Chocolatey package held in review due to too many false virus detection positives

[ronaldtse]

https://community.chocolatey.org/packages/metanorma/1.4.17.20211007#virus

Because our score is either 7 or 8 (tried a couple runs on virustotal.com), it is automatically held up preventing release:
https://www.virustotal.com/gui/file/d006fd078d8c73d0b13a77196944180f6c5cee2b7aeb74240bb5223251210a87?nocache=1

While these are all unknown virus scanners we might still want to remove/update the files that have been falsely flagged as malicious.

The problematic files are:

• cve-2017-6419-lzx-negative-spaninfo.chm
• stub.exe
• stubw.exe
• edicon.exe
• lzma.exe

Is it possible for us to remove or modify these files?

The actual scores are:

[ronaldtse]

• edicon.exe: https://github.com/larsch/ocra/blob/master/src/edicon.c
• lzma.exe: https://github.com/larsch/ocra/blob/master/share/ocra/lzma.exe
• stub.exe: https://github.com/larsch/ocra/blob/master/src/stub.c
• stubw.exe: same as stub.exe but built with -mwindows flag instead of -D_CONSOLE flag.

[ronaldtse]

All of these files are from Ocra. Maybe some malicious executables are built with Ocra, and the Ocra files get tagged?

[CAMOBAP]

@ronaldtse probably, let me check

[ronaldtse]

Found the original issue at Ocra: larsch/ocra#175

[ronaldtse]

Found the offending chm file:
https://github.com/kyz/libmspack/blob/master/libmspack/test/test_files/chmd/cve-2017-6419-lzx-negative-spaninfo.chm

This file is provided in libmspack which is included via the ruby-libmspack gem (https://github.com/davispuh/ruby-libmspack)

[ronaldtse]

We've forked Ocra at https://github.com/metanorma/ocra to attempt fixing these issues, and will contribute back if they work...

[CAMOBAP]

@ronaldtse It doesn't look like we can do anything about it. We cannot get rid of lzma.exe because it used for decompression.

Regarding cve-2017-6419-lzx-negative-spaninfo.chm we can just remove it from installed gem before ocra run. But this is a probably single what we can done

[ronaldtse]

@CAMOBAP we will be able to resolve the issues with Orca when we switch to Tebako.

However for libmspack - why does this test file get into ruby-libmspack gem? Only the compiled artifact (only the .so file?) should be included in the ruby-libmspack gem.

[ronaldtse]

As requested here by the Chocolatey admins of our package, #64 (comment)

False positives

All "positives" at VirusTotal for the Metanorma package are false positives, from these engines:

• DrWeb
• SecureAge APEX
• VBA32
• Antiy-AVL
• Ikarus
• NANO-Antivirus
• Gridinsoft
• Jiangmin

Quite a few of them I've never even heard of: Antiy-AVL, Ikarus, NANO-Antivirus, Gridinsoft, Jiangmin.

@CAMOBAP has used DrWeb, SecureAge APEX, VBA32 before.

We maintain that the value of an anti-virus scan is about quality - not quantity.

Analysis of false positives

Here's an analysis of every false positive file.

1. cve-2017-6419-lzx-negative-spaninfo.chm. This file originates from the libmspack library's test suite.

• Source: https://github.com/kyz/libmspack/blob/master/libmspack/test/test_files/chmd/cve-2017-6419-lzx-negative-spaninfo.chm

2. stub.exe. Compiled as part of the Orca package as the launcher.

• Source: https://github.com/larsch/ocra/blob/master/src/stub.c

3. stubw.exe: same as stub.exe but built with -mwindows flag instead of -D_CONSOLE flag.

• Source: https://github.com/larsch/ocra/blob/master/src/stub.c

4. edicon.exe: Compiled as part of the Orca package as the icon holder.

• Source: https://github.com/larsch/ocra/blob/master/src/edicon.c

5. lzma.exe: This is the LZMA executable from 7-zip: https://www.7-zip.org/sdk.html

• Source: https://github.com/larsch/ocra/blob/master/share/ocra/lzma.exe

I hope this is sufficient for the admins.

[CAMOBAP]

I will update description

[CAMOBAP]

Resubmited

[CAMOBAP]

VirusScan doesn't a problem anymore