Version 2.19.1 is being flagged as malicious by Hybrid Analysis

[KevinNapper]

The Hybrid Analysis website is reporting version 2.19.1 as as having a threat score of 95/100 and containing 4 malicious and 19 suspicious indicators: https://www.hybrid-analysis.com/sample/5e11205840937dd4dfa4a2a7943d08da7443faa41d92ccc5dafbb4f82e724793

This is also referenced from the Virus Total report in the community section: https://www.virustotal.com/#/file/5e11205840937dd4dfa4a2a7943d08da7443faa41d92ccc5dafbb4f82e724793/community

Even if this is a false positive it still undermines user confidence.

[PhilipOakley]

Even if this is a false positive it still undermines user confidence.

Correct, It undermines confidence in the AV threat business. The question is "why do 'they' keep doing it?"

I may have my suspicions but this is not the time nor place to consider them.

4 malicious and 19 suspicious indicators

Have you looked at how they might be mitigated? Are the reports detailed enough that one could even begin to address them? Are the just indicators of FOSS code developed on Linux (compared to Expensive code for corporate Windows environments ;-)

If you are able to eliminate even one of the indicator types?, it could be a step forward!

Usually it is just that the AV business folks are 'slow' at accepting new FOSS releases.

That all said, on the link, the "AV Detection: Marked as Clean" is a better indicator".

[dscho]

Well, this report is not entirely truthful, is it? The most prominent thing that sticks out when you click on the first link is the word "CLEAN" in all caps, under a very, very green rainbow.

In that light, I have to admit that I am not enthused by the alarmist wording of the report.

[dscho]

As to the "suspicious indicators":

• Installation/Persistance
  • Allocates virtual memory in a remote process
  • Writes data to a remote process
• Unusual Characteristics
  • Spawns a lot of processes
  • Tries to access unusual system drive letters

The first two are required by Git Bash's Ctrl+C emulation, and the latter two, well, you know, this is Git, baby. If you don't understand how it works, don't complain about it.

[PhilipOakley]

@dscho Thanks for also pointing out the Green Rainbow. I'd looked right passed that - Doh.

Like you said, "not enthused by the alarmist wording of the report"

Close?