Of course, we weren't able to investigate most of these claims, because proprietary antivirus organisations don't provide much information we could use, and undoubtedly would say they have sound reasons for that; so we can only guess at what might have caused all those people to flag PuTTY as malware.

ClamAV is a partial exception: because it's free software, we were at least able to find the entries in its database that caused four successive releases of putty.exe to be flagged as various things. One of those accusations was based on ClamAV's database containing an MD5 hash of the code segment of the corresponding putty.exe. In other words, it wasn't that PuTTY was exhibiting any kind of general behaviour or matching a general pattern that made it look like malware; it's that ClamAV's database was identifying PuTTY specifically as malware, apparently on purpose – there is no way that a database entry of that kind could have matched anything other than the specific PuTTY executable in question.

In several cases, we submitted a false-positive report to ClamAV, and they withdrew the database entry in question. Then we put out a release, and they turned round and flagged that one as malware too.

It would be nice if we could give some explanation here of why antivirus software is so keen to call us names. Some possibilities that have occurred to us in the past include:

- Old build tools? PuTTY was built with Visual Studio 2003 for a long time, and that also meant it didn't have up-to-date executable security features like ASLR and DEP enabled. We wondered if that might be considered an indicator of malware. But then we upgraded to Visual Studio 2015 and that didn't stop the accusations.
- No code signing? We also wondered if antivirus people had adopted a default policy of extreme suspicion towards any unsigned Windows executable. But when we started code-signing PuTTY, the accusations didn't stop.
- Incorporation into real malware? We've heard in the past that at least one real piece of malware had reused PuTTY or pieces of it (among other legitimate communications software) as a means of keeping in touch with its command and control servers. Perhaps that was enough to get the legitimate PuTTY tarred with the same brush? But that surely wouldn't explain the ongoing deliberate flagging of every release as a new kind of virus.
- Download by real malware? Another possibility is that some piece of malware might cause an infected machine to download PuTTY and then use it (which we know has happened at least once), and that this is causing virus checkers to assume the PuTTY executable being downloaded is guilty by association.
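Two of the points above are easy to check for yourself on any Windows binary: whether the ASLR and DEP opt-in flags are set in the PE optional header, and what a section-hash database entry of the kind ClamAV used actually matches. The example below is added here and is my own code, not PuTTY's or ClamAV's. It parses just enough of a PE file to read the `DllCharacteristics` flags and the size and MD5 of each section, then builds and checks an entry in ClamAV's documented `.mdb` section-signature format (`PESectionSize:PESectionHash:MalwareName`). The two "releases" are constructed byte strings, not real putty.exe builds, and the signature name is a placeholder. It shows why a section-hash entry can only match the one exact build it was taken from: the next release, differing in even one byte of code, will not match it unless a new entry is added for that build.

```python
import hashlib
import struct

# Optional-header DllCharacteristics bits (Microsoft PE format spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible


def build_minimal_pe(text_bytes: bytes, dll_characteristics: int) -> bytes:
    """Construct a tiny PE32 image with a single .text section.

    Constructed test data for this example; it is not executable and is not
    derived from any real putty.exe.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = bytearray(224)                              # PE32 optional header size
    struct.pack_into("<H", optional, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<H", optional, 70, dll_characteristics)
    coff_header = struct.pack(
        "<HHIIIHH",
        0x14C,          # Machine: i386
        1,              # NumberOfSections
        0, 0, 0,        # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        len(optional),  # SizeOfOptionalHeader
        0x0102,         # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    headers_len = e_lfanew + 4 + len(coff_header) + len(optional) + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF               # 512-byte file alignment
    section_header = struct.pack(
        "<8sIIIIIIHHI",
        b".text", len(text_bytes), 0x1000,                  # Name, VirtualSize, VirtualAddress
        len(text_bytes), raw_ptr,                           # SizeOfRawData, PointerToRawData
        0, 0, 0, 0,                                         # relocation / line-number fields
        0x60000020,                                         # CODE | EXECUTE | READ
    )
    image = dos_header + b"PE\0\0" + coff_header + bytes(optional) + section_header
    return image + b"\x00" * (raw_ptr - len(image)) + text_bytes


def parse_pe(image: bytes) -> dict:
    """Read the mitigation flags and per-section (size, MD5) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff_off + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff_off + 16)[0]
    opt_off = coff_off + 20
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", image, opt_off + 70)[0]
    sections = {}
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, opt_off + size_opt + 40 * i)
        data = image[raw_ptr:raw_ptr + raw_size]
        sections[name.rstrip(b"\0").decode()] = (raw_size, hashlib.md5(data).hexdigest())
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "sections": sections,
    }


def section_signature(image: bytes, name: str, section: str = ".text") -> str:
    """Build a ClamAV-style .mdb line (PESectionSize:PESectionHash:MalwareName)."""
    size, digest = parse_pe(image)["sections"][section]
    return f"{size}:{digest}:{name}"


def matches_section_signature(signature: str, image: bytes) -> bool:
    """True if any section of `image` has exactly the size and MD5 in the signature."""
    size, digest, _name = signature.split(":")
    return any(raw_size == int(size) and h == digest
               for raw_size, h in parse_pe(image)["sections"].values())


# Two constructed "releases": identical except for the last byte of .text.
RELEASE_A_TEXT = bytes(range(256)) * 4
RELEASE_B_TEXT = RELEASE_A_TEXT[:-1] + b"\x00"
RELEASE_A = build_minimal_pe(RELEASE_A_TEXT, 0)   # old toolchain: no ASLR/DEP opt-in
RELEASE_B = build_minimal_pe(
    RELEASE_B_TEXT,
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)

if __name__ == "__main__":
    sig = section_signature(RELEASE_A, "Placeholder.Test.Signature")
    print("signature taken from release A:", sig)
    for label, image in (("release A", RELEASE_A), ("release B", RELEASE_B)):
        info = parse_pe(image)
        print(f"{label}: ASLR={info['aslr']} DEP={info['dep']} "
              f"matches signature={matches_section_signature(sig, image)}")
```

Running it prints the `.mdb`-style line derived from release A, reports that A has neither ASLR nor DEP enabled while B has both, and shows that the signature matches A but not B. To apply the flag check to a real file, pass its bytes to `parse_pe`; the hash comparison is the same operation a section-hash scanner performs, which is why it identifies exactly one build and nothing else.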