libnet-1.1.6-15.el8.i686.rpm triggers antivirus

roarbr
Posts: 2
Joined: 2019/12/11 14:05:51

libnet-1.1.6-15.el8.i686.rpm triggers antivirus

Post by roarbr » 2019/12/11 14:16:07

Hi,

My antivirus triggered on the file libnet.so.1.7.0 inside libnet-1.1.6-15.el8.i686.rpm from CentOS 8 AppStream/x86_64/{kickstart|os}/Packages/.
It was marked as Potential Unwanted Program (PUP): "RDN/Generic PUP.z".

Uploaded the file libnet-1.1.6-15.el8.i686.rpm to virustotal.com to scan it with multiple antivirus engines. 6 engines triggered on this file:
https://www.virustotal.com/gui/file/112 ... /detection

Is this a false positive or an actual issue?

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: libnet-1.1.6-15.el8.i686.rpm triggers antivirus

Post by TrevorH » 2019/12/12 01:22:01

Well, the file is present on the DVD iso image at release time on Sept 24th. The sha256sum of that file agrees with the one on the mirror I also retrieved the file from and matches the one in the virustotal link you posted. Running rpm -qpi libnet-1.1.6-15.el8.i686.rpm shows that it is GPG signed with the official CentOS GPG key so it verifies as genuine.

One of the descriptions on the virustotal link mentions it being to do with Tcpscan.C. I can see similarities in the functionality between libnet and that.

It's also an odd file to pick to carry your "virus" payload - libnet.i686? CentOS 8 is x86_64 only not x86 so if anyone uses libnet at all, they're more likely than not to be using the x86_64 package not the 32 bit one. From reading the description of what libnet does from dnf info libnet, it doesn't seem like something that many people would install. If I were a cracker aiming to infect CentOS 8 I'd pick a package that lots of people would be going to use, not an obscure 32 bit one.

I'd try reporting it to them as a false positive and get them to investigate.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
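
The checks described in the post above (the same SHA-256 across independently obtained copies, then the package signature), as an added shell example that is not part of the original thread. The function names and the file paths passed in are hypothetical; `signature_ok` assumes `rpm` is installed and the distribution's signing key has been imported.

```shell
#!/bin/sh
# Added example: triage an antivirus hit on a distro package by checking
# that copies fetched from independent sources (ISO, mirror, the file
# that was flagged) are byte-identical, then checking the signature.

# Print only the hex SHA-256 digest of one file.
digest_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 if all given files share one SHA-256 digest, 1 if any copy
# differs, 2 on usage or read errors. Each digest is printed for the record.
copies_agree() {
    [ "$#" -ge 2 ] || { echo "need at least two copies" >&2; return 2; }
    ref=""
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
        d=$(digest_of "$f")
        [ -n "$d" ] || { echo "no digest for: $f" >&2; return 2; }
        echo "$d  $f"
        if [ -z "$ref" ]; then
            ref=$d
        elif [ "$d" != "$ref" ]; then
            echo "MISMATCH: $f differs from $1" >&2
            return 1
        fi
    done
    return 0
}

# Verify package digests and signature with rpm (-K is --checksig).
# Signatures are only reported OK when the signing key is in the rpm
# keyring, so a failure here can also mean "key not imported".
signature_ok() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed" >&2; return 2; }
    rpm -K "$1"
}

# Stand-alone use: ./check.sh copy-from-iso.rpm copy-from-mirror.rpm ...
if [ "$#" -ge 2 ]; then
    copies_agree "$@" && signature_ok "$1"
fi
```

Matching digests only show that the copies are the same file; the signature check is what ties that file to the distribution's key.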

roarbr
Posts: 2
Joined: 2019/12/11 14:05:51

Re: libnet-1.1.6-15.el8.i686.rpm triggers antivirus

Post by roarbr » 2019/12/12 08:54:03

Hi,

Thanks for looking into it. I agree that it most likely is a false positive.
But as long as my antivirus triggered on this file, I cannot copy or use this file.

I also had problems with packages from Fedora (llvm-test-suite and rubygem-sup-doc) triggering my antivirus. Anyone with a strict virus checking policy will get in trouble with files like this, so I thought it was about time to report it and see if anything can be done about it.

For now I'll just ignore this file as it is very unlikely to be used, as you pointed out.
