Install-ChocolateyZipPackage might contribute to VirusTotal false positive #3390
-
Checklist
What You Are Seeing?I'm currently in the process of submitting a new package, which is now under moderator review. I noticed other open-source projects also struggled with scanners' false positives, especially the MaxSecure scanner: And I also understand Choco doesn't handle how anti-virus scanners work. Having said this, are there any enhancements in the ChocoInstall script we could do to avoid false positives? It seems the usage of Scanning zip files separately and the NuGet package don't throw any flags. Thanks in advance! What is Expected?Avoid false positives that damage packages reputation. How Did You Get This To Happen?I submitted a brand new package and this is the scan result: https://community.chocolatey.org/packages/okta-aws-cli/1.2.2#virus System Details
Installed PackagesN/A Output LogCrowdsourced Sigma Rules
CRITICAL 0
HIGH 0
MEDIUM 1
LOW 1
Matches rule Password Protected Compressed File Extraction Via 7Zip by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
Matches rule Creation of an Executable by an Executable by frack113 at Sigma Integrated Rule Set (GitHub)
Detects the creation of an executable by another executable Additional ContextNo response |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 1 reply
-
I'm unclear on what the issue is. The files that are in your package are uploaded directly to VirusTotal.
I'm unclear what you mean here. Can you elaborate? |
Beta Was this translation helpful? Give feedback.
-
Hi @pauby, I'm new to the process of uploading packages into Chocolatey, so I apologize if I wasn't clear enough. This issue is mostly a question about what things a maintainer can do to avoid false positives. As I mentioned, I've submitted a package, a zip file that contains a .exe file, and VirusTotal is reporting a warning for a potential vulnerability (trojan.Malware.300983.susgen). As no vulns were detected, I dug deeper into the VirusTotal report provided in the Chocolatey package dashboard, and I noticed this particular one:
Considering all files don't throw any vulns independently, is it possible that this MEDIUM vuln is caused by |
Beta Was this translation helpful? Give feedback.
-
Thanks for clarifying. I converted this to a discussion, as I don't believe it is an issue.
I'm going to try to go through your comments and explain each point, and I apologise in advance if I'm explaining things you already know, but I just want to make sure we are on the same page.
There are a few things here. The Chocolatey package page that you mentioned in your first comment, shows the hashes of the files that are downloaded by the package upon install (not that they are the short versions of the hashes on this page). The Chocolatey package install script, And the files downloaded from GitHub (that are also in the https://github.com/okta/okta-aws-cli/releases/download/v1.2.2/okta-aws-cli_1.2.2_windows_386.zip: https://github.com/okta/okta-aws-cli/releases/download/v1.2.2/okta-aws-cli_1.2.2_windows_amd64.zip: So what we can say here is: that the files downloaded from your GitHub releases during the installation of the package, by Package Scanner, and by me, have the same hashes. So they are identical files. If we look at the files that were uploaded to VirusTotal by Package Scanner, we can see they have the same hashes too. There is an AV detection in the x64 version of the ZIP file, but that isn't something that Chocolatey CLI has caused. As I've shown above, the file at each stage has the same hash so hasn't changed. Therefore, the file on your GitHub releases has an AV detection, because of something in the ZIP file. That would be something you would need to investigate and resolve.
That is for the This is the same file uploaded to the Chocolatey Community Repository and has the same number of AV detections, so there isn't anything to comment here. That package doesn't contain any of the Okta ZIP files that were submitted to the Chocolatey Community Repository, as it is only 3.35KB. So there is nothing to detect, or comment on, here. From the Chocolatey Community Repository package page: okta-aws-cli_1.2.2_windows_386.zip (dfd418999cf1) okta-aws-cli_1.2.2_windows_amd64.zip (5d8865b3df88):
I found this here: That is a VirusTotal 'thing', so you would need to contact them about it. Once files are uploaded into VirusTotal, we have no control over what rules / AV engines they apply. But just to be clear, this is nothing that Package Scanner has done to the file, and we know that because the hashes of the files hosted on your GitHub page match the hashes of the files in VirusTotal. If they had been altered, those hashes would not match.
Simple answer, no. Here is what Package Scanner does:
It doesn't do anything more than that.
The AV detections are done by VirusTotal. We don't do the detection and therefore cannot influence any results. What you give us, we give to VirusTotal. If your package has any AV detections, then you need to look at what is being detected and on what files and work to mitigate the issue. VirusTotal gives you a lot of information, as you can see, whereas the Chocolatey Community Repository package page only gives you the AV detection results, simply I hope the above demonstrates that your A couple of things worth mentioning:
This was a long post, but I hope it clarifies that this issue is not one that Chocolatey can solve for you. This is an issue in your Okta package that needs to be resolved by you. However, should you consider it a false positive, we would not stop it being approved with only 1 AV detection. |
Beta Was this translation helpful? Give feedback.
Thanks for clarifying. I converted this to a discussion, as I don't believe it is an issue.
I'm going to try to go through your comments and explain each point, and I apologise in advance if I'm explaining things you already know, but I just want to make sure we are on the same page.
There are a few things here. …