Chocolatey-coreteampackages: (kitty) High Virus Count for klink.exe (0.74.2.7)

Created on 3 Nov 2020 · 11 Comments · Source: chocolatey-community/chocolatey-coreteampackages

We've had another report about the kitty package high virus count for klink.exe. It's currently standing at 7 detections which is above the threshold we'd consider a false positive and as such we'd need to reject it without a good explanation backed up from the vendor / author.

I've submitted it back to the Package Scanner just now to rerun the scan. Does anybody have any thoughts?

Previous issue was raised at #1427


All 11 comments

Apparently this is due to poor-quality virus scanners flagging it over the use of UPX to reduce the size of the executable. I see that the latest version on chocolatey, 0.74.2.8, seems to trigger fewer issues on VirusTotal.

The author now builds an uncompressed version that avoids those issues, which is apparently used by scoop; maybe it would be best to switch to that for the packages.

I'd disagree this is poor quality virus scanners:

image

But I take your point.

The latest doesn't have AV results as yet but the 0.74.2.8 is flagged by 6 AV scanners. This is still too high without an explanation by the vendor / author. Do we have something we can point to in the nuspec description?

If the uncompressed version doesn't get picked up by the scanners in the same way I'd think this would be a better way to go.

It looks to be primarily the result of some scanners, including, unfortunately, Defender, picking up on the UPX-compressed klink.exe which is included in the executables to be installed. Decompressing klink.exe takes that down to 2 results on VirusTotal. Unless I'm missing something, that's strongly suggestive of spurious results.

I've asked about whether it would be possible to have a non-UPX'd exe for the various 'extra' exes that are part of the KiTTY package. I suppose an alternative would be to exclude klink.exe in the nuspec package, though that might be problematic for anyone actually using it, or to un-UPX the executables in the AU package build so that the ones in the .nupkg aren't flagged, though I imagine that could still cause problems for people running their own local AU package builds.

Maybe we should just add a note and call it a day. We know this is not a virus and know the reasons for it being reported.

I think we need to get this issue resolved permanently rather than closing it as we'll have the same issue with the next version and the next.

> We know this is not a virus and know the reasons for it being reported.

_We_ may know the reasons. _I_ don't know it's not a virus. But more importantly users of the package and the site don't know the reasons OR whether it's a virus. They look at the AV scores. They see Defender quarantining it and that is enough for them to label the package and software as malware. That isn't in anybody's best interests. So we should fix the problem as best we can so that Chocolatey and kitty are not getting a bad reputation.

The author has provided an uncompressed version so this could be used.

I've rejected v0.74.2.7. We also have v0.74.2.8 and v0.74.3.1 with 6 detections each for klink.exe (and a couple of others). This also needs to be addressed.

So genpass and klink are problematic and those DO NOT have an uncompressed version.

Since there is really nothing we could do except perhaps uncompress those 2 tools ourselves which seems intrusive to me (we are changing upstream binaries) I am still for the note.

> I don't know it's not a virus.

You can say that for any tool in the universe even if we don't tackle your particular personality traits.

I don't see that kitty has a problem with VT, they even link it in the download section. FossHub also lists it with 0 viruses: https://www.fosshub.com/KiTTY.html

We are all here hostages of AV companies. We need to defend and inform, not blindly follow into the big hole.

Hence, I am for the note, we can make it a REALLY BIG ONE IF YOU WANT. I will personally write it, which by itself guarantees success.

> So genpass and klink are problematic and those DO NOT have an uncompressed version.

Then we're back to square one for those at least.

> I don't see that kitty has a problem with VT, they even link it in the download section. FossHub also lists it with 0 viruses: https://www.fosshub.com/KiTTY.html

The Virus Total detections are on the package page.

Only KiTTY is provided in three versions on the FossHub page:

  • compressed version pre-configured for registry mode
  • compressed version pre-configured for portable mode
  • uncompressed version pre-configured for registry mode

To be clear, there is no registry nor portable version. There is only one KiTTY that can be run in two different modes.
So that uncompressed version can be used in portable mode too. The configuration is described on this page.

No other binaries (including klink.exe, genpass.exe ...) are compressed.
Please note that klink.exe is 95% plink.exe source code. And plink.exe has also some false positives: see Virus Total report of the version 0.74 of plink.exe 64bits.

Thank you. I think we can now safely close this. I will add a note on the package.

Also, plink doesn't have it in the latest version, so it's probably going to reflect on klink too.

@majkinetor

> Thank you. I think we can now safely close this. I will add a note on the package.

Make sure you reference the official source for the notes on the AV detections.
