Jq: Trend Micro flagged 'jq' as Trojan.SH.HADGLIDER.TSE, installing on Ubuntu under WSL (Windows Subsystem for Linux)

Created on 20 Aug 2020 · 18 Comments · Source: stedolan/jq

Description
Not sure how actionable this is, but I thought it might be good to log a bug, in case others have this happen: I tried to install 'jq' under Ubuntu installed in the WSL subsystem of Windows 10, the usual way, via sudo apt install jq. This Windows is running Trend Micro OfficeScan, an antivirus tool, which flagged it as a security threat: Trojan.SH.HADGLIDER.TSE. (This particular type of Trojan is not cataloged on their website.)

Trend Micro ends up blocking the final step (copy or rename of file /usr/bin/jq.dpkg-new to just /usr/bin/jq), and locking down that file, so it can't be renamed or even deleted. It can, however, be read, and even run (!), which gave me the jq usage message.

Workaround
So, the workaround was: I ended up doing that copy manually, just by doing sudo cp /usr/bin/jq.dpkg-new /usr/bin/jq. It now runs.

Now I just have to hope there isn't _really_ malware in that file... ;-)

Environment and Version Info

  • jq is 1.6-1 (it had downloaded /var/cache/apt/archives/jq_1.6-1_amd64.deb)
  • The Trend Micro "Smart Scan Agent Pattern" version is 16.173.00.
  • Windows 10 is version 1903 (OS Build 18362.1016).
  • Ubuntu is Ubuntu 20.04 LTS (Focal Fossa).
  • We are currently using WSL1, not WSL2.
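Before doing that manual cp, a defender would want to confirm that the quarantined jq.dpkg-new is byte-for-byte the file the cached .deb shipped. This is an added example, not from the issue or the jq project: it checks any stuck .dpkg-new file against the package's own md5sums control file, which is assumed to have been extracted from the cached archive with `dpkg-deb --ctrl-tarfile /var/cache/apt/archives/jq_1.6-1_amd64.deb | tar -xO ./md5sums > /tmp/jq.md5sums`.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of jq or dpkg).
# Usage: verify_dpkg_new <md5sums-file> <root-dir> [suffix]
#   md5sums-file: the package's "md5sums" control file, one line per
#                 shipped path in the form "<md5>  usr/bin/jq"
#   root-dir:     filesystem root to check (normally "/")
#   suffix:       name suffix of the stuck file, default ".dpkg-new"
# Prints one line per listed path and returns non-zero if any present
# <path><suffix> file differs from the checksum recorded in the package.
verify_dpkg_new() {
    md5file=$1; root=$2; suffix=${3:-.dpkg-new}
    bad=0
    while read -r sum rel; do
        [ -n "$sum" ] || continue
        candidate="$root/$rel$suffix"
        if [ ! -f "$candidate" ]; then
            echo "absent   $candidate"
            continue
        fi
        # md5sum on stdin prints "<hash>  -"; keep only the hash
        actual=$(md5sum < "$candidate" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "match    $candidate"
        else
            echo "MISMATCH $candidate (packaged $sum, on disk $actual)"
            bad=1
        fi
    done < "$md5file"
    return $bad
}

# Example invocation for the case in the issue (paths as on the reporter's box):
#   verify_dpkg_new /tmp/jq.md5sums / && sudo cp /usr/bin/jq.dpkg-new /usr/bin/jq
```

Only copy the file when every present .dpkg-new line reports "match"; a MISMATCH means the file on disk is not what the archive contained and the AV verdict deserves a closer look rather than a manual override.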

All 18 comments

This issue should be reported to Trend Micro OfficeScan or whatever else is flagging this file.

Unless you have some specific information as to what exactly makes jq trigger the flagging, this is not an issue that could be handled here.

Actually, it is being reported by Sophos as well.

Sophos found a virus called Mal/Generic-S with jq.

Also by ClamAV. It found a virus called Win.Malware.Agent-9451404-0.

I'm seeing the ClamAV -> Win.Malware.Agent-9451404-0 on our hosts where jq (dynamically linked) is loaded via package manager. I'll have to check if the statically linked version is also reporting an error.

As of today, the alerts are clearing after the latest Clam definitions update.

Just tried it. It is still there.

Where did you install jq from? We don't manage any distribution packages, so if the issue is unique to builds from those, then you may need to take it up with them.
Do you get the alerts from the statically-linked release binaries here https://github.com/stedolan/jq/releases/tag/jq-1.6 ? If so, then something in jq may be triggering the alerts. (I can promise that I didn't put malware in those binaries, though; I would expect it to be a false positive.)

apt-get, which is from http://us.archive.ubuntu.com/ubuntu, I believe. Well, I believe it is probably a false positive. But 3 antivirus companies report something at the same time. I bet it is a certain kind of code pattern that triggers that.

For context, our affected users are installing jq via apt and running Ubuntu 20.04.1 LTS.

The Mac OS binary has a clean report and is not being blocked by our AV (https://www.virustotal.com/gui/file/0954dfe94b05fafd0900ebb7f60b9df72c49515b82e45c499e0597408d5baa11/detection).

Can one of the maintainers please investigate and possibly reach out to the Ubuntu apt repo maintainers?

Can you confirm the hash of 1.6-1 in apt? Is this the same as the GitHub release 1.6 published on Nov 1, 2018?

Just to update my previous comment, our errors are not clearing.
Our errors are from a ubuntu container and the containers were being reaped after they exited.

The hashes will likely be different- the github release is a statically-linked binary, while the one provided by apt is dynamically-linked. Additionally, it seems that the package applies a few patches to the source code (these patches look fine to me- just stuff to make it build nicer for them)

I uploaded the statically-linked binary from the official release to VirusTotal; no matches: https://www.virustotal.com/gui/file/af986793a515d500ab2d35f8d2aecd656e764504b789b66d7e1a0b727a124c44
I built a dynamically-linked version based on the official 1.6 release's source code and uploaded it to VirusTotal; no matches: https://www.virustotal.com/gui/file/afc95cec7902bfffd7e04b1ca9ff3ed3b65111f0647215c930622e4cc08341a7
I also pulled Ubuntu's source package and built that binary; I get one match there: https://www.virustotal.com/gui/file/c3192297e0065a99a65aab8f27a04ed716217f8e455ca4d35642d9d3b2bc1dcf
The source code in Ubuntu's source package seems to match the official 1.6 source (or close enough anyway; there are some small changes that seem fine to me).

I can't say for sure that the binary package released on Ubuntu _doesn't_ have malware in it; we aren't the ones who publish that package. I can say that the alert I'm seeing for the source package seems very much like a false positive.

Thank you @wtlangford.

Been battling Microsoft for the past week regarding this. Initially Security Intelligence Version 1.321.1943.0 detected it as _Trojan:Win32/Casdet!rfn_. We did a clean Ubuntu 20.04 install and installed the jq binary from the official repo. Checked sha256sum. It was bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8d in all cases.

Satisfied with the provenance of the file, a submission was made and then accepted by Microsoft. They said it will be fixed in the next definitions update.

Now Security Intelligence Version 1.321.2133.0 is out and, instead of fixing it, it is now detecting it as _Trojan:Linux/CoinMiner.N!MTB_.

Resubmitted to Microsoft, but they closed that ticket, saying that the binary is indeed malware (Trojan:Linux/CoinMiner.N!MTB) and won't be actioned. :(

I see a growing number of AV engines starting to detect it. A few days ago on VirusTotal it was 4 or 5 engines; now it is up to 15.

bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8d

is mentioned as part of the IOCs for an actual crypto-mining worm. Perhaps these AV vendors are somehow sourcing that.

Ubuntu bug has been filed.

The package itself is maintained by Debian. Would it make sense to file a bug here as well:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=jq

We are following up with our AV Vendor separately.

We finally succeeded in getting Microsoft to agree that the binary is not a coin miner :) Windows Defender no longer hates jq as of last week.
