Hi Tim,
you are right that one should also take the time-outs of some engines into
account, so here is a new table. For better readability and to avoid line
wrapping in the mail I omitted the 1.21 results (with two matches), sorted the
table alphabetically by engine name and replaced some long virus names by an
abbreviation:
Tika          1.22 (14 of 56)        1.23 (7 of 52)         1.23 r (4 of 46)
###########   ####################   ####################   ################
AegisLab      Trojan.GZip.Agent.6!c
Alibaba       TJAB1                                         TJAB1
Comodo        MW@#3v
Cyren         PATH_SLIP              PATH_SLIP              (-)
ESET-NOD32    Archbomb.ZIP           Archbomb.ZIP           Archbomb.ZIP
Fortinet      Riskware/GZunlimited
Ikarus        TJDPSA                 (-)                    (-)
Kaspersky     TJABe                  TJABe                  TJABe
NANO-Antiv.   RWW32P                 RWW32P                 (-)
Qihoo-360     Win32/Trojan.BO.316
SentinelOne   DFI - Malic. Archive   DFI - Malic. Archive
Sophos        Troj/ZipB-A            Troj/ZipB-A
Symantec      Trojan.Gen.NPE
ZoneAlarm     TJABe                  TJABe                  TJABe
Zoner         (-)                    (-)                    (-)

(-)      "timeout"
TJAB1    TrojanArcBomb:GZip/Agent.836c5791
TJAB2    TrojanArcBomb:GZip/Agent.1b53fc34
TJABe    Trojan-ArcBomb.GZip.Agent.e
MW@#3v   Malware@#3vccmnmqk3bh6
TJDPSA   Trojan-Downloader.PS.Agent
RWW32P   Riskware.Win32.Patcher.oltzn
Additionally I unpacked and repacked the tika-1.23-src.zip archive and also had
the zip archive generated this way checked by VirusTotal (right column). The
somewhat irritating result is that two engines no longer match (two other
engines that matched the original zip archive unfortunately timed out).
A manual check on my Linux home system with the tool ClamAV using additional
unofficial signatures found
  Sanesecurity.Malware.27384.ZipHeur.ZipSlip
in
  tika-app/src/test/resources/test-data/testZip_relative.zip
and
  Sanesecurity.Malware.27384.ZipHeur.ZipSlip
in
  tika-app/src/test/resources/test-data/testZip_overlappingNames.zip
Ok, both matches are caused by the special contents that the file names point
out. So I first suspected that all the matches may be caused by files in the
"tika-app/src/test/resources/test-data/" sub-directory, packed those files
into a test zip file and had it checked. But only the engine "Cyren" found a
match "PATH_SLIP", so there must be more files leading to the above matches.
That is all a little bit irritating, and it seems the VirusTotal check can
only be used as a rough hint (especially since the availability of some
engines fluctuates a lot).
If someone has access to one of the above mentioned engines, a corresponding
scan would be helpful to find out the triggering files.
Regards
Jens.
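The open question in the thread is which members of the source archive trip these archive heuristics (Zip Slip paths, overlapping entry names, archive bombs, compression quines). The following Python script is an added example, not code from Fossies, Tika or VirusTotal: it walks a zip such as tika-1.23-src.zip, recurses into nested zips, sizes gzip members from their trailer without inflating them, and reports the members that show those traits, so a hit can be narrowed down without access to the AV engine. The thresholds (MAX_RATIO, MAX_DEPTH, MAX_INNER) and the sample archive built by build_sample() are assumptions constructed for the demo; the real Tika test files are not reproduced.

```python
"""Report members of a source archive that show archive-heuristic AV traits.

Added example (not Fossies', Tika's or VirusTotal's code). Thresholds and the
constructed sample archive are assumptions made for this demonstration.
"""
import gzip
import io
import posixpath
import struct
import warnings
import zipfile

MAX_RATIO = 100.0      # assumed: uncompressed/compressed ratio we call a bomb
MAX_DEPTH = 3          # assumed: nesting depth at which we stop recursing
MAX_INNER = 8_000_000  # assumed: never inflate a nested member larger than this


def is_slip_path(name):
    """True if extracting `name` would land outside the target directory."""
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True  # absolute or drive-letter path
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def gzip_ratio(blob):
    """Ratio from the gzip trailer ISIZE (uncompressed size mod 2**32),
    so a gzip bomb is sized without decompressing it."""
    if len(blob) < 18 or blob[:2] != b"\x1f\x8b":
        return 0.0
    isize = struct.unpack("<I", blob[-4:])[0]
    return isize / len(blob)


def zip_findings(blob, label, depth=0):
    """Return [(member_label, reason)] for suspicious traits in a zip blob."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings
    seen = set()
    for info in zf.infolist():
        here = f"{label}!{info.filename}"
        if is_slip_path(info.filename):
            findings.append((here, "zipslip: entry path escapes the extraction directory"))
        if info.filename in seen:
            findings.append((here, "duplicate: overlapping entry name"))
        seen.add(info.filename)
        # Central-directory sizes are enough to spot a bomb; nothing is inflated.
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            findings.append((here, f"zip bomb: ratio {info.file_size / info.compress_size:.0f}:1"))
        lower = info.filename.lower()
        if lower.endswith(".gz") and info.file_size <= MAX_INNER:
            ratio = gzip_ratio(zf.read(info))
            if ratio > MAX_RATIO:
                findings.append((here, f"gzip bomb: ratio {ratio:.0f}:1"))
        elif lower.endswith(".zip") and info.file_size <= MAX_INNER:
            inner = zf.read(info)
            if inner == blob:
                # A compression quine reproduces itself; the exact-bytes check
                # only catches that case, the depth limit catches the rest.
                findings.append((here, "quine: archive contains itself"))
            elif depth + 1 >= MAX_DEPTH:
                findings.append((here, f"nesting deeper than {MAX_DEPTH}"))
            else:
                findings.extend(zip_findings(inner, here, depth + 1))
    return findings


def scan_source_archive(blob, label="src.zip"):
    """Entry point: scan an archive given as bytes and return its findings."""
    return zip_findings(blob, label)


def build_sample():
    """Constructed stand-in for a tika-*-src.zip; not real Tika test data."""
    def zip_of(entries):
        buf = io.BytesIO()
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")  # zipfile warns on duplicate names
            with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
                for name, data in entries:
                    z.writestr(name, data)
        return buf.getvalue()

    slip = zip_of([("../../escaped.txt", b"zip slip test entry")])
    dup = zip_of([("same.txt", b"first"), ("same.txt", b"second")])
    bomb_zip = zip_of([("zeros.bin", b"\0" * 200_000)])
    bomb_gz = gzip.compress(b"\0" * 1_000_000)
    return zip_of([
        ("constructed/slip.zip", slip),
        ("constructed/dup.zip", dup),
        ("constructed/bomb.zip", bomb_zip),
        ("constructed/bomb.gz", bomb_gz),
        ("constructed/README.txt", b"harmless"),
    ])


if __name__ == "__main__":
    for member, reason in scan_source_archive(build_sample()):
        print(f"{member}: {reason}")
```

Pointing scan_source_archive() at a real source archive lists the member path for every hit, which is the information VirusTotal does not expose. The ratio and depth thresholds are deliberately loose; engines use their own, so a clean run here does not prove an engine will stay quiet, but a flagged member is a good first place to look.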
So we’ve improved!!! LOL!
We added the quines in 1.22. Still on my phone and can't dig in. I wonder
if the non-compression hits are from tools that timed out on 1.23 but did
not time out on 1.22.
Is there any way to tell which files are triggering the hits?
Thank you, Jens!!!
Cheers,
Tim
On Sat, Dec 7, 2019 at 10:20 AM Fossies Administrator wrote:
Hi Tim,
Thank you for the note. We added two compression quines to the unit
tests, and that looks like what several of the engines are triggering on.
I’m on my phone now and can’t easily figure out if VirusTotal points to
specific files. Without that info, I can’t explain
Riskware.Win32.Patcher.oltzn
or PATH_SLIP.
The latter also was found in 1.21. I’ll take a look early next week.
I find it eye-opening that the quines didn’t set off _more_ AV engines!🤣
A completion: Since for unknown reasons Fossies hasn't detected the
release of tika version 1.22, no VirusTotal check was made on Fossies. So I
have now made up for it manually, with a somewhat surprising result
(14 of 56 matching engines):
Tika          1.21 (2 of 52)         1.22 (14 of 56)                     1.23 (7 of 52)
###########   ####################   #################################   ############################
Cyren         PATH_SLIP              PATH_SLIP                           PATH_SLIP
Zoner         Probably RTFBinData
Alibaba                              TrojanArcBomb:GZip/Agent.836c5791
Symantec                             Trojan.Gen.NPE
ESET-NOD32                           Archbomb.ZIP                        Archbomb.ZIP
Kaspersky                            Trojan-ArcBomb.GZip.Agent.e         Trojan-ArcBomb.GZip.Agent.e
NANO-Antiv.                          Riskware.Win32.Patcher.oltzn        Riskware.Win32.Patcher.oltzn
AegisLab                             Trojan.GZip.Agent.61c
Sophos                               Troj/ZipB-A                         Troj/ZipB-A
Comodo                               Malware@#3vccmnmqk3bh6
SentinelOne                          DFI - Malicious Archive             DFI - Malicious Archive
Fortinet                             Riskware/GZunlimited
ZoneAlarm                            Trojan-ArcBomb.GZip.Agent.e         Trojan-ArcBomb.GZip.Agent.e
Ikarus                               Trojan-Downloader.PS.Agent
Qihoo-360                            Win32/Trojan.BO.316
For tika 1.21 I repeated the check because the signatures could have been
updated in the meantime. But still 2 matches (now out of 52 instead of 45
engines).
Regards
Jens
On Fri, Dec 6, 2019 at 5:36 PM Fossies Administrator wrote:
Hi,
just as information: As for all offered software packages, the FOSS server
fossies.org also forced a malware check by the VirusTotal site for the just
released tika-1.23-src.zip archive, see the line "VirusTotal check" at the
top of the page
https://fossies.org/linux/misc/tika-1.23-src.zip/
You may click on the results to see the detailed report on
https://www.virustotal.com.
Unfortunately 7 of 52 scanning engines found a match for
tika-1.23-src.zip.
Hopefully these are all false positives related to the nature of Tika, but
at least for tika-1.21-src.zip "only" 2 of 45 engines found a match, see
https://fossies.org/linux/misc/legacy/tika-1.21-src.zip/
Regards
Jens
--
FOSSIES - The Fresh Open Source Software archive
mainly for Internet, Engineering and Science
https://fossies.org/