Tunnelblick - Virus Notifications - Bitdefender


goo...@northway.co

Oct 1, 2018, 6:37:56 AM
to tunnelblick-discuss
Hello,

I received virus warnings for the following files possibly associated with Genieo Trojan:

01/10/2018, 08:01
Gen:Variant.Application.MAC.Genieo.1 deleted
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.5_git_6844188-openssl-1.1.0h/openvpn=>(Mach-O x86-64 ALL)
 
01/10/2018, 08:01
Gen:Variant.Application.MAC.Genieo.1 deleted
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.1.0h/openvpn=>(Mach-O x86-64 ALL)
 
Bitdefender Antivirus for Mac - Version 7.1.0.6

Genieo is not necessarily malicious malware, more of a PUA/PUP.

Has this been seen before? 

Kind regards,
Tom

Tunnelblick developer

Oct 1, 2018, 7:00:06 AM
to tunnelblick-discuss
Please see https://tunnelblick.net/cNews.html#2018-09-30.

Note: My understanding is that one should not necessarily be alarmed by a small number of alerts on VirusTotal because multiple malware detectors often use the same source of information. For example, Emsisoft is complaining because BitDefender is complaining.

Tunnelblick's total of 7 alerts from 58 engines seems to fit in that category, however we do not plan to reinstate Tunnelblick 3.7.7 and 3.7.8beta01 until most or all of the alerts are gone.

Best regards,


Jon Bullard

s.l...@firetext.co.uk

Oct 1, 2018, 10:06:25 AM
to tunnelblick-discuss
Just wanted to add some additional information to this thread, and maybe pinpoint a specific event as the trigger for this issue.

I have encountered a similar issue this morning with Bitdefender. The problem arose following a Bitdefender definitions update carried out at 11:33 BST. I was, at the time, running TunnelBlick 3.7.6a when the issue occurred. TunnelBlick 3.7.6a was functioning with no issues up until the Bitdefender definitions update. I have since tried a reinstallation of TunnelBlick 3.7.6a and 3.7.7Beta to see if the problem can be resolved.

I've raised the issue with Bitdefender as a possible false positive, and I'm awaiting a response.

TunnelBlick developer can contact me for further information if required.

Tunnelblick developer

Oct 1, 2018, 11:43:26 AM
to tunnelblick-discuss
Thanks, s.last, that's interesting.

I think it's a good indication that these are false positives: BitDefender suddenly complaining about software that's been public for more than three months (and which you have probably been using for a lot of that time).

It's unlikely that the /Applications/Tunnelblick.app would be modified by any other program, since it is read-only except by root.

We recommend that everyone verify their downloads of Tunnelblick before installing, but anyone who suspects /Applications/Tunnelblick.app of having been modified after installation can compare it to the copy of the app on a freshly-downloaded disk image using the "diff" command in Terminal after mounting the disk image:

diff -u -r -q /Applications/Tunnelblick.app /Volumes/Tunnelblick/Tunnelblick.app

which should have no output if the copies are identical.
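The comparison the developer describes, wrapped in a small POSIX shell script (an added example, not code from the thread or from the Tunnelblick project). It assumes the disk image mounts at a path under /Volumes/ as printed by hdiutil, and that the installed app and the image hold the same Tunnelblick version; comparing different versions will of course report differences.

```shell
#!/bin/sh
# Added example: check an installed Tunnelblick.app against the pristine copy
# inside a freshly downloaded disk image, using diff as suggested in the thread.

# compare_app_dirs INSTALLED PRISTINE
# Exit status mirrors diff: 0 = trees identical, 1 = at least one file differs
# or is missing, 2 = a path is missing or diff itself failed.
compare_app_dirs() {
    installed="$1"
    pristine="$2"
    if [ ! -d "$installed" ] || [ ! -d "$pristine" ]; then
        return 2
    fi
    status=0
    # -r recurses into the bundle, -q names differing files instead of
    # printing hunks (binaries would not diff usefully anyway).
    diff -r -q "$installed" "$pristine" || status=$?
    return "$status"
}

# verify_installed_app DMG_PATH [APP_PATH]
# macOS only: mounts the image read-only, compares, then detaches it.
verify_installed_app() {
    dmg="$1"
    app="${2:-/Applications/Tunnelblick.app}"   # default path from the thread
    # hdiutil prints the mount point as the last field of the volume line.
    mount_point=$(hdiutil attach -nobrowse -readonly "$dmg" \
        | sed -n 's|.*[[:space:]]\(/Volumes/.*\)$|\1|p' | tail -n 1)
    if [ -z "$mount_point" ]; then
        echo "could not mount $dmg" >&2
        return 2
    fi
    rc=0
    compare_app_dirs "$app" "$mount_point/Tunnelblick.app" || rc=$?
    hdiutil detach "$mount_point" >/dev/null
    case "$rc" in
        0) echo "OK: $app matches the copy in $dmg" ;;
        1) echo "MISMATCH: files listed above differ from the copy in $dmg" ;;
        *) echo "ERROR: comparison could not be completed" ;;
    esac
    return "$rc"
}

# Run only when a disk image path is supplied on the command line.
if [ "$#" -ge 1 ]; then
    verify_installed_app "$@"
fi
```

A non-zero result only says the trees differ; it does not say which copy is the modified one, so re-download from the project site before drawing conclusions.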

Tunnelblick developer

Oct 1, 2018, 6:53:18 PM
to tunnelblick-discuss
There was no malware in Tunnelblick; these were all "false positives", that is, reporting malware when there was not any malware.

The new releases, and updates to them, have been reinstated.

If you are still getting malware alerts for Tunnelblick, update your anti-malware program or its definitions.

See No Malware in Tunnelblick for details.

toon...@gmail.com

Oct 2, 2018, 7:30:07 AM
to tunnelblick-discuss
Hi,

FYI, where I work we're finding that after updating a few hours ago (Tunnelblick 3.7.7 build 5150), Webroot SecureAnywhere started giving out the Genieo false positive. So it seems that after reinstating, some virus scanners are still giving out false positives.

Our IT supplier has contacted Webroot to notify them of the issue, but maybe it would be good if you guys did the same thing.

Toon

Tunnelblick developer

Oct 2, 2018, 7:37:41 AM
to tunnelblick-discuss
Thanks, Toon Spin, for letting us know.

The problem probably isn't WebRoot itself, it is that it is picking up the original false positive from BitDefender (or whoever started this mess). So it should resolve itself when WebRoot picks up the removal of that false positive and updates its own malware signatures, and then your devices are updated with the updated WebRoot signatures.

But I will contact them anyway just to be sure.

Tunnelblick developer

Oct 2, 2018, 3:16:20 PM
to tunnelblick-discuss
I received this notice from WebRoot about one hour ago:

"Thank you for reporting this, we have reversed this determination globally on our end. "

Bill....@phoenixmi.com

Oct 3, 2018, 8:31:14 AM
to tunnelblick-discuss
I'm still seeing this issue with Webroot. Anyone else?

