VirusTotal reports for Firebird 5.0.3


F. D. Castel

Jul 23, 2025, 10:40:32 AM
to firebird-devel
Firebird 5.0.3 Binaries were rejected by Chocolatey Moderation:

-----
Hi, the count of Virustotal positives is high for this package version.

If there is a known reason that this software may have a high rate of false positives, please link to the upstream documentation (for example it could be an issue or wiki) in the package description.
Then ask for an exemption and a moderator will review the documentation.
If there is not a known and documented reason, please contact the software authors to see if they have any reasons they can document.
-----

The reports can be seen here:


Based on the reports, it's clear to me that this issue stems from false positives generated by some of the lesser-known engines (Bkav Pro, Trapmine, SecureAge, Varist?).

However, if the team has any input or additional context, I'd be happy to include it in my report to them when asking for a review.

Dimitry Sibiryakov

Jul 23, 2025, 10:49:52 AM
to firebir...@googlegroups.com
F. D. Castel wrote 23.07.2025 16:40:
> However, if the team has any input or additional context, I'd be happy to
> include it in my report to them when asking for a review.

Do not ever feed installers to the VirusTotal. Feed content of ZIP archive.

--
WBR, SD.

F. D. Castel

Jul 24, 2025, 5:37:44 AM
to firebird-devel
Sent the following to Chocolatey moderation:

---
From the reports I've seen, it appears that the issue is caused by false positives from a few lesser-known antivirus engines (such as Bkav Pro, Trapmine, SecureAge, and Varist?). None of the major antivirus vendors have flagged similar issues.

The Firebird binaries are built through an automated process on GitHub's servers, and everything is publicly available on the project's GitHub Actions page: https://github.com/FirebirdSQL/firebird/actions.

At this point, I don't believe there's any cause for concern.
---

Mark Rotteveel

Jul 26, 2025, 3:42:30 AM
to firebir...@googlegroups.com
On 23/07/2025 16:40, F. D. Castel wrote:
> Firebird 5.0.3 Binaries were rejected by Chocolatey Moderation:
>
> -----
> Hi, the count of Virustotal positives is high for this package version.
>
> If there is a known reason that this software may have a high rate of false
> positives, please link to the upstream documentation (for example it
> could be an issue or wiki) in the package description.
> Then ask for an exemption and a moderator will review the documentation.
> If there is not a known and documented reason, please contact the
> software authors to see if they have any reasons they can document.
> -----
>
> The reports can be seen here:
>
> https://www.virustotal.com/gui/file/9bffda77806fd238febd04a0938e3e374b6f24efa3d78d53e06a171724605163/detection/f-9bffda77806fd238febd04a0938e3e374b6f24efa3d78d53e06a171724605163-1753141523
>
> https://www.virustotal.com/gui/file/2affb4b29a01fc35f1747684cba6263cb30a519f3f5343a105a14472c757cb53/detection/f-2affb4b29a01fc35f1747684cba6263cb30a519f3f5343a105a14472c757cb53-1753141524
>
>
> Based on the reports, it's clear to me that this issue stems from false
> positives generated by some of the lesser-known engines (Bkav Pro,
> Trapmine, SecureAge, Varist?).
>
> However, if the team has any input or additional context, I'd be happy
> to include it in my report to them when asking for a review.
The TrapMine one is pretty much meaningless. It is an "AI" (machine
learning) based system, and the reported "Suspicious.low.ml.score"
pretty much means it either has not enough information, or not seen
enough similar code to make a determination.

The MaxSecure reported "Trojan.Malware.300983.susgen" is a pretty
well-known false-positive (so well-known, that if you search for it, a
lot of the links are from less-than-reputable sources claiming they can
help you clean it), and is also based on some heuristic or machine
learning algorithm. As far as I know, it is reported for some of the
examples in examples\prebuilt (like the fbSampleDbCryptApp.exe and
fbSampleExtAuthKeygen.exe), but interestingly enough, it is not linked
from the report for the installer.

The Bkav Pro "W32.AIDetectMalware" is also relatively well-known
false-positive (and also seems to be based on some AI thing).

The SecureAge "Malicious" is probably for fbSampleExtAuthKeygen.exe
(based on the results for the zip, as it isn't linked from the report on
the installer), which seems to be a false positive.

Some of the others follow links. And the installer links to the Firebird
website, and the Firebird website uses cdn.sendpulse.com, which two of
the scanners report based on IP addresses. Similarly, one of the
scanners reports substackcdn.com, which is also loaded (from
https://www.firebirdsql.org//afterinstall) as Firebird hosts a list
there, and the after install page shows a "sign up" element from Substack.

I'm not sure about the "W32/Agent.DUA.gen!Eldorado" reported by Varist,
as I've not been able to link it to a file or other thing in the report
(though possibly it's about the links from the installer mentioned above).

Mark
--
Mark Rotteveel

Paul Reeves

Jul 26, 2025, 4:31:15 AM
to firebir...@googlegroups.com
On Sat, 26 Jul 2025 09:42:23 +0200
"'Mark Rotteveel' via firebird-devel" <firebir...@googlegroups.com> wrote:

>As far as I know, it is reported for some of the examples in
>examples\prebuilt (like the fbSampleDbCryptApp.exe and
>fbSampleExtAuthKeygen.exe),

Do we even need to include them in the kits? They are examples that do not
actually 'work'. Any developer interested in creating a working version can
just build them from the source anyway.


Paul
--
Paul Reeves
https://www.ibphoenix.com
Supporting users of Firebird

Mark Rotteveel

Jul 26, 2025, 4:34:39 AM
to firebir...@googlegroups.com
On 26/07/2025 10:31, 'Paul Reeves' via firebird-devel wrote:
> On Sat, 26 Jul 2025 09:42:23 +0200
> "'Mark Rotteveel' via firebird-devel" <firebir...@googlegroups.com> wrote:
>
>> As far as I know, it is reported for some of the examples in
>> examples\prebuilt (like the fbSampleDbCryptApp.exe and
>> fbSampleExtAuthKeygen.exe),
>
> Do we even need to include them in the kits? They are examples that do not
> actually 'work'. Any developer interested in creating a working version can
> just build them from the source anyway.

Personally, I don't see the point of including them (to be honest, I
think that can be said for most of the contents of examples).

I have submitted some of the reported files as false positives, but if
that works is a big question (and could be whack-a-mole for each release).

Mark
--
Mark Rotteveel

Pavel Zotov

Jul 27, 2025, 5:10:49 AM
to firebird-devel


26.07.2025 11:31:15 UTC+3, Paul Reeves:
> On Sat, 26 Jul 2025 09:42:23 +0200
> "'Mark Rotteveel' via firebird-devel" <firebir...@googlegroups.com> wrote:
>
> >As far as I know, it is reported for some of the examples in
> >examples\prebuilt (like the fbSampleDbCryptApp.exe and
> >fbSampleExtAuthKeygen.exe),
>
> Do we even need to include them in the kits? They are examples that do not
> actually 'work'. Any developer interested in creating a working version can
> just build them from the source anyway.


Am I right in guessing that you want to remove $FB_HOME/examples/prebuilt/bin/fbSampleDbCryptApp.exe and fbSampleExtAuthKeygen.exe from daily snapshots?
If yes, then please do NOT remove any other files from $FB_HOME/examples/prebuilt/plugins/

Our QA requires fbSampleDbCrypt.dll, fbSampleKeyHolder.dll (and the appropriate *.conf) from the $FB_HOME/examples/prebuilt/plugins/ directory.
These files are copied during the test preparation phase into $FB_HOME/plugins/
There are about 20 tests which assume that these files exist:

1) in $QA_ROOT/tests/bugs/ :
    core_4462_linux_test.py
    core_4462_windows_test.py
    core_4524_test.py
    core_4964_test.py
    core_5077_test.py
    core_5501_test.py
    core_5673_test.py
    core_5793_test.py
    core_5796_test.py
    core_5808_test.py
    core_5831_test.py
    core_6048_test.py
    core_6071_test.py
    core_6163_test.py
    gh_5978_test.py
    gh_5995_test.py
    gh_6947_test.py
    gh_7200_test.py
    gh_7917_test-obj-in-use-on-drop-db.py
    gh_7917_test.py
    gh_8429_test.py

2) in $QA_ROOT/tests/functional/util/ :
    test_gbak_zip.py


Dimitry Sibiryakov

Jul 27, 2025, 5:16:04 AM
to firebir...@googlegroups.com
Pavel Zotov wrote 27.07.2025 11:10:
> Our QA requires fbSampleDbCrypt.dll , fbSampleKeyHolder.dll  (and appropriate
> *.conf) from $FB_HOME/examples/prebuilt/plugins/  directory.

Taking into account wide plugin compatibility between versions, QA tests
could copy these plugins from firebird-qa/files directory as does it with
configuration, 7zip, etc.

--
WBR, SD.

Pavel Zotov

Jul 27, 2025, 5:35:30 AM
to firebird-devel
One 'funny' day this compatibility will be broken.
Who will rebuild these .dlls?
Currently it is impossible to get such files as 'incompatible' - at least I can't remember that make_examples could fail after make_boot & make_all pass.


Sunday, 27 July 2025 at 12:16:04 UTC+3, Dimitry Sibiryakov:

Dimitry Sibiryakov

Jul 27, 2025, 5:37:27 AM
to firebir...@googlegroups.com
Pavel Zotov wrote 27.07.2025 11:35:
> At one 'funny' day this compatibility  will be broken.
> Who will re-built these .dlls ?

Compatibility is important, so if it is broken - it is another bug that
must be checked and detected by the QA suite.

--
WBR, SD.

Pavel Zotov

Jul 27, 2025, 5:50:34 AM
to firebird-devel
I don't get it: what is the problem with these files (.dll)?
And how could a virus infect them (.exe) if they weren't launched?

Sunday, 27 July 2025 at 12:37:27 UTC+3, Dimitry Sibiryakov:

Mark Rotteveel

Jul 27, 2025, 5:59:27 AM
to firebir...@googlegroups.com
On 27/07/2025 11:50, Pavel Zotov wrote:
> I can't get: what is the problem with these files (.dll) ?
> And how virus could infect them (.exe) if they weren't launched ?
They aren't infected at all, that is the whole "problem". They contain
some combination of code that trigger heuristics of certain virus or
malware scanners that make them think it is somehow malicious, even if
it's not.

So, if removal of this is problematic for the tests, then we leave it,
at least for now. That said, I'm curious what those tests do that they
rely on something which is basically a toy example of database encryption.

Mark
--
Mark Rotteveel

Dimitry Sibiryakov

Jul 27, 2025, 6:15:52 AM
to firebir...@googlegroups.com
Pavel Zotov wrote 27.07.2025 11:50:
> And how virus could infect them (.exe) if they weren't launched ?

The usual way: a virus sitting resident in memory intercepts the opening and
writing of executables, taking it as an opportunity to inject its own code inside them.
I.e. if the GitHub CI container is infected, the build will produce infected executables.

--
WBR, SD.

Mark Rotteveel

Jul 27, 2025, 6:17:02 AM
to firebir...@googlegroups.com
Again, there is no virus here. These are false positives.

Mark

--
Mark Rotteveel

Dimitry Sibiryakov

Jul 27, 2025, 6:21:41 AM
to firebir...@googlegroups.com
'Mark Rotteveel' via firebird-devel wrote 27.07.2025 12:16:
>>    I.e. if GitHub CI container is infected, build will produce infected
>> executables.
>
> Again, there is no virus here. These are false positives.

Most likely - yes.

All I want to say is that removing these files from distribution packages won't
hurt QA. CI may be set up to produce a separate artifact containing these
prebuilt examples, and the QA suite can either store it in its tree or download and
install these files the same way as files from the tested package.

--
WBR, SD.

Paul Reeves

Jul 27, 2025, 6:21:46 AM
to firebir...@googlegroups.com
On Sun, 27 Jul 2025 02:10:48 -0700 (PDT)
Pavel Zotov <p51...@gmail.com> wrote:

>26.07.2025 11:31:15 UTC+3, Paul Reeves:
>
>On Sat, 26 Jul 2025 09:42:23 +0200
>"'Mark Rotteveel' via firebird-devel" <firebir...@googlegroups.com> wrote:
>
>>As far as I know, it is reported for some of the examples in
>>examples\prebuilt (like the fbSampleDbCryptApp.exe and
>>fbSampleExtAuthKeygen.exe),
>
>Do we even need to include them in the kits? They are examples that do not
>actually 'work'. Any developer interested in creating a working version can
>just build them from the source anyway.
>
>
>Am i right in guess that you want to remove
>$FB_HOME/examples/prebuilt/bin/fbSampleDbCryptApp.exe and
>fbSampleExtAuthKeygen.exe from daily snapshots ?
>If yes then please do NOT remove any other files from
>$FB_HOME/examples/prebuilt/plugins/
>

I was thinking just to remove the executables from the binary installer.
Sorry if I did not make that clear.

I know it does not solve the underlying problem but people get scared by
virus reports and it takes time explaining about false positives. So if we
can get an easy win here, then why not?

Dimitry Sibiryakov

Jul 27, 2025, 6:25:13 AM
to firebir...@googlegroups.com
'Paul Reeves' via firebird-devel wrote 27.07.2025 12:21:
> I was thinking just to remove the executables from the binary installer.

One of these reports is about the installer itself: "content after end of
executable" which is actually the way Inno Setup works, it appends the
distribution archive to the actual installer's executable to get a single file.

--
WBR, SD.
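The "content after end of executable" observation can be reproduced without any scanner. The following is an added example (not code from this thread or from the Firebird project): it parses the PE section table and measures how many bytes sit past the last section, which is the overlay that Inno Setup uses to carry its payload. The sample PE is constructed inline; to triage a real installer, pass the file's bytes to pe_overlay_size.

```python
import struct

def pe_overlay_size(data: bytes) -> int:
    """Bytes stored after the last section of a PE image (its 'overlay').

    Scanners that warn about "content after end of executable" compute
    exactly this: file size minus the end of the last section's raw data.
    Raises ValueError when the data is not a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size         # first IMAGE_SECTION_HEADER
    end = sec_table + num_sections * 40      # headers themselves count as mapped data
    for i in range(num_sections):
        hdr = sec_table + i * 40
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)   # furthest file byte any section claims
    return max(0, len(data) - end)

def build_sample_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal 32-bit PE with one section (not a real Firebird file).

    SizeOfOptionalHeader is 0 here to keep the sample short; real images carry
    an optional header, and pe_overlay_size honours whatever size is declared.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    ptr_raw = e_lfanew + 4 + 20 + 40         # section data directly follows its header
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), 0x1000, len(section), ptr_raw, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sec + section + overlay

if __name__ == "__main__":
    clean = build_sample_pe(b"\xc3" * 16)
    # constructed payload appended after the image, as an installer builder would do
    packed = build_sample_pe(b"\xc3" * 16, b"PK\x03\x04" + b"\0" * 100)
    print(pe_overlay_size(clean), pe_overlay_size(packed))   # 0 104
```

A non-zero result only tells you that data follows the image; whether that data is an installer payload, a signature block or something else still has to be judged from its content.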

Mark Rotteveel

Jul 27, 2025, 6:32:10 AM
to firebir...@googlegroups.com
I think you're talking about one of the MITRE "warnings" in the report,
but that has nothing to do with the false positives themselves.

Mark
--
Mark Rotteveel

Pavel Zotov

Jul 27, 2025, 6:42:49 AM
to firebird-devel
> what those tests do that they rely on something which is basically a toy example of database encryption.

They just verify the problems described in the appropriate tickets, and that these bugs actually were fixed - no less and no more :-)
There is no complex mathematics or attempts to break encryption, of course.
Several years ago these tests used a proprietary crypt plugin developed by IB Surgeon, but eventually it was decided to switch to the plugin provided in every FB snapshot 'by default'.


Sunday, 27 July 2025 at 12:59:27 UTC+3, Mark Rotteveel:

Pavel Zotov

Jul 27, 2025, 6:44:13 AM
to firebird-devel
> Usual way: a virus sitting as a resident in memory intercept opening and  writing of executables

But in that way any FB executable, e.g. firebird.exe or isql.exe, can be infected, can't it?

Sunday, 27 July 2025 at 13:15:52 UTC+3, Dimitry Sibiryakov:

Dimitry Sibiryakov

Jul 27, 2025, 6:48:50 AM
to firebir...@googlegroups.com
Pavel Zotov wrote 27.07.2025 12:44:
> But in such way any FB executable, e.g. firebird.exe or isql.exe,  can be
> infected, isn't ?

Yes. That's why these reports, which report only several libraries instead of
every executable, are suspected to be false positives.

--
WBR, SD.

Pavel Zotov

Jul 27, 2025, 7:14:10 AM
to firebird-devel
> reports only several libraries instead of every executable, are suspected

So, why can't we just ignore such reports?
Did anybody, in the last ~25 years, encounter some infected .exe or .dll file from an FB package? 8-O


Sunday, 27 July 2025 at 13:48:50 UTC+3, Dimitry Sibiryakov:

Mark Rotteveel

Jul 27, 2025, 8:40:35 AM
to firebir...@googlegroups.com
On 27/07/2025 13:14, Pavel Zotov wrote:
> > reports only several libraries instead of every executable, are suspected
>
> So, why we can't just ignore such reports ?
> Did anybody encounter for last ~25 years with some infected file .exe
> or .dll from FB package ? 8-O
Because people use tools like VirusTotal to make security decisions.
This is not about the fact that anything is infected (once again,
nothing is infected!), it is that such tools can generate false
positives that can confuse people or reduce their confidence in
Firebird, or just create work for us (or bikeshedding discussions like
the last dozen posts or so in this thread).

And if such a false positive is for a non-essential part like a very
basic and essentially insecure example of a security feature, you can
ask yourself if it is not simpler to just not include such an example at
all, than to have to play whack-a-mole with the vendors of such malware
scanners to have the false positive removed (because in a lot of cases,
they will probably just whitelist the specific hash of the file, instead
of fixing their detection, meaning that a next release might be reported
once again).

Mark
--
Mark Rotteveel

F. D. Castel

Jul 30, 2025, 11:28:38 AM
to firebird-devel

Mark, thank you for your thorough analysis and response.

I’ve resubmitted the package for moderation including your remarks, and it has been accepted.

I'm now updating the .nuspec file to include a link to this conversation, as requested by the Chocolatey moderators.
