Firebird flagged as malicious by VirusTotal


MK

Sep 25, 2024, 4:51:44 AM
to firebird-support
Hello,
When I'm downloading the latest Firebird zip Firebird-5.0.1.1469-0-windows-x64.zip, VirusTotal recognizes this:
Trojan.Malware.300983.susgen
Trojan.Kryptik AI.100 (RDML:QM5FSwESTAkekcxSI...)

Why is that? Is it a false positive and can it be avoided?

Best regards,
MK

Mark Rotteveel

Sep 25, 2024, 5:06:29 AM
to firebird...@googlegroups.com
On 25/09/2024 10:49, 'MK' via firebird-support wrote:
> Hello,
> When I'm downloading the latest Firebird zip _Firebird-5.0.1.1469-0-
> windows-x64.zip <https://github.com/FirebirdSQL/firebird/releases/
> download/v5.0.1/Firebird-5.0.1.1469-0-windows-x64.zip>_, VirusTotal
> recognizes this:
> Trojan.Malware.300983.susgen
> Trojan.Kryptik AI.100 (RDML:QM5FSwESTAkekcxSI...)
>
> Why is that? Is it a false positive and can it be avoided?

I fed it into Jotti, and it reported nothing for the virus scanners it
supports: https://virusscan.jotti.org/en-US/filescanjob/7pjaabssmr

Searching for that "Trojan.Malware.300983.susgen", it looks like VirusTotal
(or that MaxSecure scanner) has a habit of reporting it for some
files, without a clear indication why. Similarly,
"Trojan....@AI.100" doesn't give much to go on.

I'd think it is a false positive. Likely it trips over a specific common
DLL file in the binary, or has some kind of signature which is a common
compiler artifact.

Mark
--
Mark Rotteveel

Tomasz Tyrakowski

Sep 25, 2024, 5:08:42 AM
to firebird...@googlegroups.com
On 25.09.2024 at 10:49, 'MK' via firebird-support wrote:
> Hello,
> When I'm downloading the latest Firebird zip *Firebird-5.0.1.1469-0-windows-x64.zip
> <https://github.com/FirebirdSQL/firebird/releases/download/v5.0.1/Firebird-5.0.1.1469-0-windows-x64.zip>*, VirusTotal
> recognizes this:
> Trojan.Malware.300983.susgen
> Trojan.Kryptik AI.100 (RDML:QM5FSwESTAkekcxSI...)
>
> Why is that? Is it a false positive and can it be avoided?
On virustotal.com only 2 engines (out of 40 or so) detect something (and
each of them a different thing), so I'd definitely consider it a false
positive.

regards
Tomasz

Mark Rotteveel

Sep 25, 2024, 5:33:48 AM
to firebird...@googlegroups.com
Looking over the data in the Relations tab of VirusTotal:

1. Something contacts an IP address owned by Microsoft; I don't think
our installer does this, but who knows. Flagged by G-Data and ArcSight
Threat Intelligence engines.
2. The examples\prebuilt\bin\fbSampleExtAuthKeygen.exe and
examples\prebuilt\bin\fbSampleDbCryptApp.exe are flagged by MaxSecure
and Rising engines.
3. The examples\prebuilt\plugins\fbSampleKeyHolder.dll and
examples\prebuilt\plugins\fbSampleDbCrypt.dll are flagged by Cynet engine.

Digging down, it seems to be because those files are built with
debugging symbols. I'm not 100% sure, but I think files with debug
symbols may trigger a look up to a Microsoft server for debugging
symbols, possibly because the PDB files aren't actually included. And
this could also explain point 1.

Interestingly enough, submitting
Firebird-5.0.1.1469-0-windows-x64-withDebugSymbols.zip produces only a
mention from Rising, not MaxSecure, but it is still processing things so
there is no relations tab.

Conclusion: it's a false positive due to the example files.

Mark
--
Mark Rotteveel
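The hypothesis above (binaries built with debug symbols carry a reference to a PDB that is not shipped, which a sandbox may try to resolve from Microsoft's symbol server) can be checked offline before deciding whether a detection is a false positive. The following is an added example, not code from the thread or from the Firebird project: it walks the PE debug directory with the standard library only and lists every CodeView (RSDS) record, i.e. the GUID, age and PDB path a symbol lookup would key on. `build_sample_pe` constructs a minimal PE32+ image purely as test input; the PDB path in it is made up.

```python
import struct
import uuid
def _rva_to_offset(sections, rva):
    # Map a relative virtual address to a file offset via the section table.
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x not backed by any section" % rva)

def pdb_references(data):
    """Return [(guid, age, pdb_path)] for each CodeView (RSDS) record in the PE debug directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (0x70 if magic == 0x20B else 0x60)  # data directory table: PE32+ vs PE32 layout
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 6 * 8)  # entry 6 = IMAGE_DIRECTORY_ENTRY_DEBUG
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    found = []
    if dbg_rva == 0:
        return found
    base = _rva_to_offset(sections, dbg_rva)
    for i in range(dbg_size // 28):  # IMAGE_DEBUG_DIRECTORY entries are 28 bytes; Type sits at +12
        typ, _, _, raw_ptr = struct.unpack_from("<IIII", data, base + i * 28 + 12)
        if typ != 2 or data[raw_ptr:raw_ptr + 4] != b"RSDS":  # 2 = IMAGE_DEBUG_TYPE_CODEVIEW
            continue
        guid = uuid.UUID(bytes_le=bytes(data[raw_ptr + 4:raw_ptr + 20]))
        age = struct.unpack_from("<I", data, raw_ptr + 20)[0]
        path = data[raw_ptr + 24:data.index(b"\0", raw_ptr + 24)].decode("utf-8", "replace")
        found.append((str(guid), age, path))
    return found

def build_sample_pe(pdb_path=b"C:\\build\\examples\\fbSampleDbCrypt.pdb"):
    """Constructed minimal PE32+ with one section holding a CodeView record (test input, not a real Firebird binary)."""
    sec_va, sec_raw = 0x1000, 0x200
    cv = b"RSDS" + uuid.UUID(int=1).bytes_le + struct.pack("<I", 3) + pdb_path + b"\0"
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, len(cv), sec_va + 28, sec_raw + 28)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew: PE header directly after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 158 + struct.pack("<II", sec_va, len(dbg)) + b"\0" * 72
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(dbg) + len(cv), sec_va, 0x200, sec_raw) + b"\0" * 16
    return (dos + coff + opt + sect).ljust(sec_raw, b"\0") + (dbg + cv).ljust(0x200, b"\0")
```

Run `pdb_references(open(path, "rb").read())` on the flagged example binaries from the zip: a non-empty result means the file points at a PDB, and a path that is absent from the archive is exactly what a sandbox's symbol lookup would try to fetch.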

MK

Sep 25, 2024, 5:51:34 AM
to firebird-support
Thank you for your expertise. I wasn't sure about the cryptic issue, but this helps me to understand it better now.

Regards
MK