Trellix security has reported a trojan in file postgis-bundle-pg15x64-setup-3.4.2-1.exe

Okken, James CIV USARMY DEVCOM AC (USA) james.okken.civ at army.mil
Thu Sep 12 05:59:55 PDT 2024


Thank you for the reply Greg and Regina. I hope it is a false positive. Currently I am using 3.4.1 (and skipping 3.4.2) but I will be on the lookout for future versions (i.e. 3.4.3) to test how Trellix handles them.

I will file a report with Trellix and try to report back here any interaction with them. KB97027 might be for a slightly different finding but they do mention resolving that particular issue through whitelisting. So maybe they would do the same here, assuming, as we hope, the 3.4.2 file is in fact clean.

Thanks again!

--Jim Okken
Protection Systems Branch, FCDD-ACW-SA
Phone: 520-684-2228
Cell: 973-809-2112

-----Original Message-----
From: Regina Obe <lr at pcorp.us>
Sent: Thursday, September 12, 2024 1:07 AM
To: 'Greg Troxel' <gdt at lexort.com>; Okken, James CIV USARMY DEVCOM AC (USA) <james.okken.civ at army.mil>
Cc: postgis-devel at lists.osgeo.org
Subject: RE: Trellix security has reported a trojan in file postgis-bundle-pg15x64-setup-3.4.2-1.exe


> "Okken, James CIV USARMY DEVCOM AC (USA)" <james.okken.civ at army.mil>
> writes:
>
> > My Trellix security program (McAfee) has reported a trojan in postgis 3.4.2
> > installer file "postgis-bundle-pg15x64-setup-3.4.2-1.exe"
> >
> > This is as downloaded from either of these locations.
> > https://download.osgeo.org/postgis/windows/pg15/postgis-bundle-pg15x64-setup-3.4.2-1.exe
> > or
> > https://ftp.postgresql.org/pub/postgis/pg15/v3.4.2/win64/postgis-bundle-pg15x64-setup-3.4.2-1.exe
> >
> > Attached is a screenshot of Trellix's detections, 1 per my attempt to
> > download the file.
> > I double confirmed that the previous postgis version 3.4.1 does not have
> > this trojan detected. That is, file "postgis-bundle-pg15x64-setup-3.4.1-1.exe"
> > is good.
>
> Please file a support request with Trellix and ask them to either fix their
> detection or to explain in particular what is present, in enough
> detail that the accusation is credible.   False positives from
> anti-virus programs happen all the time.   It is always possible that
> there really is malware, but I cannot remember that actually happening within
> postgis.

Greg,

Thanks for chiming in on this.  Just got back from foss4gna so catching up on emails.

James,
Someone complained about a Trellix false positive on Windows binaries on the PostGIS IRC/Matrix channel as well a couple of weeks ago. Though I recall it marked even 3.4.1 as malware or infected at the time.

The Detection Name: Artemis -- is the name they give for their heuristic detection system, which seems to be highly prone to false positives.
So it's not the true name of any real known virus or malware, just some AI thing saying "I think this could be dangerous".

For example you can see here -
https://kcm.trellix.com/corporate/index?page=content&id=KB97027&locale=en_US
how Artemis marks even common Linux files as infected.

I tend to not believe virus / malware detection tools if

a) No other tool detects it as infected
b) The virus/malware noted is a code name for some "Heuristic" detection of unspecified malware

Thanks,
Regina
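The two criteria above, turned into a small triage routine. This is an added example and not code from the PostGIS project or from anyone in this thread. It takes a set of per-engine verdicts for one file, treats a hit as "likely false positive" only when a single engine flags it with a generic heuristic label (Artemis is the one named above; the other label patterns are assumptions), escalates when a second engine corroborates or a named malware family is reported, and records the file's SHA-256 so the support request to the vendor identifies exactly which binary was scanned. All engine names, detection strings and file bytes below are constructed.

```python
"""Triage of a single-engine antivirus hit on a downloaded installer.

Added example, not part of the mailing-list thread or the PostGIS project.
Rule of thumb encoded here: a hit deserves less trust when (a) no other
engine flags the same file and (b) the detection name is a generic heuristic
label such as Artemis rather than a named malware family.
"""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# Generic heuristic labels. "Artemis" is the Trellix/McAfee name given in the
# thread; the remaining patterns are assumptions about other vendors' naming
# and should be adjusted to the products actually in use.
GENERIC_HEURISTIC_PATTERNS = (
    re.compile(r"^Artemis\b", re.IGNORECASE),
    re.compile(r"^HEUR[:.]", re.IGNORECASE),        # assumption
    re.compile(r"^Gen(eric)?[:.]", re.IGNORECASE),  # assumption
)


@dataclass(frozen=True)
class Verdict:
    engine: str
    detection: Optional[str]  # None means the engine reported the file clean


def is_generic_heuristic(detection: str) -> bool:
    """True when the detection name is a heuristic label, not a named family."""
    return any(p.match(detection) for p in GENERIC_HEURISTIC_PATTERNS)


def triage(verdicts: List[Verdict]) -> Tuple[str, List[str]]:
    """Classify the verdicts for one file and explain the classification.

    "clean"                 - no engine flagged the file
    "likely-false-positive" - exactly one engine flagged it, with a generic label
    "needs-investigation"   - a second engine agrees, or a named family is reported
    """
    hits = [v for v in verdicts if v.detection]
    if not hits:
        return "clean", ["no engine flagged the file"]
    reasons = [f"{v.engine}: {v.detection}" for v in hits]
    named = [v for v in hits if not is_generic_heuristic(v.detection)]
    if len(hits) > 1:
        reasons.append(f"flagged by {len(hits)} engines")
        return "needs-investigation", reasons
    if named:
        reasons.append("detection is a named family, not a heuristic label")
        return "needs-investigation", reasons
    reasons.append("single engine, generic heuristic label only")
    return "likely-false-positive", reasons


def sha256_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def vendor_report(filename: str, digest: str, verdicts: List[Verdict]) -> str:
    """Text to paste into a support request: file identity plus every verdict."""
    status, reasons = triage(verdicts)
    lines = [f"file: {filename}", f"sha256: {digest}", f"triage: {status}"]
    lines += [f"  - {r}" for r in reasons]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: one heuristic hit, two clean engines.
    sample = [
        Verdict("Trellix", "Artemis!0000DEADBEEF"),  # constructed detection string
        Verdict("EngineB", None),
        Verdict("EngineC", None),
    ]
    print(vendor_report("postgis-bundle-pg15x64-setup-3.4.2-1.exe",
                        sha256_digest(b"constructed installer bytes"), sample))
```

Feeding the same file through a second, unrelated engine is what moves a hit out of the "likely-false-positive" bucket; the hash lets the vendor and the project compare notes on the identical binary rather than on a filename.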
