Virustotal gives hits for misp-2.4.139-1.el7.rpm

[hrleinonen]

It is maybe false positive:
https://www.virustotal.com/gui/file/86d06c191d1943831dd567bc03c0f5a0220efa88ef7a641e03e802898019fc12/detection

CVE is 2013-5331

Regards,

Ville

[adulau]

There are a set of malicious files to test viper. It's most probably what it is triggering VT detection.

./PyMISP/tests/viper-test-files/README.md
./PyMISP/tests/viper-test-files/test_files/string_handling/ascii.txt
./PyMISP/tests/viper-test-files/test_files/string_handling/with blank.txt
./PyMISP/tests/viper-test-files/test_files/string_handling/dümmy.txt
./PyMISP/tests/viper-test-files/test_files/string_handling
./PyMISP/tests/viper-test-files/test_files/sample.oat
./PyMISP/tests/viper-test-files/test_files/sample.vdex
./PyMISP/tests/viper-test-files/test_files/sample1.pe
./PyMISP/tests/viper-test-files/test_files/whoami.exe
./PyMISP/tests/viper-test-files/test_files/sample.macho
./PyMISP/tests/viper-test-files/test_files/ObjectPool-_1398590705-Contents-FLASH-Decompressed1
./PyMISP/tests/viper-test-files/test_files/hello-world.apk
./PyMISP/tests/viper-test-files/test_files/sample.dex
./PyMISP/tests/viper-test-files/test_files/unicode.msg
./PyMISP/tests/viper-test-files/test_files/9afa90370cfd217ae1ec36e752a393537878a2f3b5f9159f61690e7790904b0d
./PyMISP/tests/viper-test-files/test_files/sample2.elf
./PyMISP/tests/viper-test-files/test_files/chromeinstall-8u31.exe
./PyMISP/tests/viper-test-files/test_files/EICAR.com
./PyMISP/tests/viper-test-files/test_files/MachO-OSX-x64-ls
./PyMISP/tests/viper-test-files/test_files/Douglas-Resume.doc
./PyMISP/tests/viper-test-files/test_files/junk2.eml
./PyMISP/tests/viper-test-files/test_files/junk3.eml
./PyMISP/tests/viper-test-files/test_files/junk.eml
./PyMISP/tests/viper-test-files/test_files/MachO-OSX-x86-ls
./PyMISP/tests/viper-test-files/test_files/513a6e4e94369c64cab49324cd49c44137d2b66967bb6d16394ab145a8e32c45
./PyMISP/tests/viper-test-files/test_files/cmd.exe
./PyMISP/tests/viper-test-files/test_files/sample3.pe
./PyMISP/tests/viper-test-files/test_files/shattered-2.pdf
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.tar
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.zip
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.pdf.bz2
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.pw_infected.zip
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.pdf.org
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.pdf.gz
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.7z
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.tbz2
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.pw_infected.rar
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.tar.gz
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.pdf
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.rar
./PyMISP/tests/viper-test-files/test_files/archiver/Mac.pw_infected.7z
./PyMISP/tests/viper-test-files/test_files/archiver
./PyMISP/tests/viper-test-files/test_files/sample.pe
./PyMISP/tests/viper-test-files/test_files/sample1.macho
./PyMISP/tests/viper-test-files/test_files/sample.elf
./PyMISP/tests/viper-test-files/test_files/sample2.pe
./PyMISP/tests/viper-test-files/test_files/sample.art
./PyMISP/tests/viper-test-files/test_files/shattered-1.pdf
./PyMISP/tests/viper-test-files/test_files/c026ebfa3a191d4f27ee72f34fa0d97656113be368369f605e7845a30bc19f6a
./PyMISP/tests/viper-test-files/test_files/58e902cd-dae8-49b9-882b-186c02de0b81.json
./PyMISP/tests/viper-test-files/test_files/tmux
./PyMISP/tests/viper-test-files/test_files

[adulau]

Maybe the test_files could be removed just before the final build of the RPM. @amuehlem what do you think?

[amuehlem]

Great Idea, I'm excluding these files during the RPM build process

[amuehlem]

Thank you for the hint and the tip to remove this files. The 2.4.140 does not contain the viper-test-files.

[hrleinonen]

Just checked the new version 2.4.140 and it is better, there is still files called mail_1.msg, mail_1_bom.eml and mail_1.eml in folder email_testfiles which are detected Trojan-Downloader:JS/Kavala.V. Can you build one more version?

[amuehlem]

I've excluded this files as well, new RPM misp-2.4.140-2.el7.noarch.rpm

@adulau is it a good idea to exclude all files from /PyMISP/tests/?

[adulau]

Sure. The tests are not used for MISP in production. We can safely remove those. Thanks a lot.

[amuehlem]

misp-2.4.140-3.el7.noarch.rpm is uploaded to the repository

[hrleinonen]

Thank you, there is no issues anymore.

[1holygrail]

Great Idea, I'm excluding these files during the RPM build process

Hi All,

I had a similar issue with Defender detecting the test files and other files as malware which I raised here:

MISP/misp-docker#173

Can someone please confirm if this is expected and if the installation of MISP via docker is safe?

Many thanks