Virus in installer? (tr/crypt.xpack.gen7 (cloud))

Hey all,

Ran my Avira Pro antivirus the other day. Came back with one positive in the whonix installer. The detection was listed as "TR/Crypt.XPACK.Gen7 (Cloud)".

Any guidance on how to proceed? Is this a known false positive? Tried to upload the file to Avira for scanning but the installer is larger than their max file size.

Any help?

-Rx

Good day,

First and foremost, did you verify the file?

Secondly, the source is available in full here: GitHub - EgoBits1/Whonix-Windows-Installer: Maintained, InnoSetup and 7-Zip based version of a simple automated installer, setting up Whonix, Whonix-UI and accompanying software.

There is nothing in there.

Have a nice day,

Ego

2 Likes

Hi Ego,

Yes, I did verify the file. That took some doing, the process was definitely outside my base tech skill-level. But as far as I can recall, I was able to verify correctly.

But that process didn’t do a whole heck of a lot to reassure me (involving installing other files to verify), and ultimately, doesn’t guarantee the .exe isn’t infected. It does ensure I have the correct actual whonix file and not some substitute installer, and so then…sure, greatly reduces the likelihood that this was a true positive.

But still… this is a privacy application, so it’s important to get it right.

I’m in the process of having Avira verify the file, and perhaps I’ll try to run the verification process again. If I have any questions about that (and I will), I’ll post again here.

Although, am taking a vacation in a couple days, so this might be delayed a bit.

Best,

-Rx

Good day,

Actually, that is precisely what it is supposed to do. Verifying the installer means checking whether the file you’ve downloaded is in fact identical to the initial compilation done by me. Since the installer is also fully reproducible by anyone and those reproductions are also verifiable in the same manner, that means what you’ve downloaded does in fact use the code I’ve linked you to earlier which does not contain any kind of “virus”.

It can thus be expected that this is a false positive. I will later try to reproduce this behaviour myself though.

Have a nice day,

Ego

2 Likes
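As an added illustration of the two checks this exchange describes (example code, not anything from the Whonix installer project), the script below separates the question "is my download byte-identical to what the maintainer published?" from "do independent rebuilds of the public source agree with it?". The sample installer bytes and the published digest are constructed stand-ins.

```python
import hashlib
import hmac
from typing import List

# Constructed stand-in for a downloaded installer (not real Whonix installer bytes).
SAMPLE_INSTALLER = b"MZ\x90\x00constructed-installer-image-v1"

# Constructed stand-in for the digest the maintainer publishes beside the download
# (a real release would ship it in a signed checksum file, not a hard-coded string).
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of an artifact, fed to the hasher in 64 KiB chunks."""
    h = hashlib.sha256()
    chunk = 1 << 16
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def matches_published(data: bytes, published: str) -> bool:
    """Check 1: the download is identical to the maintainer's published build.
    Constant-time comparison so the check itself leaks nothing about the digest."""
    return hmac.compare_digest(sha256_of(data), published.strip().lower())


def reproductions_agree(builds: List[bytes]) -> bool:
    """Check 2: independent rebuilds from the public source all hash the same.
    Agreement ties the shipped binary to the linked source; it does not, by itself,
    say the source is clean, which is the remaining point raised in the thread."""
    return len({sha256_of(b) for b in builds}) == 1


def verdict(download: bytes, published: str, rebuilds: List[bytes]) -> str:
    """Combine both checks into the conclusion a user can draw about an AV hit."""
    if not matches_published(download, published):
        return "download differs from published digest: do not run it"
    if not reproductions_agree(rebuilds + [download]):
        return "binary is not reproducible from source: AV hit stays unresolved"
    return "download matches a reproducible build of public source: likely false positive"


if __name__ == "__main__":
    # Two constructed "independent rebuilds" that happen to match the download.
    print(verdict(SAMPLE_INSTALLER, PUBLISHED_SHA256, [SAMPLE_INSTALLER, SAMPLE_INSTALLER]))
```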

Yeah, I guess that’s what I said, or meant to say. Verifying confirms that the file downloaded is the original intended ‘source’ file. It doesn’t mean that the original intended source file is not infected somehow. Of course, as before, I admit that in that case, it is very (very) unlikely that the file is infected. Because that would mean that the creator of the file infected it, or it got infected somewhere ‘at the source’.

At any rate, Avira has given the file a clean bill of health. No trojan.

So thank you for your attention to the matter, I appreciate the feedback and communication; apologies for any inconvenience. But I did get a detection, did want to check it out, did check it out, and now everything’s great!

-Rx