This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Cygrunsrv behaviour triggers Anti-Virus Program

Andy Koppe wrote:
> 2009/11/13 Jacob Jacobson:
>> Output of Kaspersky Anti-Virus 6.0
>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Process is trying to
>> inject into another process. This behavior is typical of some malicious
>> programs (Invader)
>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE "Quarantine" action
>> is selected
>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Forced to terminate
>> the process.
>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE File quarantined.
>> Output of Kaspersky Anti-Virus 6.0
> Send that to Kaspersky. Cygwin isn't gonna be changed to work around
> that sort of crap.

  BLODA in full effect.  It is designed to stop you running anything that
behaves like forking, just in case what you were running wasn't meant to be
doing that; therefore it is a crude and indiscriminate filter and must
inevitably suffer false positives.

  The problem is that there's no easy way for a simple-minded computer program
to tell the difference between "suspicious process injecting itself into
another", and "legitimate user-directed application attempting to emulate
posix fork semantics".  It is unfortunate, but a lot of the things that Cygwin
*has* to do are exactly like a lot of the things that some viruses do; hence
we run up against the limits of heuristic behaviour blockers.


Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]