Trend Micro flagged 'jq' as Trojan.SH.HADGLIDER.TSE, installing on Ubuntu under WSL (Windows Subsystem for Linux)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
jq (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
I had a virus scanner go off in a GitLab server. The detected file is "jq".
We are curious why the virus scanner triggers on the latest version in the apt repositories, jq 1.6-1.
The downloaded 1.6 linux tarball from the jq site doesn't trigger the scanner.
=================
The problem is ALSO described here:
https:/
Here is an excerpt from this issues database.
Trend Micro flagged 'jq' as Trojan.
Description
Not sure how actionable this is, but I thought it might be good to log a bug, in case others have this happen: I tried to install 'jq' under Ubuntu installed in the WSL subsystem of Windows 10, the usual way, via sudo apt install jq. This Windows is running Trend Micro OfficeScan, an antivirus tool, which flagged it as a security threat: Trojan.
Trend Micro ends up blocking the final step (copy or rename of file /usr/bin/
Workaround
So, the workaround was: I ended up doing that copy manually, just by doing sudo cp /usr/bin/
Now I just have to hope there isn't really malware in that file... ;-)
Environment and Version Info
o jq is 1.6-1 (it had downloaded /var/cache/
o The Trend Micro "Smart Scan Agent Pattern" version is 16.173.00.
o Windows 10 is version 1903 (OS Build 18362.1016).
o Ubuntu is Ubuntu 20.04 LTS (Focal Fossa).
o We are currently using WSL1, not WSL2.
information type: Private Security → Public Security
Thank you for bringing this to our attention and doing so with a private report.
This is not the first time a common benign Linux utility running in WSL has been flagged by antivirus on Windows.
Example: https://github.com/microsoft/WSL/issues/4757
What I suspect is happening is that some Windows malware includes Windows builds of utilities like jq or GNU tools and/or download them as part of their payload.
This resembles malware behavior that occasionally results in binaries in WSL being flagged by antivirus, sometimes even by Windows Defender.
Kaspersky will so aggressively detect R binaries as malware it will corrupt some Windows machines: https://github.com/microsoft/WSL/issues/4716
This happens more often on WSL 1 where the WSL file system is fully extracted to C:\Users\<user>\AppData\Local\Packages\Ubuntu...\LocalState\rootfs\.
It is something to log and be aware of, but it is very unlikely to be actual malware.
To be on the safe side, I would run them through virustotal and if there are no hits, report as a false positive to Trend Micro.
Thank you!
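Before treating an antivirus hit on a distro-packaged binary as a false positive, the check a defender wants is whether the file on disk still matches what the package manager installed. The script below is an added example and not part of this bug report or of the jq or Ubuntu projects; it assumes the dpkg `md5sums` manifest format (`<md5>  <path relative to />`, as found under `/var/lib/dpkg/info/<package>.md5sums`) and uses a constructed manifest and a constructed stand-in for `/usr/bin/jq` so that it runs offline. It also prints the SHA-256 of the file, which is what you would look up (rather than upload) on VirusTotal.

```shell
#!/bin/sh
# Added example, not code from the bug report. Verifies a file against a
# dpkg-style md5sums manifest and prints its SHA-256 for a hash lookup.
# On a real Ubuntu system the manifest is /var/lib/dpkg/info/jq.md5sums and
# the root is /, so the equivalent one-liner is "dpkg -V jq".

# verify_against_manifest MANIFEST ROOT RELPATH
# Exit status: 0 = file matches the recorded checksum,
#              1 = checksum differs (file modified or replaced),
#              2 = RELPATH is not listed in MANIFEST at all.
verify_against_manifest() {
    manifest="$1"; root="$2"; rel="$3"
    # Manifest lines look like: "d41d8cd9...  usr/bin/jq"
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$manifest")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# sha256_of FILE: print the hex SHA-256 digest only (for a VirusTotal lookup).
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Self-contained demo with a constructed root filesystem and manifest.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin"
    printf 'constructed stand-in for the jq binary\n' > "$tmp/root/usr/bin/jq"
    # Build the manifest the way dpkg records it: relative path, no leading "/".
    ( cd "$tmp/root" && md5sum usr/bin/jq ) > "$tmp/jq.md5sums"

    if verify_against_manifest "$tmp/jq.md5sums" "$tmp/root" usr/bin/jq; then
        echo "usr/bin/jq matches the package manifest; sha256=$(sha256_of "$tmp/root/usr/bin/jq")"
    else
        echo "usr/bin/jq does NOT match the package manifest (rc=$?)"
    fi

    # Simulate a modified binary and check again.
    printf 'tampered' >> "$tmp/root/usr/bin/jq"
    if verify_against_manifest "$tmp/jq.md5sums" "$tmp/root" usr/bin/jq; then
        echo "after modification: still matches (unexpected)"
    else
        echo "after modification: checksum mismatch detected (rc=$?)"
    fi
    rm -rf "$tmp"
}

demo
```

A match against the package manifest means the flagged file is exactly the one shipped in the Ubuntu package, which is the evidence to attach when reporting a false positive; a mismatch, or a path missing from the manifest, is the case that deserves a closer look rather than a whitelist entry.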