/usr/bin/jq suddenly flagged as malware on many AV engines
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
jq (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Some of my users use Windows 10 and run 20.04 LTS (Focal Fossa) in WSL.
We use jq a lot. Last week users reported that jq was not working / missing and they were unable to reinstall with apt.
Users having installed Ubuntu on bare metal or using it in a VM were not affected, only the WSL crowd.
Windows Defender logs showed that it had quarantined /usr/bin/jq as Trojan:
I compared the sha256sum from affected systems to a fresh install of jq from the Ubuntu repo. It is bcfa215dec8fe15
We reported it to Microsoft and they agreed it was a false positive and they would update definitions.
A few days later the issue reoccurred. This time Microsoft classified it as Trojan:
We contacted them again to report it as a false positive, but this time they closed our submission and said that the detection of /usr/bin/jq as Trojan:
There is an issue open on jq's GitHub about it too: https:/
I see one security firm claimed that jq is an IOC for a crypto mining worm:
https:/
None of our systems show indications of compromise, worm activity or anything. I maintain that this seems to be a false positive. What can we do?
lsb_release -rd
Description: Ubuntu 20.04 LTS
Release: 20.04
apt-cache policy jq
jq:
Installed: 1.6-1
Candidate: 1.6-1
Version table:
*** 1.6-1 500
500 http://
100 /var/lib/
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: jq 1.6-1
ProcVersionSign
Uname: Linux 5.4.0-29-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.6
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Tue Aug 25 17:26:40 2020
InstallationDate: Installed on 2019-05-01 (481 days ago)
InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
SourcePackage: jq
UpgradeStatus: No upgrade log present (probably fresh install)
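The reporter backed the false-positive claim by comparing the sha256sum of the quarantined binary with a fresh install from the Ubuntu repo. The script below is an added example, not part of the bug report or of the jq or Ubuntu projects, showing how to make that comparison reproducible on a WSL or bare-metal host: it checks a file against the md5sums list dpkg records at install time and against a known-good sha256 (full hash or a prefix, since the report quotes only the leading hex digits). The real dpkg list for jq lives at /var/lib/dpkg/info/jq.md5sums; the demo builds a constructed stand-in under a temporary directory so it runs anywhere with coreutils, and then simulates a modified file to show both checks failing.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes coreutils: md5sum,
# sha256sum, awk, mktemp. Paths in dpkg's *.md5sums files are relative to /.

# verify_against_md5sums FILE MD5SUMS_FILE
# Returns 0 if FILE's md5 matches the recorded one, 1 on mismatch,
# 2 if the list has no entry for FILE.
verify_against_md5sums() {
    file="$1"
    list="$2"
    rel="${file#/}"
    expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$list")
    if [ -z "$expected" ]; then
        echo "no dpkg record for $file in $list" >&2
        return 2
    fi
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# verify_sha256 FILE EXPECTED
# EXPECTED may be the full hash or a leading prefix of it.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    case "$actual" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# demo_check: constructed stand-ins for /usr/bin/jq and jq.md5sums.
# Returns 0 when the intact file passes and the modified file fails both checks.
demo_check() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin"
    # Constructed stand-in for the binary; this is NOT the real jq.
    printf 'stand-in for /usr/bin/jq\n' > "$d/usr/bin/jq"
    # Constructed stand-in for /var/lib/dpkg/info/jq.md5sums (dpkg format: "md5  path").
    printf '%s  %s\n' "$(md5sum "$d/usr/bin/jq" | awk '{ print $1 }')" \
        "${d#/}/usr/bin/jq" > "$d/jq.md5sums"
    good=$(sha256sum "$d/usr/bin/jq" | awk '{ print $1 }')

    # Intact file: both checks pass (prefix match mirrors the truncated hash in the report).
    verify_against_md5sums "$d/usr/bin/jq" "$d/jq.md5sums" || return 1
    verify_sha256 "$d/usr/bin/jq" "$(printf '%s' "$good" | cut -c1-15)" || return 1

    # Simulated modification: both checks must now fail.
    printf 'x' >> "$d/usr/bin/jq"
    verify_against_md5sums "$d/usr/bin/jq" "$d/jq.md5sums" && return 1
    verify_sha256 "$d/usr/bin/jq" "$good" && return 1

    rm -rf "$d"
    return 0
}

if demo_check; then
    echo "integrity checks behave as expected"
else
    echo "demo failed" >&2
fi
```

On an affected host the call would be `verify_against_md5sums /usr/bin/jq /var/lib/dpkg/info/jq.md5sums`; `dpkg -V jq` performs the same md5 comparison for every file the package owns. A match against the installed package and against a hash taken from a clean install is evidence that the file is the unmodified repo build, which is exactly what a false-positive submission to the AV vendor needs; a mismatch is the case that warrants incident handling rather than a resubmission.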