I was updating wget this morning and Symantec notified me of trojans detected in locale.exe and tzset.exe.
Does this mean my cygwin installation is infected?
This is most likely a false positive. Trojan.ADH.2 is a name Symantec uses to identify heuristically detected "unknown" threats -- i.e. things that don't match the signature of any known threat but have qualities that make Symantec suspicious. A quick web search suggests that false positives identifying this threat are quite common. Cygwin's FAQ also suggests that their product in general tends to spook antivirus software.
A thread on the Norton forums contains instructions to restore the files from quarantine, exclude the files from future scanning, and submit samples of them to Symantec engineers so they can adjust the heuristic to avoid that particular class of false positive.
I had the exact same problem after I updated yesterday, but my SSH keys are all fine. It is almost definitely a false positive from Symantec. Unfortunately Symantec also decided to --delete-- my executables instead of quarantining them.
Just in case you've encountered the same problem, you can re-install these executables by rerunning the Cygwin installer and choosing to re-install the cygwin / coreutils / cygutils packages.
I submitted the false positive request for locale.exe to Symantec and they have verified my submission. They will distribute new definitions by LiveUpdate which removes detection for locate.exe.
But sorry, I had no problem with tzset.exe, so the status of this one is still unknown...
Update from July 2014: Symantec again uses the (obviously crazy) Trojan.ADH.2 heuristics to label Cygwin's latest col.exe, tzset.exe, and locale.exe as viruses (for the quarantine or deletion thereof).
So any learning that Symantec did last year has worn off.
I have also submitted these to Symantec as false positives; they have (again?) verified their tool is rogue:
In relation to submission [3576111].
Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.
The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at ...