Antivirus, Lots of false positives here?

Ran Clam, picked up 6 instances of Win.Malware.Razy-9856673-0, all in iexplore.exe on my PlayOnLinux installs. Also picked up PUA.Win.Packer.Ep-7 in Lutris runners and PlayOnLinux. Assuming these are all false positives? Only installed software using ‘Software’ in Gnome and with fresh downloads from GOG…
Thanks
Giz

Submit the files to an online antivirus service to check.

https://www.virustotal.com/gui/home/upload

Well, since they are from Windows emulating software, they could be true positives…


Potentially Unwanted Applications (PUA) are not malware

ClamWin Free Antivirus :: View topic - Abt Pua.win32.packer
Please turn off PUA detection, and do not use it again. It is broken!

PUA detection (Potentially Unwanted Applications) is for detecting files that are packed with packers used by malware or tools that could be used by malware (such as keyloggers, remote admin tools, some scripts, etc.). The problem is that both malware and “good” programs can use the same packers…

…Use ClamWin to detect real viruses, not PUA.

But Win.Malware.Razy may not be a false positive.

Just don’t run Internet Explorer. :wink:

Sorry for the slow reply guys… been unexpectedly offline for a week! Thanks for the info on Razy - I will need to look into that. But am I safe in using my Manjaro system considering this is appearing in files used by PlayOnLinux?

Thanks
Giz

If you have malware you’re not safe, whether it is in PlayOnLinux or not. Make sure to clean your system of malware before trying to run your malware-infected environments.

https://www.google.com/search?q=Win.Malware.Razy-9856673-0

No comment…

Please comment because it is not helping to be cryptic like that.


Whilst my questions may seem simple or stupid, I’m new to Linux and security in general. I have always used Windows and had the mentality of software doing its thing, especially AV. So I’m learning and asking questions, and I hope that these forums can be a place where I can learn things and not be made to feel stupid.

So I have done some digging and here is what I found. Clam has found ‘Win.Malware.Razy’ in 6 instances of iexplore, which are located under PlayOnLinux and distributed as part of Wine when I looked to install my copy of Flashback.

From the 6 instances of iexplore, the SHA256 checksum indicates that there are 3 distinct versions of iexplore. Scanning each of these files with VirusTotal, the first variation is flagged by 3 AV vendors, the second by 29 and the third by 33.

  1. Does this mean the files installed with PlayOnLinux have been compromised? (and how should this be reported?)
  2. Would this mean running iexplore (as Wine automatically happened on my system) would cause infection within my Manjaro install? (is there a way to check?)

Thanks
Giz

That depends entirely on how you got the file in question.

If the file is distributed as a part of Wine - that is, you can directly track it to the Wine repository - there is no need to worry.

But if you got the file as part of a complicated download script where you have no idea where the packages are pulled from - then you should worry.

Normally Windows malware cannot work on a Linux system, BUT when you installed Wine you opened a door, and in the context of Wine malware will be able to execute in the current user context.

Whether it succeeds will very much depend on the code - if it utilizes the Windows API in a way which is not implemented in Wine (binary form) - or if it is an embedded macro in a document - even JavaScript embedded in a PDF has been used to deliver the payload.

The only consequence is to your user files - unless you run Wine as root (yes - some have done it) there is no immediate danger to your system.
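The two checks discussed above (grouping the iexplore.exe copies by SHA-256 as in the earlier post, and tracing each distinct copy back to what the installed Wine package ships) as a small POSIX shell script. This is an added example, not code from the thread; it assumes a reference directory holding the package's own copies (on Manjaro, `pacman -Ql wine | grep iexplore.exe` lists where the package installs them) and runs its demo on a constructed temporary tree.

```shell
# Added example, not from the thread: inventory every copy of a file name under
# a tree, group the copies by SHA-256, and report which distinct hashes also
# appear among reference copies (e.g. the ones the distro's wine package ships).

# $1 = directory to search, $2 = file name; prints "<sha256>  <path>" per file.
hash_copies() {
    find "$1" -type f -name "$2" -exec sha256sum {} +
}

# $1 = prefixes dir, $2 = reference dir, $3 = file name.
# Prints one line per distinct hash: "KNOWN|UNKNOWN <hash> copies=<n>".
# KNOWN means the hash matches a reference copy; UNKNOWN deserves a closer look.
classify_copies() {
    refs=$(hash_copies "$2" "$3" | awk '{print $1}' | sort -u)
    hash_copies "$1" "$3" | awk '{print $1}' | sort | uniq -c |
    while read -r n h; do
        if printf '%s\n' "$refs" | grep -qx "$h"; then
            printf 'KNOWN %s copies=%s\n' "$h" "$n"
        else
            printf 'UNKNOWN %s copies=%s\n' "$h" "$n"
        fi
    done
}

# Demo on a constructed tree (assumed layout, not real wine paths): two
# reference copies and four prefix copies, three matching a reference and
# one that differs from anything the package ships.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/ref/a" "$t/ref/b" \
        "$t/pfx/game1/w" "$t/pfx/game2/w" "$t/pfx/game3/w" "$t/pfx/game4/w"
    printf 'wine-shipped iexplore v1\n' > "$t/ref/a/iexplore.exe"
    printf 'wine-shipped iexplore v2\n' > "$t/ref/b/iexplore.exe"
    cp "$t/ref/a/iexplore.exe" "$t/pfx/game1/w/iexplore.exe"
    cp "$t/ref/a/iexplore.exe" "$t/pfx/game2/w/iexplore.exe"
    cp "$t/ref/b/iexplore.exe" "$t/pfx/game3/w/iexplore.exe"
    printf 'something else entirely\n' > "$t/pfx/game4/w/iexplore.exe"
    classify_copies "$t/pfx" "$t/ref" iexplore.exe
    rm -rf "$t"
}

# Number of distinct hashes in the demo that match no reference copy.
demo_unknown_count() { demo | grep -c '^UNKNOWN'; }
```

Point the first argument at `~/.PlayOnLinux/wineprefix` (or your Lutris prefixes) and the second at the directory the package lists to run it on a real system.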

The question is what did you install to eventually have malware in the Wine prefix. I would suggest you installed cracked Windows software; this is the most probable cause I would imagine, because I tried to install something that I may or may not have acquired legally, in a new Wine prefix, and no surprise, I found with clamav that I have in this specific Wine prefix multiple iexplorer.exe files with Razy malware in them.

All my legit Wine prefixes seem to be clean with a scan of clamav.

Thanks @linux-aarhus - in my case PlayOnLinux was installed via the package manager and the game itself was my Windows version of Flashback, which I bought from GOG.com.

This is actually turning into a little mystery, which I think I’m going to use as a learning exercise and have a play at trying to recreate it in a virtual machine.

@omano - it was a legitimate copy of Flashback I bought through GOG.com!

So I don’t know, I didn’t find any of these Razy iexplorer in my various Wine games, from Steam, or Lutris (with various Wine versions), but found it in my Lutris “Place Of Business 2019” failed installation.

Was this a legit copy of Place of Business 2019?

If so, I wonder if it’s a specific version of Wine?

Still getting my head round all this stuff, so just a guess really.

Amazed…

When one posts a problem and that Google search shows the very post as the first result + two others referring to 11 years ago…

What is your conclusion?

That you should do a better Google search?

No, it wasn’t.

No change: it just creates suspicion of old warez use.