
Gimp is a Trojan? [Resolved as a FP]

truthseeker - August 20, 2009 - 6:19pm

I use ClamWin Portable, and it says this about portable Gimp.

J:\PortableApps\GIMPPortable\App\gimp\bin\gimp-2.6.exe: Trojan.Agent-121386 FOUND
J:\Vista\Portablepps\GIMPPortable_2.6.7_Rev_3.paf.exe: Trojan.Agent-121386 FOUND

False positive? If so, how can I be sure?

[Resolved: update to latest db, 9727. Clam has confirmed a false positive, see below. Mod Tim 08/23/09 2:30 CDT USA]


I get the same trojan warning

I get the same trojan warning when scanning with clamwin portable, but not when scanning with other scanners (norman and outpost). I just downloaded a fresh gimp version from the website, but also that file gives the trojan in clamwin.
I don't know how to interpret this and what to do with it.

Some advice would be helpful.

See the very bottom of this

See the very bottom of this page:
http://portableapps.com/support

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!” Richard Feynman

SCOTT, you are hinting that

SCOTT, you are hinting that it's a false positive report.

However, how can we be 100% sure it's a false positive report in ClamWin?

Maybe ClamWin is detecting a genuine threat in Gimp, and the other AV's at Virustotal are missing a genuine threat.

As you will admit, NO AV can detect every single new threat out there.

Gimp may be a false positive and maybe not.

I am removing portableapps Gimp to be certain, because portableapps ClamWin reports it as a Trojan, and nobody can 100% guarantee me that it's a ClamWin false positive.

Following your logic you can

Following your logic you can never be sure something is not infected and you should stop downloading files from the internet immediately.

If a virus alarm is not picked up by other vendors a day or two after being submitted to the multitesting sites, it is almost certainly a false positive.
http://www.virustotal.com/
http://virusscan.jotti.org/

ClamAV has a fairly high (IMO) FP rate. It should be used as a guide for further investigation, not as definitive determinate.

Have you actually tried to submit the sample to ClamAV to have them investigate further ?
http://cgi.clamav.net/sendvirus.cgi

Tim

Things have got to get better, they can't get worse, or can they?

Tim, when you say, "Following

Tim, when you say, "Following your logic you can never be sure something is not infected and you should stop downloading files from the internet immediately", that shows your reasoning is flawed and in error. And I will explain why.

Not "everything" is showing up as being infected with a Trojan, so your reasoning is flawed.

Secondly, Your comments come from childishness and insecurity, showing you are getting very defensive about portableapps.

Thirdly, grow up for goodness sake Tim before you make such a silly comment again using flawed reasoning.

I repeat, ONLY Gimp portable is showing up as being infected, not everything on my PC. So I will continue to use internet to download files, but as soon as they are indicated as being infected as your portableapps Gimp is, then they are removed immediately.

Watch the attitude please !

You said "As you will admit, NO AV can detect every single new threat out there."

Which means that there could be a virus out there that is not detected by your AV or Any other, so logically it is dangerous to download anything.

and by the way, "...showing you are getting very defensive about portableapps"
I said absolutely nothing about portableapps.

And I ask again, "Have you actually tried to submit the sample to ClamAV to have them investigate further ?"

Try not to fall back into your old ways of just being annoying.

Tim


Follow Up and Conclusion

As anticipated, the latest update to the ClamAV data base, 9277, from last night, has removed the False Positive for the installer and gimp-2.6.exe .

Much thanks to whoever took the time to report it to them ;)

A full scan with ClamWin of Gimp shows it is clean, as it always was.

Tim


ATTENTION: Tim

Tim,

1. Your reasoning is flawed again, showing your low awareness of not thinking outside the box. If an AV reports my PC as clean, I am happy and confident, even though I realise no AV detects everything. However, if an AV reports a Trojan as ClamWin did about Gimp, then I remove the program immediately.

2. Stop always getting so defensive when someone brings up a challenge about portableapps. It exposes your low self-esteem and insecurities. Instead handle feedback and challenges maturely, and not like a child.

3. Yes, submitted and now it shows as clean :) So now I am using Gimp again :)

4. Tim, stop being so annoying and so self-righteous and condescending. You are not above us common folk, so don't convince yourself you are someone special as you are not.

Please Stop

It was a false positive, as has happened many times before, and will probably happen again. VirusTotal showing only 1 or 2 reports is an accepted indicator of a false positive throughout the tech world. If you choose another way, that's fine. But, in the future, please use our standard method of running it through VirusTotal and/or Jotti to determine whether it is a valid report before reporting it in the forums.

And please stop taking offense at every suggestion you receive. It seems like you were looking for a battle right from when someone first pointed out our standard policy on the support page. This is not necessary. People are here working together in the forums to make things better for everyone. Even if you perceive a slight, turn the other cheek, let it go, and move on. Every post is not a battle to be won. Everyone (you, Tim, myself, the other thread readers) has more important things we can be doing.

Sometimes, the impossible can become possible, if you're awesome!

By saying that you can never

Saying that you can never be sure something is not infected is not flawed. Why? There is not, I repeat NO antivirus that is 100% effective, so even if it says the file is safe, that doesn't mean that it is. It just means that particular antivirus/definition database didn't see it as an issue.

So, technically, TimClark was right in his comment. By trusting one antivirus over another, you are saying it's superior. Which in many cases it's not. Just see my post a few comments down about AV-Comparatives. And therein lies the point. NOTHING is 100% effective at detecting viruses, nor is anything 100% effective at detecting that something isn't a virus, therefore reporting a false positive as we see here.

And, VirusTotal is not a third party program out there, they are more the standard in virus detection.

And please, keep your cool and stop the personal attacks.

Dodgy advice

That "support" page gives some seriously dodgy advice.

It's a bit like saying "If a program is detected as having a virus - it isn't really infected, just keep trying other antivirus programs until one doesn't detect it, and then you'll know you're safe".

It completely ignores the fact that an antivirus company might actually have found a new virus - and you've already been infected with it!

That "Support" page really should be updated to give better advice - atm, it's just plain dangerous.

It would be safer to say "quarantine the file in question, and do not run it, then check it again (with the same antivirus software) after 48 hours. If it was a false positive, the antivirus signatures will most likely have been updated within this time to prevent a false positive. If it's still detected, it could be a problem".
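The re-scan comparison suggested in the post above, as an added example that is not part of the original thread: it parses two ClamAV-style scan logs (`path: OK` / `path: Signature FOUND`) taken before and after a signature update and reports which detections cleared. The two GIMP lines are the ones quoted in this thread; every other log line, the third file and the signature `Example.Signature-1` are constructed.

```python
import re

# Constructed sample logs. Only the first two "before" lines come from the thread.
SCAN_BEFORE = r"""
J:\PortableApps\GIMPPortable\App\gimp\bin\gimp-2.6.exe: Trojan.Agent-121386 FOUND
J:\Vista\Portablepps\GIMPPortable_2.6.7_Rev_3.paf.exe: Trojan.Agent-121386 FOUND
J:\Downloads\sample.exe: Example.Signature-1 FOUND
Infected files: 3
"""
SCAN_AFTER = r"""
J:\PortableApps\GIMPPortable\App\gimp\bin\gimp-2.6.exe: OK
J:\Vista\Portablepps\GIMPPortable_2.6.7_Rev_3.paf.exe: OK
J:\Downloads\sample.exe: Example.Signature-1 FOUND
Infected files: 1
"""

# Greedy path match so the colon in a Windows drive letter ("J:") is not
# mistaken for the path/verdict separator.
LINE = re.compile(r"^(?P<path>.+): (?:OK|(?P<sig>\S+) FOUND)$")

def parse_scan(log):
    """Map each scanned path to its signature name, or None when reported OK."""
    results = {}
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:  # blank lines and summary lines do not match
            results[m.group("path")] = m.group("sig")
    return results

def compare(before, after):
    """Classify every path flagged in the first scan by the re-scan result."""
    old, new = parse_scan(before), parse_scan(after)
    report = {}
    for path, sig in old.items():
        if sig is None:
            continue                        # was clean in the first scan
        if path not in new:
            report[path] = "not rescanned"  # keep quarantined, no verdict yet
        elif new[path] is None:
            report[path] = "cleared"        # updated signatures no longer match
        elif new[path] == sig:
            report[path] = "persists"       # still detected, investigate further
        else:
            report[path] = "changed"        # flagged under a different name
    return report

if __name__ == "__main__":
    for path, status in compare(SCAN_BEFORE, SCAN_AFTER).items():
        print(f"{status:14} {path}")
```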

Not sure what the "seriously

Not sure what the "seriously dodgy" advice is ?
Submitting a file for further testing is the logical thing to do if you got it from a site that you have a good amount of confidence in.

As I said above, "IF" after a day or two [you recommend 48hrs] the other AV vendors have not picked it up, that should raise the confidence level.
That is very different than trying to find ONE that says the file is ok.

Folks need to use logic, caution, and common sense.

Tim


As is yours

Dodgy advice is far from the truth.

Just because the site says that you should test it with MORE than one av scanner, it DOES NOT say to keep scanning until you find a scanner that doesn't find it as an issue. In fact, here is what is said:

If you encounter a false positive, please test the file in another antivirus product before reporting the issue to us in the forums to ensure that it's not an error in their software.

That is good, solid, true advice. It says to test the file with more than one scanner to ensure that it is not a false positive, as many different scanners will find many different false positives, as described by the third party organization AV-Comparatives.

So, before you attack anything else on the site for being "dodgy advice", please ensure that you've read the item in question in its entirety. You seem to have a habit of doing so on this site very often, without any true support or factual information to back up your opinions.

In the future, it would be good form and very courteous to keep your uninformed opinions to yourself before you accuse people/organizations of something that they have not done.

Thanks :)

And to the OP - Yes, this is a false positive. It is VERY unlikely that John T. Haller would allow anything that could be potentially harmful to your computer be posted, hosted, and endorsed by PortableApps.com

Ok...

@truthseeker,

Yes, I am hinting at a FP.

I will admit (and even suggest this myself) that NO av product will detect 100% of malware out there.

When I see this kind of thing on the avast! forum, the first thing that I (and many others) will do is advise the user to upload it to virustotal etc. to confirm/correct the suspicion of the detection. In my experience, a file with a minimal amount of detections on something like virustotal is most likely a false positive.

Next is to send the file to the av company (in my case avast!) with the reasons why I believe that it is a FP. One of the main considerations in this case would be the involvement of not only John (et al) here, but Sourceforge and the gimp devs also.
(As suggested by Tim Clark also)
This will often result in the company responding with 'yes it is infected/no it is clean, we will correct it.'

@jamcomm,

I agree with Tim Clark and Gizmokid here, the advice is to investigate further, as opposed to ignore the issue, why would anyone suggest this?

@all,

I personally would not rely on clam as a first line of defense, mainly because it has no real time scanning. I will occasionally use it as a second opinion...
One other issue I have with Clam, is that they don't encrypt their virus database, causing other AVs to detect it and alert to it, up to the point where another av should have to implement a change on their side to resolve the issue...this should not be the way...

-Scott-

Wow...long post...sorry for the story guys... :D


What have portableapps users come to???

Let me give you a short version...

There is (guaranteed) NO virus in any of the supported portableapps (period)

These are simply false positives that all these so-called "anti-virus programs" find.

If you just search the website you will find PLENTY of examples of false positives.