You are here

Gimp is a Trojan? [Resolved as a FP]

16 posts / 0 new
Last post
truthseeker
truthseeker's picture
Offline
Last seen: 12 years 5 months ago
Joined: 2008-07-30 20:32
Gimp is a Trojan? [Resolved as a FP]

I use ClamWin Portable, and it says this about portable Gimp.

J:\PortableApps\GIMPPortable\App\gimp\bin\gimp-2.6.exe: Trojan.Agent-121386 FOUND
J:\Vista\Portablepps\GIMPPortable_2.6.7_Rev_3.paf.exe: Trojan.Agent-121386 FOUND

False positive? If so, how can I be sure?

[Resolved: update to latest db, 9727, Clam Has confirmed a False Positive, see Below, Mod Tim 08/23/09 2:30 CDT USA]

Antignor
Offline
Last seen: 15 years 3 months ago
Joined: 2009-08-21 06:40
I get the same trojan warning

I get the same trojan warning when scanning with clamwin portable, but not when scanning with other scanners (norman and outpost). I just downloaded a fresh gimp version from the website, but also that file gives the trojan in clamwin.
I don't know how to interpret this and what to do with it.

Some advice would be helpful.

spg SCOTT
spg SCOTT's picture
Offline
Last seen: 12 years 4 months ago
Joined: 2008-08-26 14:11
See the very bottom of this

See the very bottom of this page:
https://portableapps.com/support

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

truthseeker
truthseeker's picture
Offline
Last seen: 12 years 5 months ago
Joined: 2008-07-30 20:32
SCOTT, you are hinting that

SCOTT, you are hinting that it's a false positive report.

However, how can we be 100% sure it's a false positive report in ClamWin?

Maybe ClamWin is detecting a genuine threat in Gimp, and the other AV's at Virustotal are missing a genuine threat.

As you will admit, NO AV can detect every single new threat out there.

Gimp may be a false positive and maybe not.

I am removing portableapps Gimp to be certain, because portableapps ClamWin reports it as a Trojan, and nobody can 100% gurantee me that it's a Clamwin false positive.

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Following your logic you can

Following your logic you can never be sure something in not infected and you should stop downloading files from the internet immediately.

If a virus alarm is not picked by by other vendors a day or two after being submitted to the Multitesting sites it is almost certainly a false positive.
http://www.virustotal.com/
http://virusscan.jotti.org/

ClamAV has a fairly high (IMO) FP rate. It should be used as a guide for further investigation, not as definitive determinate.

Have you actually tried to submit the sample to ClamAV to have them investigate further ?
http://cgi.clamav.net/sendvirus.cgi

Tim

Things have got to get better, they can't get worse, or can they?

truthseeker
truthseeker's picture
Offline
Last seen: 12 years 5 months ago
Joined: 2008-07-30 20:32
Tim, when you say, "Following

Tim, when you say, "Following your logic you can never be sure something in not infected and you should stop downloading files from the internet immediately.". That shows your reasoning is flawed and in error. And I will explain why.

Not "everything" is showing up as being infected with a Trojan, so your reasoning is flawed.

Secondly, Your comments come from childishness and insecurity, showing you are getting very defensive about portableapps.

Thirdly, grow up for goodness sake Tim before you make such a silly comment again using flawed reasoning.

I repeat, ONLY Gimp portable is showing up as being infected, not everything on my PC. So I will continue to use internet to download files, but as soon as they are indicated as being infected as your portableapps Gimp is, then they are removed immediately.

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Watch the attitude please !

You said "As you will admit, NO AV can detect every single new threat out there."

Which means that there could be a virus out there that is not detected by your AV or Any other, so logically it is dangerous to download anything.

and by the way, "...showing you are getting very defensive about portableapps"
I said absolutely nothing about portableapps.

And I ask again, "Have you actually tried to submit the sample to ClamAV to have them investigate further ?"

Try not to fall back into your old ways of just being annoying.

Tim

Things have got to get better, they can't get worse, or can they?

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Follow Up and Conclusion

As anticipated, the latest update to the ClamAV data base, 9277, from last night, has removed the False Positive for the installer and gimp-2.6.exe .

Much Thanks to whoever took the time to report it to them Wink

A full scan with ClamWin of Gimp shows it is clean, as it always was.

Tim

Things have got to get better, they can't get worse, or can they?

truthseeker
truthseeker's picture
Offline
Last seen: 12 years 5 months ago
Joined: 2008-07-30 20:32
ATTENTION: Tim

Tim,

1. Your reasoning is flawed again, showing your low awareness of not thinking outside the box. If an AV reports my PC as clean, I am happy and confident, even though I realise no AV detects everything. However, if an AV reports a Trojan as ClamWin did about Gimp, then I remove the program immediately.

2. Stop always getting so defensive when someone brings up a challenge about portablapps. It exposes your low self-esteem and insecurities. Instead handle feedback and challenges maturely, and not like a child.

3. Yes, submitted and now it shows as clean Smile So now I am using Gimp again Smile

4. Tim, stop being so annoying and so self-righteous and condescending. You are not above us common folk, so don't convince yourself you are someone special as you are not.

John T. Haller
John T. Haller's picture
Offline
Last seen: 5 hours 13 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Please Stop

It was a false positive, as has happened many times before, and will probably happen again. VirusTotal showing only 1 or 2 reports is an accepted indicator of a false positive throughout the tech world. If you choose another way, that's fine. But, in the future, please use our standard method of running it through VirusTotal and/or Jotti to determine whether it is a valid report before reporting it in the forums.

And please stop taking offense at every suggestion you receive. It seems like you were looking for a battle right from when someone first pointed out our standard policy on the support page. This is not necessary. People are here working together in the forums to make things better for everyone. Even if you perceive a slight, turn the other cheek, let it go, and move on. Every post is not a battle to be won. Everyone (you, Tim, myself, the other thread readers) has more important things we can be doing.

Sometimes, the impossible can become possible, if you're awesome!

Gizmokid2005
Gizmokid2005's picture
Offline
Last seen: 2 weeks 3 days ago
Developer
Joined: 2007-01-17 19:24
By saying that you can never

By saying that you can never be sure something is not infected, is not flawed. Why? There is not, I repeat NO antivirus that is 100% effective, so even if it says the file is safe, that doesn't mean that it is. It just means that particular antivirus/definition database didn't see it as an issue.

So, technically, TimClark was right in his comment. By trusting one antivirus over another, you are saying it's superior. Which in many cases it's not. Just see my post a few comments down about AV-Comparatives. And there-in lies the point. NOTHING is 100% effective at detecting viruses, nor is anything 100% effective at detecting that something isn't a virus, therefore reporting a false positive as we see here.

And, VirusTotal is not a third party program out there, they are more the standard in virus detection.

And please, keep your cool and stop the personal attacks.

jamcomm
Offline
Last seen: 15 years 2 months ago
Joined: 2009-07-24 14:51
Dodgy advice

That "support" page gives some seriously dodgy advice.

It's a bit like saying "If a program is detected as having a virus - it isn't really infected, just keep trying other antivirus programs until one doesn't detect it, and then you'll know you're safe".

It completely ignores the fact that an antivirus company might actually have found a new virus - and you've already been infected with it!

That "Support" page really should be updated to give better advice - atm, it's just plain dangerous.

It would be safer to say "quarantine the file in question, and do not run it, then check it again (with the same antivirus software) after 48 hours. If it was a false positive, the antivirus signatures will most likely have been updated within this time to prevent a false positive. If it's still detected, it could be a problem".

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Not sure what the "seriously

Not sure what the "seriously dodgy" advice is ?
Submitting a file for further testing is the logical thing to do if you got it from a site that you have a good amount of confidence in.

As I said above, "IF" after a day or two [you recommend 48hrs] the other AV vendors have not picked it up, that should raise the confidence level.
That is very different than trying to find ONE that says the file is ok.

Folks need to use logic, caution, and common sense.

Tim

Things have got to get better, they can't get worse, or can they?

Gizmokid2005
Gizmokid2005's picture
Offline
Last seen: 2 weeks 3 days ago
Developer
Joined: 2007-01-17 19:24
As is yours

Dodgy advice is far from the truth.

Just because the site says that you should test it with MORE than one av scanner, it DOES NOT say to keep scanning until you find a scanner that doesn't find it as an issue. In fact, here is what is said:

If you encounter a false positive, please test the file in another antivirus product before reporting the issue to us in the forums to ensure that it's not an error in their software.

That, is good, solid, true advice. It says to test the file with more than one scanner to ensure that it is not a false positive as many different scanners will find many different false positives as described by the third party organization AV-Comparative.

So, before you attack anything else on the site for being "dodgy advice", please ensure that you've read the item in question in its' entirety. You seem to have a habit of doing so on this site very often, without any true support or factual information to backup your opinions.

In the future, it would be good form and very courteous to keep your uninformed opinions to yourself before you accuse people/organizations of something that they have not done.

Thanks Smile

And to the OP - Yes, this is a false positive. It is VERY unlikely that John T. Haller would allow anything that could be potentially harmful to your computer be posted, hosted, and endorsed by PortableApps.com

spg SCOTT
spg SCOTT's picture
Offline
Last seen: 12 years 4 months ago
Joined: 2008-08-26 14:11
Ok...

@truthseeker,

Yes, I am hinting at a FP.

I will admit (and even suggest this myself) that NO av product will detect 100% of malware out there.

When I see this kind of thing, on the avast! forum, the first thing that I (and many others) will do is advise the user to upload it to virustotal etc. to confirm/correct the suspicious of the detection. In my experience, a file with a minimal amount of detections on something like virustotal is most likely a false positive.

Next is to send the file to the av company (in my case avast!) with the reasons why I believe that it is a FP. One of the main considerations in this case would be the fact that the involvement of not only John (et al) here, but Sourceforge and the gimp devs also.
(As suggested by Tim Clark also)
This will often result in the company responding with 'yes it is infected/no it is clean, we will correct it.'

@jamcomm,

I agree with Tim Clark and Gizmokid here, the advice is to investigate further, as opposed to ignore the issue, why would anyone suggest this?

@all,

I personally would not rely on clam as a first line of defense, mainly because it has no real time scanning. I will occasionally use it as a second opinion...
One other issue I have with Clam, is that they don't encrypt their virus database, causing other AVs to detect it and alert to it, up to the point where another av should have to implement a change on their side to resolve the issue...this should not be the way...

-Scott-

Wow...long post...sorry for the story guys...:lol:

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

Pyromaniac
Pyromaniac's picture
Offline
Last seen: 9 years 7 months ago
Developer
Joined: 2008-09-30 19:18
What have portableapps users come to???

Let me give you a short version...

There is (guaranteed) NO virus in any of the supported portableapps (period)

These are simply false positives that all these so called "anti-virus programs find"

If you just search the website you will find PLENTY of examples of false positives.

Topic locked