
Piero Bosio Social, personal web site (Fediverse)

Federated social forum with the rest of the world. Instances don't count, people do.
#ClamAV is falsely reporting that #PuTTY 0.83 is infected with malware: allegedly the "Win.Exploit.Marte-10058127-0" virus. We were notified this morning: the ClamAV database entry is brand new. But the binary it accuses is six months old.

As usual, we believe this report is a falsehood. PuTTY has a long history of being insulted by virus checkers, and we've never worked out why, though we have a number of theories in our wishlist page for the phenomenon https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/false-positive-malware.html.

In this case, the analysis in the screenshot shows that the identification is based on finding particular _text strings_ in the binary. Those text strings are the names of PuTTY source files, baked into the executable by something in the build process (most likely __FILE__, via assert statements). The full pathname includes a randomised build directory name created by mkstemp(), which identifies these strings as ones that would appear _only_ in the release build of PuTTY 0.83 – any other build would have chosen a different build directory. So this alleged virus signature is actually a signature of that particular PuTTY binary build.

Of course, I've submitted a false-positive report. (Quite a grumpy one, since this isn't the first time.) But I do wonder how this keeps happening. I could certainly believe that putty.exe was reused unchanged by some actual malware, and then somehow the signature of putty.exe got into the virus db entry instead of the signature of anything specific to the malware. But another possibility is that someone is maliciously making these database entries. I wonder if there's any way to tell which is true.
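As an added example (not code from the post or from the PuTTY project), here is a defender-side triage script in Python that does what the screenshot analysis above did by hand: it extracts the printable strings from a sample and labels the strings a signature keys on, so that a signature built only from source-file paths sharing one randomised build directory is recognised as a fingerprint of a single build rather than of malicious behaviour. The temp-directory template, the sample file contents and the signature strings are constructed assumptions.

```python
import re
import string

# Constructed stand-in for what `strings putty.exe` would yield; it is not a
# real PuTTY build. The paths carry a made-up random build directory token.
SAMPLE_BINARY = (
    b"\x00\x01MZ\x90\x00"
    b"/tmp/build-k3Zx9Q/windows/window.c\x00"
    b"\xff\x10assertion failed\x00"
    b"/tmp/build-k3Zx9Q/ssh/kex2-client.c\x00"
    b"PuTTY-Release-0.83\x00\x07\x08"
    b"C:\\Windows\\System32\\kernel32.dll\x00"
)

PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

# Assumed template: fixed prefix plus the six random characters that a
# mkstemp()/mkdtemp() "XXXXXX" template expands to, then a C/C++ source path.
BUILD_PATH_RE = re.compile(r"^/tmp/build-(?P<token>[A-Za-z0-9]{6})/.+\.(?:c|h|cc|cpp)$")

def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    out, run = [], bytearray()
    for b in blob + b"\x00":  # trailing sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out

def build_dir_tokens(blob: bytes) -> set[str]:
    """Random directory tokens in source-path strings; one token means one build."""
    return {m.group("token") for s in extract_strings(blob)
            if (m := BUILD_PATH_RE.match(s))}

def assess_signature(blob: bytes, signature_strings: list[str]) -> dict[str, str]:
    """Label each signature string: build-path artefact, other, or absent."""
    found = set(extract_strings(blob))
    return {s: "absent" if s not in found
            else "build-path artefact" if BUILD_PATH_RE.match(s) else "other"
            for s in signature_strings}

def is_build_fingerprint(blob: bytes, signature_strings: list[str]) -> bool:
    """True when every string the signature relies on is a build-path artefact."""
    labels = assess_signature(blob, signature_strings)
    return bool(labels) and all(v == "build-path artefact" for v in labels.values())
```

A signature whose strings all share one build token matches exactly one build of the program, which is the situation the post describes; a string labelled "other" or "absent" is what a behaviour-based detection would need instead.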
