[SOLVED] AV Dr.Web for Linux identified two viruses in WPS-Office
edson1967
deepin
2020-07-12 04:40
Author
Edited by edson1967 at 2020-7-13 19:06

Hello Team UOS Deepin V20 Beta

AV Dr.Web for Linux identified two viruses in WPS-Office when installing via flatpak
The files were sent to the Dr.Web team and I am waiting for a response to make sure it is not a false positive.

Here are the data and images of the "viruses":
Threat: Trojan.Inject2.38336
Isolated: 10/07/2020 21:56
Quarantine type: System

Object name: c5b879b26f88aec08b4d7926b178e9491ee895326762a6149b185e55eaab36.file
Owner: root
Modified: 31/12/1969 21:00
Size: 320.50 KB

Origin path:
/var/lib/flatpak/repo/objects/f5/c5b879b26f88aec08b4d7926b178e9491ee895326762a6149b185e55eaab36.file

*********************

Threat: Exploit.Siggen.24070
Isolated: 10/07/2020 21:55
Quarantine type: System

Object name: f4254f56f15ead9f08be82d060fa0eb8b47dc2b7030f79553d2eee0e70c26f.file
Owner: root
Modified: 31/12/1969 21:00
Size: 601.50 KB

Origin path:
/var/lib/flatpak/repo/objects/eb/f4254f56f15ead9f08be82d060fa0eb8b47dc2b7030f79553d2eee0e70c26f.file

************************

All Replies
SamLukeYes
deepin
2020-07-12 04:50
#1
Last edited by samlukeyes123 at 2020-7-11 20:55

Let's at a WPS developer, though I don't know whether he's active currently.
https://bbs.deepin.org/user/129823
神末shenmo
deepin
Spark-App
2020-07-12 05:05
#2
A little shocked when hearing that https://bbs.deepin.org/user/129823
SamLukeYes
deepin
2020-07-12 05:29
#3
You can also post an issue here: https://github.com/flathub/com.wps.Office/issues
edson1967
deepin
2020-07-12 05:35
#4
https://bbs.deepin.org/post/197044
A little shocked when hearing that @cryfeifei

No doubt we are shocked by this type of information, but I believe it is not a false positive, as I have tried numerous times to install wps-office on Windows 10 with AV Eset Internet Security and it does not even allow the installer to be downloaded from the official website. When I tried disabling AV Eset and installing the file, it also flagged viruses in wps-office and did not allow its installation.

This episode was reported here:
It's in Brazilian Portuguese, but just translate

https://twitter.com/edsonmartim/status/1230635219037847552

https://twitter.com/edsonmartim/status/1225203675775295489/photo/1

edson1967
deepin
2020-07-12 06:04
#5
https://bbs.deepin.org/post/197044
You can also post an issue here: https://github.com/flathub/com.wps.Office/issues

Thanks for pointing the way, samlukeyes

Just sent
DavidTavares
deepin
2020-07-12 06:07
#6
I use the deb file for WPS Office and I don't have this. Did you try?
SamLukeYes
deepin
2020-07-12 06:16
#7
Last edited by samlukeyes123 at 2020-7-11 22:36

I'm using wps-office from ArchlinuxCN repo (the same PKGBUILD can also be found on AUR). Just scanned all the files owned by wps-office using ClamAV, but no virus detected. The Arch package is built from the official Debian package.
edson1967
deepin
2020-07-12 06:57
#8
https://bbs.deepin.org/post/197044
I use the deb file for WPS Office and I don't have this. Did you try?

Hello

I prefer the updates coming from the official repositories, whether from the Deepin UOS store, flatpak or snap.
As the deepin store never has the latest updated versions of applications, with rare exceptions, I ended up installing this version of wps-office via flatpak to see how it works, and that is when I found this.
edson1967
deepin
2020-07-12 07:08
#9
https://bbs.deepin.org/post/197044
Last edited by samlukeyes123 at 2020-7-11 22:36

I'm using wps-office from ArchlinuxCN repo (the  ...

The experience at the time was installing the wps-office via flatpak

I have also installed wps-office on the updated Archlinux Deepin and Arcolinuxb-deepin and do not have the same problem, but Dr.Web detected an exploit in the translation files, as seen below. I also reported it to the Dr.Web laboratory for analysis.

Threat: Exploit.Siggen.24070
Isolated: 09/07/2020 14:32
Quarantine type: System

Object name: Business Plan.dpt
Owner: edson
Modified: 07/07/2020 12:03
Size: 601.50 KB

Origin path:
/var/tmp/pamac-build-edson/wps-office-mui/src/ja_JP/templates/wpp/business/Business Plan.dpt

Try installing this wps-office flatpak using AV Dr.Web for Linux.

Thanks for the feedback
神末shenmo
deepin
Spark-App
2020-07-12 16:18
#10
https://bbs.deepin.org/post/197044
The experience at the time was installing the wps-office via flatpak

I have also installed the wp ...

I think that was misinformation.
Since very little Chinese software is used outside China, sometimes they think it is a virus.
I've tried some Chinese anti-virus software like 360; the result was no virus found.
edson1967
deepin
2020-07-12 21:31
#11
Edited by edson1967 at 2020-7-12 02:44
https://bbs.deepin.org/post/197044
I think that was misinformation.
Since very little Chinese software is used outside China, sometimes ...

Hello shenmo

Eset and Dr.Web are two reputable companies in the information security market and would not be liable to create false positives if there were no grounds.

More information on this is available on the wps-office git website.
https://github.com/wps-community/wps_i18n/issues/411
https://github.com/flathub/com.wps.Office/issues/74#issuecomment-657072287

360 does not yet match the level of security of these companies, nor does Microsoft's antivirus.
edson1967
deepin
2020-07-14 14:04
#12
Hello Deepin UOS V20 Beta Team

I just received an email from the Dr.Web team about the files flagged as viruses, saying they do not present a danger to the system.

Greetings,

Your submission has been analyzed. This file presents no threat to your system.

Thank you for the cooperation.

To receive notifications in Russian, send an empty message to [email protected]
--
Yours sincerely,
Virus Monitoring Service
Doctor Web Ltd.

Category: SUSPICIOUS FILE
-------------------Request-------------------------------------
Hello,

User sent us a suspicious file.
User ip:
User agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
User comment:
User language: en
User email:
Original file name: qentry_Business Plan.dpt.txt
File size: 280
File time: 2020-07-11 06:46:59
File mime type: text/plain
MD5: bea102c68c025b712645e40e0d9800f5
SHA1: b174f3c634ef69e2b586238136f32ba9a184513e
--
WBR, send-suspic-file.pl v2

****************************************
Hello,

User sent us a suspicious file.
User ip:
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
User comment:
User language: en
User email:
Original file name: qentry_f4254f56f15ead9f08be82d060fa0eb8b47dc2b7030f79553d2eee0e70c26f.file.txt
File size: 337
File time: 2020-07-11 04:39:18
File mime type: text/plain
MD5: ff68b3c772cfcb27970494494d6c42c3
SHA1: 86f7244e725db484181f9e165d9004a49fe648eb
--
WBR, send-suspic-file.pl v2

*************************************
Hello,

User sent us a suspicious file.
User ip:
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
User comment:
User language: en
User email:
Original file name: qentry_c5b879b26f88aec08b4d7926b178e9491ee895326762a6149b185e55eaab36.file.txt
File size: 337
File time: 2020-07-11 04:39:58
File mime type: text/plain
MD5: 800c6d987e11f11acebe119743d5afab
SHA1: 6fdb92e678c2091b8e719c4a3b04010c7da0d482
--
WBR, send-suspic-file.pl v2

Your Considerations

Edson