axonasif/gearlock

Gearlock scripts detected as Trojan.Linux.Fubas.a virus in Bliss OS 11.13

samkhan13 opened this issue · 8 comments

Describe the bug

Kaspersky detected a number of Gearlock components as a virus titled Trojan.Linux.Fubas.a in "Bliss-v11.13--OFFICIAL-20201113-1525_x86_64_k-k4.19.122-ax86-ga-rmi_m-20.1.0-llvm90_dgc-t3_gms_intelhd.iso"

To Reproduce
Steps to reproduce the behavior:
Use Kaspersky Total Security to scan the above mentioned iso that was downloaded from https://blissos.org/

Expected behavior

An antivirus scanner shouldn't find a viral signature within packaged and promoted software. Kaspersky appears to think of various components of Gearlock as parts of a rootkit.

Desktop (please complete the following information):

  • OS: Bliss-v11.13

GearDump logs

Not Applicable

Additional context

Routine antivirus scan detected the issue.

Screenshots

[Screenshot: kaspersky-screenshot-bliss_os_11-3-trojan_virus_detected]

It might be because BlissOS 11.13 contains an old version of Gearlock, or your PC got infected with something.
I tried to pick a file from the list, core/smark.src/5, and all the antivirus scans report it as safe, even Kas
https://www.virustotal.com/gui/url/9feb71e675afd2c8d5d1b4b016363cdaac892aaffad321a7eb42ab8c551de6bf?nocache=1

Ironically, it's flagging a bunch of plain bash scripts as viruses, which are in fact readable code and not even compiled executables.

I don't have access to a Windows machine ATM to look over this, sorry. Although I should note that any Linux-specific program such as gearlock can't run under Windows normally, so nothing to worry about even if this isn't a false alert.

It might be because BlissOS 11.13 contains an old version of Gearlock.

It's actually not. The OhMyRam feature (a file with this name exists in his screenshot) was added in a very recent version of gearlock.


But it's 11.13, weird


After looking at the logs, the OhMyRam feature was added in the 6.8.9 release, so it's either exactly that version or above.

Another thing worth noting is that any file being uploaded to SourceForge gets scanned before actually appearing publicly.
Ref: https://sourceforge.net/blog/sourceforge-now-scans-all-projects-for-malware-and-displays-warnings-on-downloads/

Thank you for looking into this. Bliss OS team's GitHub page isn't allowing me to open an issue there. The compiled iso was indeed being detected as a trojan virus, but it's a false detection. The iso file was to be used in a virtual machine, so it wouldn't have been any kind of a problem for the base OS. This issue can be closed. Thanks again for looking into it :)

So what fix got it closed? Reporting the false positive to the virus databases?