This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Cygrunsrv behaviour triggers Anti-Virus Program


On Fri, Nov 13, 2009 at 8:05 PM, Dave Korn <> wrote:
> Andy Koppe wrote:
>> 2009/11/13 Jacob Jacobson:
>>> Output of Kaspersky Anti-Virus 6.0
>>>
>>> 11/13/2009 1:03:09 PM C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Process is trying to
>>> inject into another process. This behavior is typical of some malicious
>>> programs (Invader)
>>> 11/13/2009 1:03:09 PM C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE "Quarantine" action
>>> is selected
>>> 11/13/2009 1:03:09 PM C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Forced to terminate
>>> the process.
>>> 11/13/2009 1:03:09 PM C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE File quarantined.
>>>
>>> Output of Kaspersky Anti-Virus 6.0
>>
>> Send that to Kaspersky. Cygwin isn't gonna be changed to work around
>> that sort of crap.
>
> BLODA in full effect.  It is designed to stop you running anything that
> behaves like forking, just in case what you were running wasn't meant to be
> doing that; therefore it is a crude and indiscriminate filter and must
> inevitably suffer false positives.
>
> The problem is that there's no easy way for a simple-minded computer program
> to tell the difference between "suspicious process injecting itself into
> another", and "legitimate user-directed application attempting to emulate
> posix fork semantics".  It is unfortunate, but a lot of the things that Cygwin
> *has* to do are exactly like a lot of the things that some viruses do; hence
> we run up against the limits of heuristic behaviour blockers.
>
>     cheers,
>       DaveK
>
>
> --

The real question is whether or not Kaspersky will let you exclude
specific processes from this sort of inspection.  If so, just exclude
cygrunsrv.exe.

I routinely have to do this depending on what AV I am running.  Heck,
if I run the whole Comodo Security Suite, I get pages of prompts every
time I run setup.exe and it changes files around.  It's all "hey, bash
is trusted, but it is doing something it didn't do yesterday and it
has a different checksum."

Security is pain.

-Jason

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
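A small triage helper for behaviour-blocker logs of the kind quoted in this thread (an added example; not code from the thread, Kaspersky or the Cygwin project). It parses lines in the shape of the Kaspersky 6.0 output above, groups them by executable, and marks processes that tripped the "Invader" inject heuristic from the Cygwin bin directory as probable fork-emulation false positives worth a per-process exclusion, while anything from elsewhere is left for investigation. The sample lines, the whitespace field separator and the trusted directory are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Kaspersky Anti-Virus 6.0 lines quoted in the
# thread; the separator between timestamp and path is assumed to be whitespace.
SAMPLE_LOG = """\
11/13/2009 1:03:09 PM C:\\WIN\\CYGWIN\\BIN\\CYGRUNSRV.EXE Process is trying to inject into another process. This behavior is typical of some malicious programs (Invader)
11/13/2009 1:03:09 PM C:\\WIN\\CYGWIN\\BIN\\CYGRUNSRV.EXE "Quarantine" action is selected
11/13/2009 1:03:09 PM C:\\WIN\\CYGWIN\\BIN\\CYGRUNSRV.EXE Forced to terminate the process.
11/13/2009 1:03:09 PM C:\\WIN\\CYGWIN\\BIN\\CYGRUNSRV.EXE File quarantined.
11/13/2009 1:07:41 PM C:\\USERS\\BOB\\DOWNLOADS\\UNKNOWN.EXE Process is trying to inject into another process. This behavior is typical of some malicious programs (Invader)
"""

# Directories whose binaries legitimately emulate fork() (assumed Cygwin install root).
TRUSTED_DIRS = ("C:\\WIN\\CYGWIN\\BIN\\",)

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<path>\S+\.exe)\s+(?P<msg>.+)$", re.IGNORECASE)
INJECT_RE = re.compile(r"trying to inject into another process", re.IGNORECASE)


def parse_events(log_text):
    """Group behaviour-blocker lines by executable path (upper-cased for matching)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not fit the format are skipped, never guessed at
            events[m["path"].upper()].append((m["ts"], m["msg"]))
    return events


def triage(log_text, trusted_dirs=TRUSTED_DIRS):
    """Return a verdict per process on which the inject ('Invader') heuristic fired."""
    verdicts = {}
    for path, evs in parse_events(log_text).items():
        if not any(INJECT_RE.search(msg) for _, msg in evs):
            continue  # other events for this process are not what the thread is about
        quarantined = any("quarantined" in msg.lower() for _, msg in evs)
        trusted = any(path.startswith(d.upper()) for d in trusted_dirs)
        verdict = ("likely false positive: fork emulation; consider per-process exclusion"
                   if trusted else "investigate: untrusted location")
        verdicts[path] = {"verdict": verdict, "quarantined": quarantined, "events": len(evs)}
    return verdicts


if __name__ == "__main__":
    for path, info in triage(SAMPLE_LOG).items():
        print(f"{path}: {info['verdict']} (quarantined={info['quarantined']}, events={info['events']})")
```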

