Issue with Putty Download

Hello, Fixlet ID 12300301 appears to have an issue. When we download the 32-bit PuTTY cab file with the SHA256 value that starts with 96a49ec17, the AV solution is flagging that file as a Trojan.

Acknowledged.

VirusTotal only flags it on four of their thirty or so file scanners per https://www.virustotal.com/gui/file/96a49ec17e2de11e54bc93b7875f329fbfc1c5093e0fd9388d9cf69ad0fd78a3

I am seeing reports that last month a trojanized version of PuTTY was distributed through WhatsApp, but that version was not digitally signed, does not match these hashes, and should flag a different trojan. The version we’re downloading is linked from the official PuTTY page, is digitally signed, and the hash matches what we’re expecting.

My early impression is this may be a false-positive.

Please raise an issue with your antivirus vendor and request deeper analysis. I will see whether we can find any more on our end.


Some notes from the publisher and primary developer of PuTTY: it seems many versions get flagged by a few vendors, but with no real explanation as to why… https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/false-positive-malware.html


I’ve exhausted my options in investigating this, and don’t see anything for us to change on the BigFix side.
I can verify that the file has a valid digital signature from the expected signer, and is the version currently published by the PuTTY project. It appears to be the correct file that we expect.

A re-analysis from VirusTotal still shows detections in 4 of 59 antivirus products. The 4 detections appear to be generic heuristic behaviors. The one named detection, “Trojan.Zenpak.Win32.9506” from Zillya, is also a threat that should be detected by Windows Defender, and Defender is not flagging the PuTTY download as malicious.

Of course, risk analysis needs to be performed on your own systems but I don’t see anything else for us to pursue on our end.


Jason,

Thanks for responding so quickly regarding this issue. Short term, we have globally hidden the fixlet.


I do wonder if PuTTY itself is actually what is being considered malicious, since it could be used as a hacking tool? Not that it contains malicious code, but that its being present at all could be the sign of something malicious? I say this because it seems like it is the MSI itself that is getting flagged as malicious, which seems dubious. I would expect the EXE inside the MSI to be flagged as malicious, and if the MSI is flagged as malicious, then it would only be because it contains a malicious EXE.

There is an added part to all of this: because these are upgrade fixlets, they are only relevant on systems that already have PuTTY installed. So if you already have PuTTY installed, and PuTTY is bundling malicious code in its binaries and has been for a while now, then you already have that malicious code on your system. We are just providing a mechanism to upgrade it to the newest version. If you feel that PuTTY is malicious, then you would need to investigate every system that our fixlet is already relevant on, because they already have it installed, just an earlier version.

We can only assert that our prefetches and hash checks prevent the file from being modified between you and the vendor, as long as our hashes match the official installer. We are doing some validations on our end, but it is hard for us to be certain something is benign. We have NOT created update content for software that bundles adware, because that is not great, but if you have that software installed in your environment, then you most likely already have the adware it bundles installed. I have considered making an audit-only fixlet to point out that software that bundles adware is detected if a system is relevant to it, but that is also complicated.
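The checks the thread relies on (the prefetch hash comparison, the Authenticode signature from the expected signer, and the question of whether the MSI container or an executable inside it is what the scanner objects to) can be reproduced locally before opening a ticket with the AV vendor. The script below is an added example written for this page; it is not BigFix's or the PuTTY project's code. The default hash is the full SHA256 from the VirusTotal link earlier in the thread; the file path, the scratch directory and the expected signer subject string are placeholders you must supply, and the thread does not state the signer's subject, so that value is an assumption.

```powershell
# Added example (not BigFix or PuTTY project code). Verifies a downloaded installer
# the way the thread describes: SHA256 against the hash the fixlet prefetch expects,
# Authenticode signature and signer, and, for an MSI or CAB, an extraction so the
# binaries inside can be hashed and signature-checked separately from the container.
# Assumptions: $Path, $ExtractDir and $ExpectedSignerPattern are placeholders.
param(
    [Parameter(Mandatory)] [string] $Path,
    # Full SHA256 from the VirusTotal link in this thread.
    [string] $ExpectedSha256 = '96a49ec17e2de11e54bc93b7875f329fbfc1c5093e0fd9388d9cf69ad0fd78a3',
    # Assumption: replace with the subject string you expect on the signing certificate.
    [string] $ExpectedSignerPattern = '<expected signer subject>',
    # Assumption: scratch directory for unpacking the container.
    [string] $ExtractDir = (Join-Path $env:TEMP 'installer-extract')
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

function Test-Binary {
    param([string] $File, [string] $ExpectedHash)
    $hash = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig  = Get-AuthenticodeSignature -LiteralPath $File
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        File        = $File
        Sha256      = $hash
        HashMatches = if ($ExpectedHash) { $hash -eq $ExpectedHash.ToLowerInvariant() } else { $null }
        SigStatus   = $sig.Status
        Signer      = $subject
        # 'Valid' means the chain verified and the bytes are unchanged since signing;
        # it says nothing about whether the signed content is benign.
        SignerOk    = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSignerPattern*")
        VirusTotal  = "https://www.virustotal.com/gui/file/$hash"
    }
}

# 1. The container the fixlet downloads. This is the same comparison the prefetch
#    performs, so a mismatch means the bytes differ from what the fixlet promised.
$outer = Test-Binary -File $Path -ExpectedHash $ExpectedSha256
$outer | Format-List

# 2. Unpack the container so each embedded binary can be judged on its own. This
#    separates "the MSI is detected" from "an EXE inside the MSI is detected".
$ext   = [IO.Path]::GetExtension($Path).ToLowerInvariant()
$inner = @()
if ($ext -in '.msi', '.cab') {
    New-Item -ItemType Directory -Force -Path $ExtractDir | Out-Null
    if ($ext -eq '.msi') {
        # An administrative install unpacks the payload without installing or registering anything.
        $msiArgs = '/a', "`"$Path`"", '/qn', "TARGETDIR=`"$ExtractDir`""
        $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    } else {
        # expand.exe ships with Windows and unpacks every member of a cabinet.
        $p = Start-Process -FilePath expand.exe -ArgumentList '-F:*', "`"$Path`"", "`"$ExtractDir`"" -Wait -PassThru
    }
    if ($p.ExitCode -ne 0) { throw "Extraction failed with exit code $($p.ExitCode)" }
    $inner = Get-ChildItem -LiteralPath $ExtractDir -Recurse -File -Include *.exe, *.dll, *.msi |
        ForEach-Object { Test-Binary -File $_.FullName }
    $inner | Format-Table File, SigStatus, SignerOk, Sha256 -AutoSize
}

# 3. Verdict line to paste into the ticket with the AV vendor.
if (-not $outer.HashMatches) {
    'RESULT: hash mismatch; this is not the file the fixlet expects. Do not deploy.'
} elseif (-not $outer.SignerOk) {
    "RESULT: hash matches but the signature check failed ($($outer.SigStatus)); confirm the signer before deploying."
} elseif ($inner | Where-Object { -not $_.SignerOk }) {
    'RESULT: container is the expected signed build, but some embedded binaries are unsigned or signed by someone else; review those files.'
} else {
    'RESULT: container and embedded binaries match the expected signed build; treat the AV detection as a suspected false positive and escalate with these hashes.'
}
```

Run it as `.\Check-Installer.ps1 -Path C:\path\to\download.msi -ExpectedSignerPattern '<subject>'`. The per-file SHA256 values it prints are what to submit alongside the VirusTotal link, and the extracted copies give the vendor something narrower than "the installer" to re-analyse. A hash match plus a valid signature from the expected signer is the strongest evidence available locally that the file is the vendor's own build; as the thread notes, it cannot prove the build itself is benign.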