Untangle ISO and Virus Inclusions

I know that firewall software requires virus signatures for scanning, but for some reason Windows (latest update function?) is now allowing ISOs to mount and be readable. So Bitdefender finds the Gen.Variant.Razy in the ISO, attempts to quarantine it, fails, and then I see that Untangle is now mounted as Debian in File Explorer.

Needless to say these were active payloads. Infection after infection. I just wiped and installed Linux and run Windows in a VM now.

I uploaded the package in question (*nsis-common.deb) to virustotal.com and the screen turned red. I contacted Untangle, who are usually quick to respond with support, but no response on this.

Do firewalls actually need active payloads embedded in their ISOs or are they just publishing bad ISOs?

Did you do any research about the file?
Google “nsis-common.deb”. You’ll see it is a program for creating Windows installer packages. Google “NSIS”. You’ll see it is a scripting-based installer system. It is also commonly used as part of making virus payloads. That’s why Windows antivirus considers it suspect. But the program itself is not an active virus payload, and is commonly available in multiple versions of the Debian repositories. When making a Linux install ISO, you essentially have to include a copy of the whole current repository tree, in case the user needs some odd program in order to get their computer online. So if you want to complain, do it towards Debian, not Untangle.

Edit: here’s the first result of googling “nsis virus”: https://nsis.sourceforge.io/NSIS_False_Positives

Thank you. I do understand it is an old scripting-install package; it loaded Gen.Variant.Razy onto my machine … and that just opened the flood gates.

I understand what you are saying, but Detection Engines should not be popping on it and it be active locally?

Download their ISO and try it yourself. I hope you are right and it is all false positives.

Virtualize it though lol

What evidence do you have of that? All you’ve said is that the ISO was mounted, your antivirus scanned what it saw as a new drive, it found what it thinks was a virus, and it failed to quarantine it because it was stored on a read-only “disk” (the ISO). Where did that virus get loaded on your machine? What floodgates were opened?

Ironically, Untangle logs :) … I already have the complete solution running on a Qotom box.

Honestly, I love the product. Maybe this is something odd that happened… The firewall itself appears to be running clean.

I just thought I would ask, being that I have always used prebuilt turnkey solutions.

What if… the logged activity is because your antivirus software also uploaded a copy of the file it thinks is malicious to its own cloud to be scanned, and Untangle saw that and logged it also? Can you share the logs with us?

Sorry, multitasking with a work conference at the moment. Will try to post some log snaps tonight.

Thanks for replying.

The ISO for 16.10 has been submitted to Virus Total and is marked clean.

Yeah, something seems a bit suspect here.

It could be the case that the Untangle ISO has had a virus slipped into it. That sort of thing does happen from time to time but it’s fairly rare.

Not entirely sure what you mean by “Windows is now allowing ISOs to mount” either. You have been able to mount “CD” ISOs since Windows 7, and DVD images I think since 8.

Also a little confused how the .deb file installed a virus on Windows. Not used LSFW yet; does that make you able to just run debs, automatically, without clicking on them?

Did you get the ISO from somewhere a little bit questionable?

I am not up to date on Windows, I usually just run a Linux desktop… but this forced working from home has forced Windows on me… so I didn’t know it could mount ISOs. I thought it just ignored them as some compressed archive file.

I’m used to seeing pentest frameworks pop during a scan, but that was my first regular (well, mostly regular) Linux ISO to pop alerts. I downloaded it from their site, matched the MD5 check. I wish they used a SHA256 and a Privacy Guard sig. I run dig on every site before I download an OS; everything appeared fine.

Untangle support said they “think” it’s a false positive, but they are still looking at it. I am not trying to waste their time, but they did not just dismiss it outright.

Somehow it became mounted after the BD scan. Again, I hate this Windows crap, hate it. Maybe my Bitdefender infected their ISO? Who knows. I’ll post a final update from them to close this thread out.

Thanks
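The post above checked the download against an MD5 and wished for a SHA256. An added example (not from the thread or from Untangle) of what that stronger check looks like, plus the follow-up triage for the flagged package: hash the ISO against a SHA256SUMS-style file, then hash every .deb found under the mounted ISO's pool/ tree and compare with expected SHA256 values (in practice taken from the Debian Packages index for that release). All file contents and hashes below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large ISOs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'sha256sum' output lines: '<64 hex chars>  <filename>' (or '*<filename>')."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            table[parts[1].lstrip("*").strip()] = parts[0].lower()
    return table


def verify_iso(iso_path, sums_text):
    """True only if the ISO's filename is listed and its hash matches."""
    expected = parse_sha256sums(sums_text).get(Path(iso_path).name)
    return expected is not None and sha256_file(iso_path) == expected


def verify_pool_packages(mount_root, expected):
    """Classify each .deb under pool/ as ok, mismatch or unexpected; list absent ones as missing."""
    results = {}
    for deb in Path(mount_root, "pool").rglob("*.deb"):
        want = expected.get(deb.name)
        got = sha256_file(deb)
        results[deb.name] = "unexpected" if want is None else ("ok" if got == want else "mismatch")
    for name in expected:
        results.setdefault(name, "missing")
    return results


def demo():
    """Constructed stand-in for a mounted ISO; the bytes are not real package data."""
    root = Path(tempfile.mkdtemp())
    pool = root / "pool" / "main" / "n" / "nsis"
    pool.mkdir(parents=True)
    (pool / "nsis-common_3.04-1_all.deb").write_bytes(b"!<arch>\nconstructed-nsis-common\n")
    (pool / "nsis_3.04-1_amd64.deb").write_bytes(b"!<arch>\nmodified-contents\n")
    (pool / "stray_0.1_all.deb").write_bytes(b"not in the expected table")
    iso = root / "untangle.iso"
    iso.write_bytes(b"constructed-iso-bytes")
    sums = f"{sha256_file(iso)}  untangle.iso\n"
    expected = {"nsis-common_3.04-1_all.deb": sha256_file(pool / "nsis-common_3.04-1_all.deb"),
                "nsis_3.04-1_amd64.deb": "0" * 64, "extra_1.0_all.deb": "1" * 64}
    return verify_iso(iso, sums), verify_pool_packages(root, expected)
```

A "mismatch" on a package that an AV engine also flags is the signal worth escalating; an "ok" against the upstream index points to a false positive on a legitimate file.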

Wrapping it up. Bitdefender still pops on it, but I will just accept it as a false positive. Untangle has not closed the ticket. I just uploaded this to them as well.

I am just going to accept this is a false positive from that product.

Thanks for all the replies.

Aw… well, here we go again…
Bitdefender popping 80+ alerts since first scan… and now Acronis True Image says it’s infected.
BD firewall allowing all kinds of connections through.

Can’t send the ISO file to Untangle.

ISO scan from VirusTotal shows nothing.

https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection

However, after writing the ISO to a bootable USB…
And it’s the same problem:
D:\pool\main\n\nsis\nsis-common_3.04-1_all.deb

VirusTotal Scan: https://www.virustotal.com/gui/file/306e83b492d3160be645ad62c70a42f84d33a4059fc7deaeedec7610b27f8c78/detection

So there ya go.

And I can’t mail it to Untangle because the mail security is picking it up (I have BD/Acronis turned off):

Final-Recipient: rfc822; support@untangle.com
Original-Recipient: rfc822;support@untangle.com
Action: failed
Status: 5.7.0
Remote-MTA: dns; aspmx.l.google.com
Diagnostic-Code: smtp; 552-5.7.0 This message was blocked because its content
presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0
https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0
message content and attachment content guidelines. dc8si2639847ejb.647 -
gsmtp

text/rfc822-headers

Date: Sat, 07 Nov 2020 09:02:14 +0000

Subject: Re: Your ticket with Untangle is pending Re: infected iso - linux and windows trojan and gen variants
Message-ID:
I
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_MHGtaCcGSX20u3HfjlSzqOTlty27NAvvfligiYYU"
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,
HTML_MESSAGE shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
mailout.protonmail.ch

Do we still think it’s false positives?

No, I think you either got a bad ISO somehow or had a virus on your Windows box.

I downloaded the ISO the same day you posted and it scans fine with Windows Defender.

Well I have high confidence that it is their ISO. This happened on 16.0.x. Then I downloaded 16.1 onto a brand new machine with the same behavior.

My router/firewall is Untangle 16.0.

I did some research on the Razy malware and it likes to hide itself inside compressed/archive-type files and typically evades a lot of scanners. I think it just got slipped into that commons lib file somehow. Not saying it’s their fault at all, but I don’t believe that I am infected.

And it could run just fine and not affect the function of the Untangle firewall itself.