I know that firewall software requires virus signatures for scanning, but for some reason Windows (latest update function?) is now allowing ISOs to mount and be readable. So, bitdefender finds it the Gen.Varian.Razy in the iso, attempts to quarantine it, fails, then I see that Untangle is now mounted as debian in File Explorer.
Needless to say these were active payloads. Infection after infection. I just wiped and installed linux and run windows in a vm now.
I uploaded the package in question (*nsis-common.deb) to virustotal.com and the screen turned red. I contacted Untangle, who are usually quick to respond with support, but no response on this.
Do firewalls actually need active payloads embedded in their ISOs or are they just publishing bad ISOs?
Did you do any research about the file?
Google “nsis-common.deb”. You’ll see it is a program for creating windows installer packages. Google “NSIS”. You’ll see it is a scripting based installer system. It is also commonly used as part of making virus payloads. That’s why windows antivirus considers it suspect. But the program itself is not an active virus payload, and is commonly available in multiple versions of the debian repositories. When making a linux install ISO, you essentially have to include a copy of the whole current repository tree, in case the user needs some odd program in order to get their computer online. So if you want to complain, do it towards Debian not Untangle.
What evidence do you have of that? All you’ve said is that the ISO was mounted, your antivirus scanned what it saw as a new drive, it found what it thinks was a virus, and it failed to quarantine it because it was stored on a read-only “disk” (the ISO). Where did that virus get loaded on your machine? What floodgates were opened?
What if… the logged activity is because your antivirus software also uploaded a copy of the file it thinks is malicious to its own cloud to be scanned, and Untangle saw that and logged it also? Can you share the logs with us?
It could be the case that the Untangle ISO has had a virus slipped into it. That sort of thing does happen from time to time but it’s fairly rare.
Not entirely sure what you mean by “Windows is now allowing ISOs to mount” either. You have been able to mount “cd” ISOs since Windows 7 and DVD images I think since 8.
Also a little confused how the .deb file installed a virus on Windows. Not used LSFW yet, does that make you able to just run debs, automatically, without clicking on them?
Did you get the ISO from somewhere a little bit questionable?
I am not up to date on Windows, I usually just run a Linux desktop…but this forced working from home has forced Windows on me…so I didn't know it could mount ISOs. I thought it just ignored them as some compressed archive file.
I'm used to seeing pentest frameworks pop during a scan, but that was my first regular (well, mostly regular) Linux ISO to pop alerts. I downloaded it from their site, matched the md5 check. I wish they used a sha256 and a Privacy Guard sig. I run dig on every site before I download an OS; everything appeared fine.
Untangle support said they “think” it's a false positive, but they are still looking at it. I am not trying to waste their time, but they did not just dismiss it outright.
Somehow it became mounted after the BD scan. Again, I hate this Windows crap, hate it. Maybe my Bitdefender infected their ISO? Who knows. I'll post a final update from them to close this thread out.
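The check this post wishes for, as an added example that is not part of the thread and not Untangle's own tooling: verify a downloaded ISO against a published SHA-256 rather than MD5, and, where gpg is installed, check the vendor's signature over the checksum list before trusting any value in it. The file names, the stand-in "ISO" contents and both checksum values below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a published SHA-256 checksum
# (not Untangle's tooling; file names and values below are constructed).

# Compute the SHA-256 of a file with whichever tool the system provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_iso <iso_path> <expected_sha256>
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_iso() {
  iso="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise hex case
  [ -f "$iso" ] || { echo "missing: $iso" >&2; return 2; }
  actual=$(sha256_of "$iso")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $iso matches the published SHA-256"
    return 0
  fi
  echo "MISMATCH: $iso" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# verify_sums_signature <checksum_file> <detached_signature>
# Checks the vendor's signature over the checksum list, so a tampered list
# (and a matching tampered ISO) is caught before any checksum is compared.
# Returns 3 when gpg is not installed; the vendor's key must already be
# imported for a real check.
verify_sums_signature() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; return 3; }
  gpg --verify "$2" "$1"
}

# Constructed demo: a stand-in "ISO" holding the text "hello", whose SHA-256
# is known, plus a deliberately wrong expected value.
demo_dir=$(mktemp -d)
printf 'hello' > "$demo_dir/demo.iso"
GOOD_SHA='2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'
BAD_SHA='0000000000000000000000000000000000000000000000000000000000000000'

verify_iso "$demo_dir/demo.iso" "$GOOD_SHA"                      # OK
verify_iso "$demo_dir/demo.iso" "$BAD_SHA" || echo "(expected failure)"
```

In practice the published checksum comes from a SHA256SUMS file fetched from the vendor's site, and `verify_sums_signature SHA256SUMS SHA256SUMS.sig` runs first; only after the signature checks out is `verify_iso` worth running.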
Wrapping it up. Bitdefender still pops on it, but I will just accept it as a false positive. Untangle has not closed the ticket. I just uploaded this to them as well.
I am just going to accept this is a false positive from that product.
Aw…well here we go again …
Bitdefender popping 80+ alerts since first scan …and now Acronis True Image says it's infected
BD firewall allowing all kinds of connections through
Subject: Re: Your ticket with Untangle is pending Re: infected iso - linux and windows trojan and gen variants
Message-ID:
I
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1_MHGtaCcGSX20u3HfjlSzqOTlty27NAvvfligiYYU"
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,
HTML_MESSAGE shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
mailout.protonmail.ch
Well I have high confidence that it is their ISO. This happened on 16.0.x. Then I downloaded 16.1 onto a brand new machine with the same behavior.
My router/firewall is Untangle 16.0.
I did some research on the Razy malware and it likes to hide itself inside compressed/archive type files and typically evades a lot of scanners. I think it just got slipped into that commons lib file somehow. Not saying it's their fault at all, but I don't believe that I am infected.
And it could run just fine and not affect the function of the Untangle firewall itself.