From: | "DePriest, Jason R." <jrdepriest AT gmail DOT com> |
Date: | Fri, 13 Nov 2009 22:04:52 -0600 |
Message-ID: | <31b7d2790911132004p4e80f1fp19accd304f1f327a@mail.gmail.com> |
Subject: | Re: Cygrunsrv behaviour triggers Anti-Virus Program |
To: | cygwin AT cygwin DOT com |
On Fri, Nov 13, 2009 at 8:05 PM, Dave Korn <> wrote:
> Andy Koppe wrote:
>> 2009/11/13 Jacob Jacobson:
>>> Output of Kaspersky Anti-Virus 6.0
>>>
>>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Process is trying to
>>> inject into another process. This behavior is typical of some malicious
>>> programs (Invader)
>>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE "Quarantine" action
>>> is selected
>>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Forced to terminate
>>> the process.
>>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE File quarantined.
>>>
>>> Output of Kaspersky Anti-Virus 6.0
>>
>> Send that to Kaspersky. Cygwin isn't gonna be changed to work around
>> that sort of crap.
>
>  BLODA in full effect.  It is designed to stop you running anything that
> behaves like forking, just in case what you were running wasn't meant to be
> doing that; therefore it is a crude and indiscriminate filter and must
> inevitably suffer false positives.
>
>  The problem is that there's no easy way for a simple-minded computer program
> to tell the difference between "suspicious process injecting itself into
> another", and "legitimate user-directed application attempting to emulate
> posix fork semantics".  It is unfortunate, but a lot of the things that Cygwin
> *has* to do are exactly like a lot of the things that some viruses do; hence
> we run up against the limits of heuristic behaviour blockers.
>
>    cheers,
>      DaveK

The real question is whether or not Kaspersky will let you exclude specific processes from this sort of inspection. If so, just exclude cygrunsrv.exe.

I routinely have to do this depending on what AV I am running. Heck, if I run the whole Comodo Security Suite, I get pages of prompts every time I run setup.exe and it changes files around. It's all "hey, bash is trusted, but it is doing something it didn't do yesterday and it has a different checksum."

Security is pain.

-Jason