Minishift detected as malware

[sobkowiak]

General information

• Minishift version: 1.25.0
• OS: Windows
• Hypervisor: VirtualBox

Steps to reproduce

1. Invoke any command using minishift

Expected

Command successfully invoked

Actual

Each time following window is opened by Symantec

It looks like the latest executable is no more signed

The previous versions were signed by Red Hat

The executable is now detected as malware. I have got following email from my security department

SOC team noticed Command and Control domain ummydownloader.com detected for user : ksobkowi and last ip address of system is 10.42.16.43

PFB details of malicious connection.

Endpoint : CE16231

Malicious Files
File Name : minishift.exe
Path : c:\trainings\ocp
Certificate : Not Available
Blocked : No

SOC recommendations:

Kindly contact onsite support team to delete the malicious file and perform below actions:

- Make sure  system has updated with latest Antivirus Signature and Version  
- Make sure system has updated with latest Microsoft patches.
- Remove malicious software’s from system if any.
- Run full system scan and make sure there is no infection.

Was it intended that the executable is no more signed?

[gbraad]

Can you provide the SHA1 and download location of this binary?

[gbraad]

#2911, #2912, #2913 are duplicates

[sobkowiak]

Downloaded from https://github.com/minishift/minishift/releases/download/v1.25.0/minishift-1.25.0-windows-amd64.zip

SHA1:

9abed6c6ef0d59cf6c6e9b41dbcf313a622c697a *minishift-1.25.0-windows-amd64.zip

[anjannath]

Where did you get the minishift executable? you can check the sha256sum of the archives in the release page. https://github.com/minishift/minishift/releases

…

On Mon, Oct 22, 2018 at 10:47 AM Krzysztof Sobkowiak < ***@***.***> wrote: General information - Minishift version: 1.25.0 - OS: Windows - Hypervisor: VirtualBox Steps to reproduce 1. Invoke any command using minishift Expected Command successfully invoked Actual Each time following window is opened by Symantec [image: grafik] <https://user-images.githubusercontent.com/803814/47278202-4fdea680-d5c7-11e8-95fa-6f5fdf594ba1.png> It looks like the latest executable is no more signed [image: grafik] <https://user-images.githubusercontent.com/803814/47278212-65ec6700-d5c7-11e8-8caa-6af4a3e78d33.png> The previous versions were signed by Red Hat [image: grafik] <https://user-images.githubusercontent.com/803814/47278224-7d2b5480-d5c7-11e8-9c7e-defd07905e73.png> The executable is now detected as malware. I have got following email from my security department SOC team noticed Command and Control domain ummydownloader.com detected for user : ksobkowi and last ip address of system is 10.42.16.43 PFB details of malicious connection. Endpoint : CE16231 Malicious Files File Name : minishift.exe Path : c:\trainings\ocp Certificate : Not Available Blocked : No SOC recommendations: Kindly contact onsite support team to delete the malicious file and perform below actions: - Make sure system has updated with latest Antivirus Signature and Version - Make sure system has updated with latest Microsoft patches. - Remove malicious software’s from system if any. - Run full system scan and make sure there is no infection. Was it intended that the executable is no more signed? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2914>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AIeV7sxbTcYpsNXfbeuuyTzxJk4uHuwEks5unVTxgaJpZM4Xy1_-> .

-- ANJAN J NATH nathearthling.me

[sobkowiak]

I have downloaded from this url https://github.com/minishift/minishift/releases/download/v1.25.0/minishift-1.25.0-windows-amd64.zip

Here the sums

ksobkowi@CE16231 MINGW64 /c/trainings/ocp
$ sha256sum.exe minishift-1.25.0-windows-amd64.zip
256fc7e039234ba34e15cb18837f054c9e2239aff81cd34af9cb4ca44f07eaf6 *minishift-1.25.0-windows-amd64.zip

ksobkowi@CE16231 MINGW64 /c/trainings/ocp
$ sha1sum.exe minishift-1.25.0-windows-amd64.zip
9abed6c6ef0d59cf6c6e9b41dbcf313a622c697a *minishift-1.25.0-windows-amd64.zip

[praveenkumar]

@sobkowiak Also what I am suspecting is, you used to use CDK (downstream product) (https://developers.redhat.com/products/cdk/download/) which have signed binary from Red Hat side and you shift to upstream minishift.

[sobkowiak]

My screenshot was for oc, not minishift. But there is still a problem that 1.25.0 is detected as malware, but the older versions not

[praveenkumar]

@sobkowiak we didn't change anything in the process for creating the binary, that is done using the CI, not a manual process, oc binaries are still signed as usual and older version of minishift is also not signed so I am not sure why Symantec doesn't show same with the older version.

[gbraad]

maybe we are dealing with a false negative (or false positive depending on the viewpoint) Have the binary scanned by another scanner

[gbraad]

The sha is identical with https://github.com/minishift/minishift/releases/download/v1.25.0/minishift-1.25.0-windows-amd64.zip.sha256

This binary was produced in and uplodaed from a clean environment (CI). it would seem unlikely something got added in the process. i have not been able to find anything.

[gbraad]

Please collect findings here, @gh0st.

It seems #2948 Trend Micro reports it as Ransomware

[gbraad]

Perhaps this is related to the intermediate proxy functionality we added

This indication happened after the v1.24 release.

[LalatenduMohanty]

@gh0st @sobkowiak Can you check if you are seeing the same issue with 1.26.1 version of Minishift https://github.com/minishift/minishift/releases/tag/v1.26.1

[anjannath]

@gh0st Which trend micro product do you use, is their free RansomBuster or is it one of the generic anti virus/network security product?

[anjannath]

@sobkowiak So in order to find out why it is been flagged as unsafe, i installed Endpoint Protection Manager and exported the client binary and installed in the same system, but i did not get any warning or error. [Screen-shots are attached]

I guess this might be related to some custom policies that your organization have, in order to debug this further please provide us with more details, maybe also scan that binary in virustotal.com to eliminate any false positives.

The version of Endpoint Protection Manager i tried was: 1.14.1023.0100 you can get the version by launching Symantec Endpoint Protection -> then click on Help -> Click on About
and the definitions are of 10/29/18r7

[anjannath]

@sobkowiak Are you able to run minishift without any issues now? please let us know the version of endpoint protection that flagged it as malware.

[anjannath]

@gh0st We have filed a reclassification request to trend micro, they haven't replied to us yet, but i'd suggest you to also file a reclassification request.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.