ClamWin antivirus found BC.Gif.Exploit.Agent-1425366.Agent

Hi

My apologies, if I wrongly posted my finding here. I did not see a better place.

I just finished an antivirus scan on the installation folder of KNIME (the first one ever on any of my systems) and it detected an issue:

Windows Defender did not detect an issue; however, XnViewMP crashed when I tried to open the 10.1.0 version.

ClamWin Engine version: 0.103.2
Last virus DB update: 2024-01-11 08:55 CET

Kind regards

Thiemo

The whole summary of ClamWin.

Scan Started Tue Jan 09 08:50:11 2024

B:\Progis\KNIME\bundling\root\pkgs\pillow-10.1.0-py311h4dd8a23_0\info\test\tests\images\decompression_bomb.gif: BC.Gif.Exploit.Agent-1425366.Agent FOUND
B:\Progis\KNIME\bundling\root\pkgs\pillow-9.4.0-py39haa1d754_2\info\test\tests\images\decompression_bomb.gif: BC.Gif.Exploit.Agent-1425366.Agent FOUND
B:\Progis\KNIME\bundling\root\pkgs\pillow-9.5.0-py39ha9166d5_1\info\test\tests\images\decompression_bomb.gif: BC.Gif.Exploit.Agent-1425366.Agent FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8682298
Engine version: 0.103.2
Scanned directories: 68144
Scanned files: 600780
Infected files: 3

Total errors: 17
Data scanned: 193090.06 MB
Data read: 283158.32 MB (ratio 0.68:1)
Time: 192518.405 sec (3208 m 38 s)
Start Date: 2024:01:09 08:50:11
End Date: 2024:01:11 14:18:49


Completed

@Thiemo.Kellner sounds like this:

@mlauber71
Thanks for getting at this so quickly.

You are right. It definitely sounds like that. But as far as I have understood, they moved it explicitly to a test directory for being problematic and only for internal testing. So, I feel, the whole test directory should not be included in KNIME.

@Thiemo.Kellner as far as I understand the discussion the files in question are not actually harmful, but they are flagged as such by some antivirus software. And the preferred solution is to get these scanners to drop the alarm.

2 Likes

Sure, but I do not see what the business is to have test files in a productive delivery.

Just my dime.

@Thiemo.Kellner that might be a question for the developers of the pillow package.

1 Like

I agree that it would be best solved at the place of its origin. Every (re-)distributor, however, decides on how much risk they want to run by distributing non-productive files. This implies that I am a mere reporter.

@Thiemo.Kellner from what I read the ClamWin virus scanner is maybe not the most advanced tool, has been criticized in the past and their GitHub repository does not seem to be very recent (latest release is from 2021). No other virus scanner seems to identify these gifs as a problem from what I see.

And indeed I hope that KNIME does scan its files for threats before they distribute them. @ScottF maybe you can enlighten us on that?

Yes, we do. With Windows Defender which obviously doesn’t see this as a threat.

2 Likes

I did not mean to offend anyone. I just was trying to point at something that might be a problem.

Surely, ClamAV is not the best scanner. But this is wholly independent from non-productive files in productive packages. I am sorry to have brought this up.

2 Likes

@Thiemo.Kellner no offence 🙂 I think it is good to investigate such things since with large open source projects where one incorporates masses of third party modules something might very well go wrong. So better to check and make sure.

2 Likes
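
Added example, not part of any post in this thread: a small triage of the ClamWin `FOUND` lines quoted above that maps each hit to the conda package directory it sits in and marks whether it lies under that package's `info\test` tree. The function names and the `needs_review` split are assumptions made for illustration; the path layout is taken from the three paths in the scan summary.

```python
import re
from pathlib import PureWindowsPath

# The three detection lines from the ClamWin summary posted in this thread.
SCAN_LOG = r"""
B:\Progis\KNIME\bundling\root\pkgs\pillow-10.1.0-py311h4dd8a23_0\info\test\tests\images\decompression_bomb.gif: BC.Gif.Exploit.Agent-1425366.Agent FOUND
B:\Progis\KNIME\bundling\root\pkgs\pillow-9.4.0-py39haa1d754_2\info\test\tests\images\decompression_bomb.gif: BC.Gif.Exploit.Agent-1425366.Agent FOUND
B:\Progis\KNIME\bundling\root\pkgs\pillow-9.5.0-py39ha9166d5_1\info\test\tests\images\decompression_bomb.gif: BC.Gif.Exploit.Agent-1425366.Agent FOUND
"""

HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# conda unpacks each package into pkgs\<name>-<version>-<build>\
PKG_DIR = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<build>[^-]+)$")


def parse_hits(log):
    """Return one dict per 'FOUND' line, with the owning conda package if any."""
    hits = []
    for line in log.splitlines():
        m = HIT.match(line.strip())
        if not m:
            continue  # summary counters, blank lines, error lines
        parts = PureWindowsPath(m["path"]).parts
        hit = {"path": m["path"], "signature": m["sig"], "package": None,
               "version": None, "in_test_fixture": False}
        if "pkgs" in parts[:-2]:
            i = parts.index("pkgs")
            pkg = PKG_DIR.match(parts[i + 1])
            if pkg:
                hit["package"], hit["version"] = pkg["name"], pkg["version"]
                # info\test holds the test files bundled with the package
                hit["in_test_fixture"] = parts[i + 2:i + 4] == ("info", "test")
        hits.append(hit)
    return hits


def needs_review(hits):
    """Hits that are not located in a package's bundled test files."""
    return [h for h in hits if not h["in_test_fixture"]]


if __name__ == "__main__":
    for h in parse_hits(SCAN_LOG):
        where = "test fixture" if h["in_test_fixture"] else "REVIEW"
        print(f'{h["package"]} {h["version"]}: {h["signature"]} [{where}]')
```

A hit marked as a test fixture only tells you where the file sits; confirming it is the unmodified upstream file still means comparing it with the copy in the package's own source.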