PostgreSQL\12\bin\pg_ctl.exe - Trojan detected

Started by Manoj Agrawal, over 6 years ago, 6 messages, list: bugs

#1 Manoj Agrawal
manoj.agrawal@hotmail.com

Dear PostgreSQL Team,

I am a regular, ordinary user of your application.
I apologise for not following your bug and security template. I suppose this will be OK with you.

Kindly look at this screen from Windows 10 machine.

I have downloaded "postgresql-12.1-3-windows-x64.exe" from your website and during installation it is reporting malware in one of your executables.

PostgreSQL\12\bin\pg_ctl.exe
Threat detected: Trojan:Win32/Detplock
Alert level: Severe
Date: 22-12-2019 07:32 PM
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

I need you to look into this on a priority basis, as I am stuck.

[cid:f19e8cc6-666d-4130-b013-e4c1536b4a74]

________________________________

Thanks and Regards

Manoj Agrawal
manoj.agrawal@hotmail.com

Attachments: Outlook-0ax1oqnx.png (image/png)

#2 Magnus Hagander
magnus@hagander.net
In reply to: Manoj Agrawal (#1)
Re: PostgreSQL\12\bin\pg_ctl.exe - Trojan detected

On Sun, Dec 22, 2019 at 4:26 PM Manoj Agrawal <manoj.agrawal@hotmail.com>
wrote:

Dear PostgreSQL Team,

I am a regular, ordinary user of your application.
I apologise for not following your bug and security template. I suppose
this will be OK with you.

Kindly look at this screen from Windows 10 machine.

I have downloaded "postgresql-12.1-3-windows-x64.exe" from your website
and during installation it is reporting malware in one of your executables.

Exactly which URL did you download it from? And please provide a checksum
(md5, sha1 or similar) of the file downloaded to your system.

PostgreSQL\12\bin\pg_ctl.exe
Threat detected: Trojan:Win32/Detplock
Alert level: Severe
Date: 22-12-2019 07:32 PM
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

I need you to look into this on a priority basis, as I am stuck.

Hi!

Can you please take the file from your system and upload it to
https://www.virustotal.com/gui/home/upload, and let us know what the
detection there says? It also gives you a link to the finished analysis,
so please post the link to that one as well.

//Magnus

Attachments: Outlook-0ax1oqnx.png (image/png)

#3 Andres Freund
andres@anarazel.de
In reply to: Magnus Hagander (#2)
Re: PostgreSQL\12\bin\pg_ctl.exe - Trojan detected

Hi,

On December 22, 2019 10:38:57 AM EST, Magnus Hagander <magnus@hagander.net> wrote:

FWIW, there's a note on MS's page about recent false positives for this "virus":
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Detplock
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

#4 Manoj Agrawal
manoj.agrawal@hotmail.com
In reply to: Magnus Hagander (#2)
Re: PostgreSQL\12\bin\pg_ctl.exe - Trojan detected

Hi Magnus,

I apologise for troubling you at this time, but your questions are important and I will try to answer them all.

1. URL from where I downloaded the installer
https://www.enterprisedb.com/thank-you-downloading-postgresql?anid=1257093

image as below:
[cid:ba9dcf68-3830-4f08-b212-f8811c45046a]

I have not taken checksum of the file.
[cid:e1f8c5f7-4d06-4ffe-810b-fc4a50a436a0]

2. I did scan the file with the URL you gave below. Attaching the screenshot for your reference.
[cid:2e773f13-c56f-4810-a42b-cc6b22673db7]

Here are some of the details from the details tab. Attaching .pdf also for your reference.
MD5
457c9ea7f38663bd7f425f4418a6dcba
SHA-1
eb8ffab9532224ee2e722013b08311bc91b009d2
SHA-256
076a334a624e71744f5659d5d4576ba88cd064c47a486f0316db85dbbe7cd5b2
Vhash
015056656d15155188z34!z
Authentihash
39c368326cfb7d605ba7228d6fdbc98ad9f680e8c45fda55ef66e305b38c01b7
Imphash
76881c88796d93158906531d1f6a2529
SSDEEP
1536:ixwCY+BeiOs1V8u9TyMYR7PRdUQjqKZZY0Z3n3DJTY3B/eeLuB5oGqZ:ixwCY+siDUQu97PzULKZT3na3nO5oZ
File type
Win32 EXE
Magic
PE32+ executable for MS Windows (console) Mono/.Net assembly
File size
113.50 KB (116224 bytes)

Sir, please do let me know if there is any more information I can share with you. I will be more than happy to share it.

________________________________

Thanks and Regards

Manoj Agrawal
manoj.agrawal@hotmail.com

________________________________
From: Magnus Hagander <magnus@hagander.net>
Sent: 22 December 2019 09:08 PM
To: Manoj Agrawal <manoj.agrawal@hotmail.com>
Cc: security@postgresql.org <security@postgresql.org>; pgsql-bugs@lists.postgresql.org <pgsql-bugs@lists.postgresql.org>
Subject: Re: PostgreSQL\12\bin\pg_ctl.exe - Trojan detected

Attachments: image.png (image/png), image.png (image/png), image.png (image/png), pg_ctl.exe.pdf (application/pdf)

#5 Magnus Hagander
magnus@hagander.net
In reply to: Manoj Agrawal (#4)
Re: PostgreSQL\12\bin\pg_ctl.exe - Trojan detected

Hello!

The fact that only a single scanning engine considers it a problem
means it's almost certainly an issue with the virus scanner, and not an
actual trojan. Especially given that, as Andres pointed out, Microsoft's
scanner has had problems with false positives for this trojan before.

//Magnus

On Sun, Dec 22, 2019 at 5:03 PM Manoj Agrawal <manoj.agrawal@hotmail.com>
wrote:

Attachments: image.png (image/png), image.png (image/png), image.png (image/png)
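The two checks the thread walks through by hand, Magnus's request in #2 for a checksum of the downloaded file and his reasoning in #5 that a single-engine detection of a family with known false positives is most likely a scanner problem, can be scripted. The block below is an added example written for this page; it is not code from the thread, from the PostgreSQL project or from EnterpriseDB. It computes MD5, SHA-1 and SHA-256 of a file in one pass and compares them, in constant time, against whatever digests the publisher lists on the download page (the hashes posted in #4 came from a scanner upload, so they only identify which file was scanned; they are not publisher reference values). It then classifies a multi-engine scan result. The engine names, verdict strings, the three-detection threshold and the `SAMPLE_SCAN` mapping are constructed for illustration and are assumptions, not data from the thread.

```python
"""Verify a downloaded binary's digests and triage a multi-engine scan result.

Added example for the pgsql-bugs thread above; not project code. Engine
names, verdicts and the threshold are constructed assumptions.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Mapping, Optional, Tuple

CHUNK_SIZE = 64 * 1024
DIGESTS = ("md5", "sha1", "sha256")


def _digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all three hash objects in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob (convenient for tests and small files)."""
    return _digest_chunks([data])


def digest_file(path: str) -> Dict[str, str]:
    """Digests of a file on disk, read in chunks so large installers fit in memory."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(CHUNK_SIZE), b""))


def matches_published(computed: Mapping[str, str], published: Mapping[str, str]) -> bool:
    """True only if every digest the publisher lists matches the computed value.

    An empty 'published' mapping fails rather than passes: with no reference
    value the download has not been verified at all. Keys and hex are
    case-insensitive; the comparison itself is constant-time.
    """
    if not published:
        return False
    for name, expected in published.items():
        got = computed.get(name.lower())
        if got is None or not hmac.compare_digest(got.lower(), expected.lower()):
            return False
    return True


# Detection family the thread cites as having vendor-acknowledged false positives.
KNOWN_FALSE_POSITIVE_FAMILIES = frozenset({"Trojan:Win32/Detplock"})


def triage_scan(results: Mapping[str, Optional[str]],
                known_fp: Iterable[str] = KNOWN_FALSE_POSITIVE_FAMILIES,
                threshold: int = 3) -> Tuple[str, int, int]:
    """Classify a scan result of the form {engine: detection-name-or-None}.

    Returns (verdict, flagged_count, engine_count). 'threshold' (an assumed
    value, not from the thread) is the number of independent detections below
    which a verdict counts as weak evidence; weak evidence consisting only of
    families with known false positives is reported as such.
    """
    flagged = {engine: name for engine, name in results.items() if name}
    total = len(results)
    if not flagged:
        return ("clean", 0, total)
    if len(flagged) < threshold:
        if all(name in set(known_fp) for name in flagged.values()):
            return ("likely-false-positive", len(flagged), total)
        return ("weak-detection-verify-source", len(flagged), total)
    return ("likely-malicious", len(flagged), total)


# Constructed scan result mirroring the thread: one engine out of ten flags the
# file, with a family known for false positives. Engine names are labels only.
SAMPLE_SCAN = {
    "Microsoft": "Trojan:Win32/Detplock",
    "EngineB": None, "EngineC": None, "EngineD": None, "EngineE": None,
    "EngineF": None, "EngineG": None, "EngineH": None, "EngineI": None,
    "EngineJ": None,
}

if __name__ == "__main__":
    import sys
    print(triage_scan(SAMPLE_SCAN))
    for path in sys.argv[1:]:
        for name, value in digest_file(path).items():
            print(f"{name:<7} {value}  {path}")
```

Run it with the installer path as an argument to print the digests to compare against the download page; `matches_published` is the check to wire in once the publisher's values are pasted in. The "weak-detection-verify-source" verdict is deliberate: a lone detection of an unfamiliar family is not cleared by the engine count alone, only by confirming the file came from the expected source with a matching digest.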
#6 Sandeep Thakkar
sandeep.thakkar@enterprisedb.com
In reply to: Magnus Hagander (#5)
Re: PostgreSQL\12\bin\pg_ctl.exe - Trojan detected

Hi,

It certainly looks like a false positive. Can you please try installing on
some other Windows server?

On Mon, Dec 23, 2019 at 6:15 PM Magnus Hagander <magnus@hagander.net> wrote:


--
Sandeep Thakkar