Re: [Gimp-user] Update blocked by trend micro



On Sun, Nov 14, 2021 at 1:00 PM Baz Shaw <bshaw53 att net> wrote:

Here is the report

Report from Trend Micro antivirus during download:

Time: 11/11/2021 16:36
File: gimp-2.20.28-setup.exe-part
Threat: TSPY.Win32.TRX.XXPE50FSX016E0002
Action: Quarantined

Putting quotes around that and doing a web search yields no results.
If Trend Micro has a specific record for this, they haven't published
it, or it's really new.

Best thing to do is contact them and see if they are willing to share
what they have.

This similar report on the language Go may shed some light for you, BTW:

https://github.com/golang/go/issues/45191

Note the phrase "out of an abundance of caution".

I would use other words, such as "lazy", but I don't know if that
would or should put your mind at ease. You don't know me from Adam,
and I don't regularly respond on this list.

But I'll tell you what I go through when I prepare to install
free/libre software:

(1) Do I trust the developer(s)?

If not, I don't even download. I go looking for another alternative.

In the GIMP's case, I've been watching the community long enough to
trust the developers enough to install it if I think it hasn't been
tampered with.

(2) So it comes down to detecting tampering.

(2a) Is the download available on HTTPS servers?

The URLs for the website for downloading the GIMP start with HTTPS,
starting from here:

https://www.gimp.org/downloads/

If it isn't showing you the download information for MSWindows, you
can click the button for MSWindows. (I assume you want that, since
your URL ended in .exe.)

HTTPS (as opposed to unencrypted HTTP) gives a fairly high degree of
confidence that the owners and operators of the web site are who they
say they are, and that what you download makes it to your computer
safely. For many people it's enough. For me, it helps.

In addition, if you have a torrent client, they provide a link for
torrent download on the MSWindows version download page. Torrent
download is a bit more secure than simple download, for what it's
worth.

(2b) Do they make checksums available?

The GIMP makes checksums available, publishing the checksum for the
MSWindows download on the download page underneath the download
buttons. The current checksum (SHA256) is

2c2e081ce541682be1abdd8bc6df13768ad9482d68000b4a7a60c764d6cec74e

You can use the certutil.exe utility in MSWindows to check that from a
shell or powershell window. The command is

certutil -hashfile filename SHA256

I think. (I'll try to check tonight or later this week.) Substitute
the name of the file, "gimp-2.10.28-setup.exe" for "filename", of
course. Also, make sure you are in the download directory before you
issue the command.

Below the checksum, the site gives a link to VirusTotal, which you can
use to check whether vendors are blacklisting this particular
checksum. But if you do that, copy the entire checksum and use your
search engine to go direct to VirusTotal and paste the checksum in.
That way, in the very slight chance that you are seeing a spoof of the
GIMP's website, you avoid the possibility of jumping to a spoofed
VirusTotal, as well. I'm not sure how useful that information is, but
some will find it useful.

If you're worried that the download page is being spoofed by a
man-in-the-middle, and that the checksum is faked, there is a way to
get some confidence that is not the case.

Run down the download page to the source code download section and
find the link to the mirrors. Look through the list of mirrors and
pick one at random.

I happen to be familiar with the XMission mirror in the US, so I'll
use that as an example. Search the web for XMission and note the URL.
Open the site and copy the domain name:

https://xmission.com

Use right-click to copy (don't jump to) the link in the mirrors list:

https://mirrors.xmission.com/

Note that the xmission.com domain name is the same. Now you can paste
the domain name into the URL blank of your browser and go to their
downloads section and be pretty sure you're safe from everything but a
look-ahead DNS poisoning.

Drill down into the gimp section, into the gimp section of that, into
the current version (2.10) and into the windows section of that. For
the XMission mirror, the URL you end up at is

https://mirrors.xmission.com/gimp/gimp/v2.10/windows/

From there, you can download the SHA256SUMS file, save it on your
computer, open it with a text editor, and look at the line for
gimp-2.10.28-setup.exe (the last line right now).

Copy the checksum from the web page and paste it below that line like this:

2c2e081ce541682be1abdd8bc6df13768ad9482d68000b4a7a60c764d6cec74e  gimp-2.10.28-setup.exe
2c2e081ce541682be1abdd8bc6df13768ad9482d68000b4a7a60c764d6cec74e

and you can visually check that the checksums are the same.

If you need even more assurance, try one or two more, and you have two
or three witnesses that the checksum is valid.

To recap, what I've walked you through is a way to get more than one
witness that you got what the GIMP project put up there for you,
which, if you trust the project, should be enough to trust the
download, even if a random security vendor is too lazy to be sure that
it isn't giving false positives on free/libre software.

Sent from my iPhone

On Nov 13, 2021, at 7:42 PM, Joel Rees via gimp-user-list <gimp-user-list gnome org> wrote:

On Fri, Nov 12, 2021 at 7:21 AM James Moe via gimp-user-list
<gimp-user-list gnome org> wrote:


On 2021-11-11 15:02, Baz Shaw wrote:


I just tried to download the latest update from


https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.28-setup.exe

It was blocked by trend micro with this report:


Report was removed?


It would be interesting to see the actual report.

Is "trend micro" a firewall product?


Trend Micro is a Japanese company specializing in cyber security, FWIW.

If so, you may need to whitelist gimp.org.


Yeah.

Or if Baz wants to be a little more sure that there is no
man-in-the-middle or DNS cache poisoning, explicitly identifying
mirrors and checking their stated checksums for the download against
the checksum he gets on what he downloaded can give a reasonable level
of confidence. When I do that, it takes me an hour or two of hunting
around the web for the mirrors and the checksums and digging up the
MSWindows command.

(I've posted a page somewhere to remind myself and forgotten where I
posted it, so I usually end up looking for it on Microsoft's sites
again. FCIV is old news, BTW. Here's the command:

certutil -hashfile filename MD5

or whatever. But SHA-1 is better than MD5.)

--
Joel Rees

http://reiisi.blogspot.jp/p/novels-i-am-writing.html
_______________________________________________
gimp-user-list mailing list
List address:    gimp-user-list gnome org
List membership: https://mail.gnome.org/mailman/listinfo/gimp-user-list
List archives:   https://mail.gnome.org/archives/gimp-user-list



-- 
Joel Rees

http://reiisi.blogspot.jp/p/novels-i-am-writing.html
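The check Joel walks through above (hash the download the way certutil does, then compare that digest with the checksum on the download page and with the line for the file in each mirror's SHA256SUMS) as an added, self-contained example; it is not code from this thread or from the GIMP project. The sample "installer", the SHA256SUMS text and the wrong witness value it builds are constructed for the demo, not the real installer or its published hashes.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256; same digest `certutil -hashfile <file> SHA256` prints."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse SHA256SUMS lines of the form '<64 hex chars>  <filename>' into {filename: digest}.
    A '*' binary-mode marker before the name is dropped; malformed lines are skipped."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums

def verify_witnesses(path, witnesses):
    """Compare the local digest with every witness (download page, each mirror's SHA256SUMS).
    Returns (local_digest, {witness: True/False}); a False means corruption, a stale mirror,
    or tampering somewhere between the project and you."""
    local = sha256_of_file(path)
    return local, {w: (d is not None and d.lower() == local) for w, d in witnesses.items()}

def demo():
    """Constructed scenario: a stand-in 'installer', one honest mirror, and one bad witness."""
    filename = "gimp-2.10.28-setup.exe"   # name from the thread; the contents are NOT the real installer
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, filename)
        with open(path, "wb") as f:
            f.write(b"hello")               # constructed stand-in for the download
        honest = sha256_of_file(path)
        sums_text = f"{'0' * 64}  gimp-2.10.28.tar.bz2\n{honest}  {filename}\n"  # constructed SHA256SUMS
        witnesses = {
            "mirror SHA256SUMS": parse_sha256sums(sums_text).get(filename),
            "download page": honest,
            "tampered witness": "f" * 64,   # constructed wrong value
        }
        return verify_witnesses(path, witnesses)

if __name__ == "__main__":
    local, results = demo()
    print("local sha256:", local)
    for w, ok in results.items():
        print(("OK  " if ok else "BAD ") + w)
```

On the real download, replace the constructed witnesses with the checksum copied from the download page and the matching line from each mirror's SHA256SUMS; every witness should report True.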

