I don't want to sound paranoid but I've just scanned geany binaries with Hybrid Analysis. I've got these results: https://www.hybrid-analysis.com/sample/109748fc6e6276462258ee104996fe29c9d82... In particular, could you explain to me why the installer connects to the Swiss IP Address 194.230.81.170? Thanks
Hi,
On 12/16/18 10:37 PM, dany111@email.it wrote:
Interesting. I don't have an explanation yet but am not panicking. The IP belongs to Akamai, which is not per se anything bad but just a CDN. I'll try to get some more details.
In general, information from that "analysis" should be taken with care, e.g.
"Ransomware The analysis extracted file with a known ransomware suffix"
This is based on the file "filetypes.abc", which is included in the Geany distribution. But a "Risk Assessment" based on filename extensions does not seem very serious to me.
Later, in the network section they say "This report was generated with enabled TOR analysis". So they route potentially harmful traffic through the TOR network to save themselves the trouble. If I myself try to open hybrid-analysis.com through the TOR network, I'm presented with a CloudFlare captcha because CloudFlare likes to assume all TOR users are bots or criminals. In my opinion, Hybrid Analysis behaves paradoxically here: CloudFlare argues for their captchas with the unwanted traffic they see from the TOR network, but Hybrid Analysis potentially generates this unwanted traffic.
Regards, Enrico
On 12/16/18 11:29 PM, Enrico Tröger wrote:
I tested with my Windows system and the only network activity I saw was a request to www.msftncsi.com/ncsi.txt which is Microsoft's network connectivity check (https://blog.superuser.com/2011/05/16/windows-7-network-awareness/).
While www.msftncsi.com actually resolves to an IP address of the Akamai CDN IP range, it might be just accidental.
I would assume that Hybrid Analysis is smart enough to filter out Windows' own connectivity check from the tests.
Furthermore, I grepped my whole Windows system used for the release binaries for that IP address - without any matches.
If you are interested enough, it might help to contact Hybrid Analysis for support and/or debug the installer yourself to get more information than I gathered.
It might help to get some insights about how Geany for Windows is built. The used software and build instructions are documented in the wiki at https://wiki.geany.org/howtos/win32/msys2.
Regards, Enrico
Thanks for the answer. So, the installer connects to internet, not Geany itself, right? In conclusion, the installer is safe, isn't it?
PS: Could I ask you which tools you use to monitor network activity and to grep the whole Windows system?
On 12/16/18 11:29 PM, Enrico Tröger wrote:
Hi,
I don't think your conclusion is correct:
in my opinion it is not yet proven that the installer actually connects to the internet, but it is possible (I could not reproduce it on my system but this does not necessarily mean it does not happen). And if it connects to the internet, then it is not safe because it should not do it.
But yes, Geany does not connect to the internet except for the UpdateChecker plugin, which does this by design by connecting to geany.org to check for the latest version. It does this only if it is explicitly activated.
Tools: I monitored the network traffic with "tcpdump" on the router, and for searching for the IP I used "grep" from the MSYS2 distribution. "grep" is also available as a normal Windows binary for download and you probably can also use the native Windows search.
Regards, Enrico
On 12/17/18 2:09 PM, dany111@email.it wrote:
Hi Enrico, I understand that the installer contains more binaries which are not signed by you, but I think that a GPG-signed .exe would be more trustworthy than an md5-certificated .exe. I think it would be a simple improvement to add.
Best regards, Daniel
----- Original Message -----
Hi <whoever you are>,
On 12/16/18 10:29 PM, dany111@email.it wrote:
Given that you already sign the source packages, could you sign the Windows Installer too?
I could. The installer as well as all binaries created from the Geany sources themselves (that is geany.exe, libgeany.dll and the plugin DLLs) are signed with an SSL certificate from cacert.org. You can check these signatures on Windows in the file properties dialog on the "Digital Signatures" tab.
Usually you get a verification failure because Windows doesn't know the CA the certificate is signed with (cacert.org). But this is a problem of Windows, not of Geany. You can download the root certificate of the cacert.org CA at http://www.cacert.org/index.php?id=3.
The installer contains more binaries which are not signed by us as they are not created by us but taken from the MSYS2 project. Detailed information about the included runtime libraries and where they were downloaded from can be found in the installation directory in the file called "ReadMe.Dependencies.Geany.txt".
Regards, Enrico
Hi,
OK, I added a GPG signature on https://www.geany.org/Download/Releases.
Just note that it is signed with my key, which is a different key from the one used for signing the source tarballs.
Regards, Enrico
On 12/17/18 3:48 PM, dany111@email.it wrote:
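The two messages above contrast a checksum published next to the download with a signature tied to a key, and note that the installer is signed with a different key than the source tarballs. The following is an added example, not code from the Geany project or from anyone in this thread, showing how a downloader can check both: a streamed SHA-256 checksum compared in constant time, and a detached GPG signature verified through a real gpg binary (assumed to be installed and on PATH) whose machine-readable status output is parsed so that only a GOODSIG from one pinned key fingerprint is accepted. EXPECTED_FPR is a placeholder, not the real release key, and the status lines at the bottom are constructed for the example.

```python
"""Verifying a downloaded installer: checksum versus a pinned GPG signature.

Added example, not from the Geany project or the thread. parse_gpg_status()
reads the status lines gpg writes with --status-fd and accepts the file only
when gpg reports GOODSIG and a VALIDSIG whose fingerprint (or the primary
key fingerprint in its last field) equals the pinned value.
"""
import hashlib
import hmac
import subprocess
from pathlib import Path

# Placeholder fingerprint (40 hex digits); replace with the fingerprint the
# project publishes for its installer-signing key.
EXPECTED_FPR = "0000000000000000000000000000000000000000"

# Status keywords after which the signature must be rejected outright.
FATAL_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Stream the file so a large installer does not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(actual_hex: str, expected_hex: str) -> bool:
    """Compare digests in constant time; case and surrounding whitespace are ignored."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def parse_gpg_status(status_text: str, expected_fpr: str):
    """Interpret `gpg --status-fd 1 --verify` output; returns (ok, reason)."""
    good = False
    valid_fprs = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in FATAL_STATUS:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(parts) >= 3:
            valid_fprs.add(parts[2].upper())
            if len(parts) >= 12:  # optional trailing primary-key fingerprint
                valid_fprs.add(parts[11].upper())
    if not good:
        return False, "NO_GOODSIG"
    if expected_fpr.upper() not in valid_fprs:
        return False, "UNEXPECTED_KEY"
    return True, "OK"


def verify_gpg_signature(sig_path: Path, file_path: Path, expected_fpr: str = EXPECTED_FPR):
    """Run gpg on a detached signature and pin the result to expected_fpr."""
    result = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(file_path)],
        capture_output=True, text=True, check=False,
    )
    return parse_gpg_status(result.stdout, expected_fpr)


# Constructed status output in the format gpg writes to --status-fd.
CONSTRUCTED_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + EXPECTED_FPR + " 2018-12-17 1545055200 0 4 0 1 8 00 " + EXPECTED_FPR + "\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py installer.exe installer.exe.sig
        print(verify_gpg_signature(Path(sys.argv[2]), Path(sys.argv[1])))
    else:
        print(parse_gpg_status(CONSTRUCTED_GOOD_STATUS, EXPECTED_FPR))
```

Pinning the fingerprint is the point: a bare "good signature" from any key in the local keyring would also accept an installer signed by the wrong key, so the check compares against the fingerprint of the key the project says it uses for the installer, which here is not the source-tarball key.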
So, if I run the installer offline, I should be safe, right? Because the suspicious behavior is restricted to the internet connection and to the installation, when the installer acts, and never again.
Regards, Daniel
Hi,
The installer doesn't connect to the Internet, your report shows Windows connecting to the Internet (svchost.exe). As suggested, it's most likely Windows checking your Internet connection by connecting to a (somewhat) regional IP which will always be online (ex. a CDN). For more info, google for "EnableActiveProbing".
I personally installed it with Internet connected and a subsequent full virus scan showed no threats.
Regards, Matthew Brush
On 2018-12-17 5:07 p.m., dany111@email.it wrote:
Users mailing list Users@lists.geany.org https://lists.geany.org/cgi-bin/mailman/listinfo/users
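The message above settles the question the same way Enrico's earlier test did: the connection in the report belongs to svchost.exe, i.e. Windows' connectivity check, not to the installer. The following is an added example, not code from anyone in this thread or from the Geany project, that encodes that triage rule for a sandbox report: an event is attributed to the sample only if it came from the sample's process or a descendant of it, svchost.exe reaching the NCSI probe host is labelled as the OS connectivity check, and anything else is left unattributed. The process tree, event records and the second probe host name (www.msftconnecttest.com, used by current Windows releases) are not from the page; the IP on the svchost.exe event is the one questioned in the thread and the others are TEST-NET addresses.

```python
"""Triage of sandbox network events by originating process.

Added example, not code from the Geany project or the thread. A connection in
a sandbox report counts against the sample only when the sample's own process
(or a child of it) made it; svchost.exe talking to Microsoft's NCSI probe host
is Windows' own connectivity check (EnableActiveProbing), not the installer.
"""
from dataclasses import dataclass

# Probe hosts contacted by Windows' Network Connectivity Status Indicator.
# www.msftncsi.com is the one named in the thread; www.msftconnecttest.com is
# the newer probe host used by current Windows releases.
NCSI_PROBE_HOSTS = {"www.msftncsi.com", "www.msftconnecttest.com"}


@dataclass(frozen=True)
class NetEvent:
    pid: int
    process: str    # image name as the sandbox reports it
    dest_host: str  # resolved name, "" when the report only has the IP
    dest_ip: str


def descends_from(pid, root_pid, parents):
    """True if pid is root_pid or one of its descendants.

    parents maps pid -> parent pid, as read from the sandbox's process tree.
    The visited set guards against a malformed (cyclic) tree.
    """
    seen = set()
    while pid is not None and pid not in seen:
        if pid == root_pid:
            return True
        seen.add(pid)
        pid = parents.get(pid)
    return False


def classify(event, sample_pid, parents):
    """Attribute one network event to the sample, to the OS, or to neither."""
    if descends_from(event.pid, sample_pid, parents):
        return "sample"
    if event.process.lower() == "svchost.exe" and event.dest_host.lower() in NCSI_PROBE_HOSTS:
        return "os-connectivity-check"
    return "other-process"


def triage(events, sample_pid, parents):
    """Return only the events the sample itself would have to answer for."""
    return [e for e in events if classify(e, sample_pid, parents) == "sample"]


def summarize(events, sample_pid, parents):
    """Count events per attribution label."""
    counts = {}
    for e in events:
        label = classify(e, sample_pid, parents)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample data: pid 1200 is the installer under analysis, 1300 a
# helper it spawned, 900 a Windows service host, 700 an unrelated process.
SAMPLE_PID = 1200
PARENTS = {1200: 600, 1300: 1200, 900: 4}
EVENTS = [
    NetEvent(900, "svchost.exe", "www.msftncsi.com", "194.230.81.170"),
    NetEvent(1300, "helper.exe", "", "203.0.113.7"),
    NetEvent(700, "explorer.exe", "", "198.51.100.9"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e.process:14} {e.dest_ip:16} {classify(e, SAMPLE_PID, PARENTS)}")
    print(summarize(EVENTS, SAMPLE_PID, PARENTS))
```

The rule deliberately keys on the process tree rather than on the destination IP: a CDN address such as the one in the report is shared by many unrelated services, so the IP alone says nothing about which program made the connection, while the reporting process and its parent chain do.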
On Tue, 18 Dec 2018 at 11:23, Matthew Brush mbrush@codebrainz.ca wrote:
The installer doesn't connect to the Internet, your report shows Windows connecting to the Internet (svchost.exe).
Oh dear, Windows is a virus, quick remove it :)
Hi,
I got a Windows Defender warning with the just-released installer, similar to Issue #990[0]. In order to install you have to run as administrator and then allow it.
I expect it's because it's a random .exe from the internet with lots of compressed, executable code, which makes system-wide changes. These are the times in which we live.
Regards, Matthew Brush
[0]: https://github.com/geany/geany/issues/990
On 2018-12-16 1:37 p.m., dany111@email.it wrote: