PuTTY semi-bug false-positive-malware

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: PuTTY is persistently misreported as malware
class: semi-bug: This might or might not be a bug, depending on your precise definition of what a bug is.
difficulty: mayhem: Probably impossible
priority: high: This should be fixed in the next release.

PuTTY seems to have a persistent problem with virus-scanning software. Most release builds of the PuTTY tools in the last few years have been accused by one or more virus checker of being malware of some kind.

Top-level summary: We have every reason to believe that all of these reports are false positives. As far as we know, the legitimate, signed builds of PuTTY are free of malware and safe to use. But we don't know why these reports happen; we don't even know whether it's because of anything we are doing; so we also don't know what – if anything – we can do to stop them.

History

Here's a list of accusations we have observed ourselves, or had reported to us by users.

Of course, we weren't able to investigate most of these claims, because proprietary antivirus organisations don't provide much information we could use, and undoubtedly would say they have sound security reasons for keeping quiet. So we mostly don't know what might have caused all those people to flag PuTTY as malware.

ClamAV is a partial exception: because it's free software, we were at least able to find the entries in its database that caused four successive releases of putty.exe to be flagged as various kinds of Win.Trojan.Rozena-NNNN. When we did, it turned out that each of those accusations was based on ClamAV's database containing an MD5 hash of the code segment of the corresponding putty.exe. In other words, it wasn't that PuTTY was exhibiting any kind of general behaviour or matching a general pattern that made it look like malware; it's that ClamAV's database was identifying PuTTY specifically as malware, apparently on purpose – there is no way that a database entry of that kind could have matched anything other than the specific PuTTY executable in question.

In several cases, we submitted a false-positive report to ClamAV, and they withdrew the database entry in question. And then, the next time we put out a release, they turned round and flagged that one as another kind of Rozena.

Analysis

It would be nice if we could give some explanation here of why antivirus software is so keen to call us names. Unfortunately, we don't know!

Some possibilities that have occurred to us in the past include:

Of course, the other possibility is that the accusations might be right, and that there really is malware in PuTTY, either because it managed to get on to our build machine and infected the binaries at build time, or else (someone might imagine) because we put it there on purpose.

We don't believe that is true, and here are some reasons why:


If you want to comment on this web site, see the Feedback page.
Audit trail for this semi-bug.
(last revision of this bug record was at 2017-07-20 23:21:39 +0100)