Description:
I've started creating winget manifests for the LibreOffice pre-releases. The validation stage is failing because of a (presumably!) false positive for inprocserv.dll in LibreOfficeDev_26.2.0.0.beta1_Win_x86.msi, shown as W32/Patcher, which I kind of understand. The AV causing this result is TRELLIXENS, and I've not been able to report it there. I'm hoping you have better contacts/skills than me. For reference, the Pull Request is https://github.com/microsoft/winget-pkgs/pull/321771 and I've had some discussions already with the team there.

Steps to Reproduce:
1. See https://github.com/microsoft/winget-pkgs/pull/321771
2. Trigger a validation run

Actual Results:
One or more ESRP Scan Blocking detections found:
Installer: LibreOfficeDev_26.2.0.0.beta1_Win_x86.msi
InstallerSha256: fa171e7038eb863ca25f7039bcd411d60fb5f933117c49bdf6ccd84a2b97cd7c

FileName        SHA256HexFileHash                                                  Detection Engine  Detection Description
inprocserv.dll  4f50e5b881c2abfc0afc129899a5af3223b6af6cbcfc8080d501dc227632c4e2   TRELLIXENS        the W32/Patcher virus !!!

Expected Results:
A clean run.

Reproducible: Always

User Profile Reset: No

Additional Info:
This hasn't been seen on production LibreOffice winget packages, nor 26.2.0.0.alpha1, nor other architectures. So far anyway. By the way, any help on winget is appreciated!
Reported to Trellix.

FALSE POSITIVE REPORT

Detection Details:
Product: Trellix ENS (Endpoint Security)
Threat Name: W32/Patcher virus
Detected File: inprocserv.dll
File SHA-256: 4f50e5b881c2abfc0afc129899a5af3223b6af6cbcfc8080d501dc227632c4e2

Source Information:
Origin: LibreOffice Development Build
Source URL: https://downloadarchive.documentfoundation.org/libreoffice/old/26.2.0.0.beta1/win/x86/LibreOfficeDev_26.2.0.0.beta1_Win_x86.msi
MSI SHA-256: fa171e7038eb863ca25f7039bcd411d60fb5f933117c49bdf6ccd84a2b97cd7c

Evidence This Is a False Positive:
1. Microsoft Defender does not flag this file as malicious
2. LibreOffice's official security page (https://www.libreoffice.org/about-us/security/) explicitly states: "If your virus checker is flagging a LibreOffice download as containing a virus, this is almost certainly a false positive"
3. LibreOffice is a reputable open-source project maintained by The Document Foundation
4. LibreOffice releases undergo extensive testing and are used by millions globally

Impact: Blocking winget packaging of LibreOffice preview beta1
Ambiguous response from Trellix:

Trellix Labs
Current Scan Engine Version: 6810.10716
Current DAT Version: 5000.0000

Thank you for your submission.
Analysis ID: 11196545

File Name           |Findings                      |Detection                   |Type        |Extra
--------------------|------------------------------|----------------------------|------------|-----
inprocserv.dll.sampl|current detection             |w32/patcher                 |Virus       |no current detection

[inprocserv.dll.sample]
The file submitted is malware that can be detected with current DAT files. It is recommended that you update your DAT and engine files and scan your computer again.

Regards,
Trellix Labs