-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitHub Portable with .7z.exe extension #2238
Comments
No. This is done on purpose, to indicate to users that they can also use 7-Zip to extract the files. I am not sure that it is worth bending to security software's ideas of what we should use as file extension, and risk breaking users' scripts (that possibly might have come to rely on the exact file name that pretty much every single portable Git used since the first one was published). |
Is there an option to change the first |
I would agree with PhilipOakley comment. I would have an understanding about some scripts but I brought this up since it has been becoming more often that the double extension trick has been attempted to be used in a lot of recent malware attacks. |
Sure, but that changes the file name pattern, something I am loathe to do lest I break scripted setups that have long been working. If we break the pattern, then we should just delete the It will take two things:
|
A further option, to cover a transition period, maybe to duplicate the file with an alternate, agreed, filename, so that both sets of folks can plan/implement their changes. It does double the storage size for the Portable resources, but not for the user, as long as they have selected the appropriate version. Would still need a PR and convincing commit message ! ! |
I would need some really good argument that convinces me. So far, I haven't heard anything convincing (@cliffporterx take that as a clear encouragement to try harder).
Indeed. |
@cliffporterx Having worked in the anti-malware industry until the beginning of this year for well over a decade I can tell you that you should never try to appease an AV by adjusting your behavior. Instead I advise you to report this as a false positive to the AV vendor whose product you chose. Also, you may want to reconsider your choice of product if someone seriously considers this a sensible heuristic. Most AV solutions are rife with false positives and just like all detections these spread. But unlike detections of malicious software, which we want included, the news of something being a false positive doesn't spread equally throughout the AV industry and so these tend to stick around much longer (or never go away). If you look at VirusTotal you can tell that it's an insurmountable task for ISVs to contact all those vendors. More so because there is no unified way to contact them, let alone one place to contact them all. |
Okay, I think the consensus is that this ticket can be closed without further work on the issue. |
I wanted to advise on something I was seeing with security software with the Git releases available on:
https://github.com/git-for-windows/git/releases
When it comes to the portable versions, I have security software that is hitting on those files because the file extension ends in '.7z.exe'.
The reason the security software hits on this is because of the tactic of a double extension in Windows to make something that is made to look like something else, but it is actually an executable, which they call 'masquerading'. So something like Evilfile.doc.exe and things like that the software would hit on as suspicious. While it is not detecting it as malicious in this case, it is detecting it as suspicious simply due to it being an executable with a double file extension.
I can see that the files are signed and the exe is created using 7zip SFX. My guess is that the original packed file, such as 'PortableGit-2.22.0-64-bit.7z' is being repacked to the self extracting executable. However instead of creating it as 'PortableGit-2.22.0-64-bit.exe', it is creating it as 'PortableGit-2.22.0-64-bit.7z.exe' instead, probably by some way it is identified in the original config script being used to repack this.
I just wanted to advise of this, wanting to suggest to see if the script used to repack this can be updated to not retain the .7z in the middle, so it would create the file like 'PortableGit-2.22.0-64-bit.exe' instead. This should prevent the security software from detect it as a possible masqueraded file.
The text was updated successfully, but these errors were encountered: