ClamAV found a virus in the winver.exe file of Wine

Today libredefender found a virus in a number of files:

╰─λ libredefender infections -v
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Pulpit/foobar2000/drive_c/windows/syswow64/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Games/ea-app/drive_c/windows/syswow64/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Games/ea-app/drive_c/windows/system32/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Games/battlenet/drive_c/windows/system32/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Games/path-of-building/drive_c/windows/syswow64/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Games/path-of-building/drive_c/windows/system32/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Games/epic-games-store/drive_c/windows/system32/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Pulpit/foobar2000/drive_c/windows/system32/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Games/epic-games-store/drive_c/windows/syswow64/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/akhkharu/Games/battlenet/drive_c/windows/syswow64/winver.exe"

Googling around didn’t give me a definitive solution. I thought it was a false positive, but VirusTotal is showing infection on 31 antivirus engines: https://www.virustotal.com/gui/file/8b81da285744f5829b68a250737ca0c4fcd0933a0ec02e9fcce6e73be24dfbf7

So I don’t know what to think about this situation. I am new to Linux, using Garuda for 1 month. Is my Wine infected? Or is it a false positive after all?

garuda-inxi, please, and here:

The process known as Microsoft Windows Status Protocol or Version Reporter Applet appears to belong to software Windows Status or Microsoft Windows Operating System by Microsoft (www.microsoft.com).

Description: Winver.exe is not essential for the Windows OS and causes relatively few problems. Winver.exe is located in a subfolder of “C:\ProgramData”—primarily *C:\ProgramData\Microsoft\Windows\Deep Layers*. The file size on Windows 10/11/7 is 6,786,560 bytes. https://www.file.net/process/winver.exe.html
Winver.exe is not a Windows core file. The program starts when Windows starts (see Registry key: Run). The program has no visible window. Winver.exe is able to record keyboard and mouse inputs and monitor applications. Therefore the technical security rating is 70% dangerous.

winver.exe is not a file generated by wine. That’s a file provided by the vendor of whatever software you are running with the help of wine.

1 Like

╰─λ garuda-inxi
System:
Kernel: 6.6.9-AMD arch: x86_64 bits: 64 compiler: gcc v: 13.2.1
clocksource: tsc available: hpet,acpi_pm
parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-amd
root=UUID=c18d949d-69a4-4160-97bc-bf86a790a7fa rw rootflags=subvol=@
quiet resume=UUID=835dc304-471d-4f63-9dd4-a52860dc3408 loglevel=3 ibt=off
Desktop: KDE Plasma v: 5.27.10 tk: Qt v: 5.15.11 wm: kwin_x11 vt: 2
dm: SDDM Distro: Garuda Linux base: Arch Linux
Machine:
Type: Desktop Mobo: ASRock model: B650E Steel Legend WiFi
serial: <superuser required> UEFI: American Megatrends LLC. v: 2.02
date: 11/17/2023
CPU:
Info: model: AMD Ryzen 5 7500F bits: 64 type: MT MCP arch: Zen 4 gen: 5
level: v4 note: check built: 2022+ process: TSMC n5 (5nm) family: 0x19 (25)
model-id: 0x61 (97) stepping: 2 microcode: 0xA601206
Topology: cpus: 1x cores: 6 tpc: 2 threads: 12 smt: enabled cache:
L1: 384 KiB desc: d-6x32 KiB; i-6x32 KiB L2: 6 MiB desc: 6x1024 KiB
L3: 32 MiB desc: 1x32 MiB
Speed (MHz): avg: 1138 high: 4841 min/max: 400/5074 scaling:
driver: amd-pstate-epp governor: powersave cores: 1: 400 2: 400 3: 4841
4: 400 5: 400 6: 400 7: 400 8: 400 9: 4820 10: 400 11: 400 12: 400
bogomips: 88662
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Vulnerabilities: <filter>
Graphics:
Device-1: NVIDIA AD106 [GeForce RTX 4060 Ti 16GB] vendor: Micro-Star MSI
driver: nvidia v: 545.29.06 alternate: nvidia_drm non-free: 545.xx+
status: current (as of 2023-10) arch: Lovelace code: AD1xx
process: TSMC n4 (5nm) built: 2022+ pcie: gen: 2 speed: 5 GT/s lanes: 8
link-max: gen: 4 speed: 16 GT/s bus-ID: 01:00.0 chip-ID: 10de:2805
class-ID: 0300
Display: x11 server: X.Org v: 21.1.10 with: Xwayland v: 23.2.3
compositor: kwin_x11 driver: X: loaded: nvidia gpu: nvidia display-ID: :0
screens: 1
Screen-1: 0 s-res: 1920x1080 s-dpi: 92 s-size: 530x301mm (20.87x11.85")
s-diag: 610mm (24")
Monitor-1: HDMI-0 res: 1920x1080 hz: 60 dpi: 92
size: 531x299mm (20.91x11.77") diag: 609mm (23.99") modes: N/A
API: EGL v: 1.5 hw: drv: nvidia platforms: device: 0 drv: nvidia device: 2
drv: swrast gbm: drv: nvidia surfaceless: drv: nvidia x11: drv: nvidia
inactive: wayland,device-1
API: OpenGL v: 4.6.0 compat-v: 4.5 vendor: nvidia mesa v: 545.29.06
glx-v: 1.4 direct-render: yes renderer: NVIDIA GeForce RTX 4060 Ti/PCIe/SSE2
memory: 15.62 GiB
API: Vulkan v: 1.3.274 layers: 8 device: 0 type: discrete-gpu name: NVIDIA
GeForce RTX 4060 Ti driver: nvidia v: 545.29.06 device-ID: 10de:2805
surfaces: xcb,xlib device: 1 type: cpu name: llvmpipe (LLVM 16.0.6 256
bits) driver: mesa llvmpipe v: 23.3.2-arch1.2 (LLVM 16.0.6)
device-ID: 10005:0000 surfaces: xcb,xlib
Audio:
Device-1: NVIDIA vendor: Micro-Star MSI driver: snd_hda_intel v: kernel
pcie: gen: 4 speed: 16 GT/s lanes: 8 bus-ID: 01:00.1 chip-ID: 10de:22bd
class-ID: 0403
Device-2: Thesycon System & Consulting GmbH SABAJ DA2 v1.2
driver: snd-usb-audio type: USB rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0
bus-ID: 3-2:2 chip-ID: 152a:85df class-ID: fe01
API: ALSA v: k6.6.9-AMD status: kernel-api tools: N/A
Server-1: sndiod v: N/A status: off tools: aucat,midicat,sndioctl
Server-2: PipeWire v: 1.0.0 status: active with: 1: pipewire-pulse
status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: MEDIATEK MT7921K Wi-Fi 6E 80MHz driver: mt7921e v: kernel pcie:
gen: 2 speed: 5 GT/s lanes: 1 bus-ID: 07:00.0 chip-ID: 14c3:0608
class-ID: 0280
IF: wlp7s0 state: down mac: <filter>
Device-2: Realtek RTL8125 2.5GbE vendor: ASRock driver: r8169 v: kernel
pcie: gen: 2 speed: 5 GT/s lanes: 1 port: e000 bus-ID: 08:00.0
chip-ID: 10ec:8125 class-ID: 0200
IF: enp8s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Bluetooth:
Device-1: MediaTek Wireless_Device driver: btusb v: 0.8 type: USB rev: 2.1
speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-12:5 chip-ID: 0e8d:0608
class-ID: e001 serial: <filter>
Report: btmgmt ID: hci0 rfk-id: 0 state: up address: <filter> bt-v: 5.2
lmp-v: 11 status: discoverable: no pairing: no class-ID: 7c0104
Drives:
Local Storage: total: 3.68 TiB used: 1.22 TiB (33.1%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/nvme0n1 maj-min: 259:4 vendor: Silicon Power
model: SPCC M.2 PCIe SSD size: 1.82 TiB block-size: physical: 512 B
logical: 512 B speed: 31.6 Gb/s lanes: 4 tech: SSD serial: <filter>
fw-rev: VC2S038D temp: 34.9 C scheme: GPT
ID-2: /dev/nvme1n1 maj-min: 259:0 vendor: Lexar model: SSD NM790 2TB
size: 1.86 TiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s
lanes: 4 tech: SSD serial: <filter> fw-rev: 11296 temp: 51.9 C scheme: GPT
Partition:
ID-1: / raw-size: 1.83 TiB size: 1.83 TiB (100.00%) used: 373.08 GiB (19.9%)
fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:2
ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
used: 584 KiB (0.2%) fs: vfat dev: /dev/nvme1n1p1 maj-min: 259:1
ID-3: /home raw-size: 1.83 TiB size: 1.83 TiB (100.00%)
used: 373.08 GiB (19.9%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:2
ID-4: /var/log raw-size: 1.83 TiB size: 1.83 TiB (100.00%)
used: 373.08 GiB (19.9%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:2
ID-5: /var/tmp raw-size: 1.83 TiB size: 1.83 TiB (100.00%)
used: 373.08 GiB (19.9%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:2
Swap:
Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
ID-1: swap-1 type: zram size: 30.98 GiB used: 3.19 GiB (10.3%)
priority: 100 comp: zstd avail: lzo,lzo-rle,lz4,lz4hc,842 max-streams: 12
dev: /dev/zram0
ID-2: swap-2 type: partition size: 34.16 GiB used: 0 KiB (0.0%)
priority: -2 dev: /dev/nvme1n1p3 maj-min: 259:3
Sensors:
System Temperatures: cpu: 46.5 C mobo: 34.0 C gpu: nvidia temp: 37 C
Fan Speeds (rpm): N/A gpu: nvidia fan: 0%
Info:
Processes: 340 Uptime: 2h 49m wakeups: 0 Memory: total: 32 GiB note: est.
available: 30.98 GiB used: 4.94 GiB (16.0%) Init: systemd v: 255
default: graphical tool: systemctl Compilers: gcc: 13.2.1 Packages:
pm: pacman pkgs: 1733 libs: 463 tools: octopi,paru Shell: fish v: 3.7.0
running-in: konsole inxi: 3.3.31
Garuda (2.6.22-1):
System install date:     2023-12-08
Last full system update: 2024-01-06 ↻
Is partially upgraded:   No
Relevant software:       snapper NetworkManager dracut nvidia-dkms
Windows dual boot:       No/Undetected
Failed units:

I also ran “clamscan -r --bell -i /” and so far it found:

/home/akhkharu/.local/share/lutris/runners/wine/wine-ge-8-25-x86_64/lib/wine/i386-windows/winver.exe: Win.Malware.Ulise-10018340-0 FOUND
/home/akhkharu/.local/share/lutris/runners/wine/wine-ge-8-25-x86_64/lib64/wine/x86_64-windows/winver.exe: Win.Malware.Ulise-10018340-0 FOUND
/home/akhkharu/.local/share/lutris/runners/wine/lutris-GE-Proton8-15-x86_64/lib/wine/i386-windows/winver.exe: Win.Malware.Ulise-10018340-0 FOUND
/home/akhkharu/.local/share/lutris/runners/wine/lutris-GE-Proton8-15-x86_64/lib64/wine/x86_64-windows/winver.exe: Win.Malware.Ulise-10018340-0 FOUND

So maybe it is some Lutris thing, as I launch all Windows programs through it.

Hmm… Maybe I should ask on some ClamAV forum, as this is probably not Garuda Linux related :slight_smile:

I think it’s almost safe to assume that this is a false positive.

4 Likes
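A triage helper I would add at this point (example code, not from the thread or from ClamAV/Lutris): it parses both output formats shown above, separates copies sitting inside Wine prefixes from the Lutris runner tree that wineboot copies them from, and hashes the flagged files so you can see whether every copy is byte-identical and whether that hash equals the one in the VirusTotal link. The paths in SAMPLE are constructed.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample mixing the two output formats seen in the thread:
# libredefender ('SIG => "path"') and clamscan ('path: SIG FOUND').
SAMPLE = '''\
Win.Malware.Ulise-10018340-0 => "/home/u/Games/battlenet/drive_c/windows/system32/winver.exe"
Win.Malware.Ulise-10018340-0 => "/home/u/Games/ea-app/drive_c/windows/syswow64/winver.exe"
/home/u/.local/share/lutris/runners/wine/wine-ge-8-25-x86_64/lib64/wine/x86_64-windows/winver.exe: Win.Malware.Ulise-10018340-0 FOUND
'''
LIBREDEFENDER_RE = re.compile(r'^(\S+) => "(.+)"$')
CLAMSCAN_RE = re.compile(r'^(.+): (\S+) FOUND$')

def parse_detections(text):
    """Return (signature, path) pairs from either tool's output."""
    hits = []
    for line in text.splitlines():
        if m := LIBREDEFENDER_RE.match(line):
            hits.append((m.group(1), m.group(2)))
        elif m := CLAMSCAN_RE.match(line):
            hits.append((m.group(2), m.group(1)))
    return hits

def origin(path):
    """'prefix': copy inside a Wine prefix (drive_c); 'runner': the tree wineboot copies it from."""
    parts = Path(path).parts
    if "drive_c" in parts:
        return "prefix"
    if "wine" in parts and any(p.endswith("-windows") for p in parts):
        return "runner"
    return "other"

def group_by_signature(hits):
    """signature -> origin -> sorted paths: which copies does one signature cover?"""
    out = defaultdict(lambda: defaultdict(list))
    for sig, path in hits:
        out[sig][origin(path)].append(path)
    return {s: {o: sorted(ps) for o, ps in d.items()} for s, d in out.items()}

def hash_groups(paths):
    """sha256 -> existing paths with that content (missing files are skipped).
    One hash across prefix and runner copies means plain wineboot copies; a
    prefix copy with a hash of its own is the one to examine further."""
    groups = defaultdict(list)
    for p in (Path(x) for x in paths):
        if p.is_file():
            groups[hashlib.sha256(p.read_bytes()).hexdigest()].append(str(p))
    return dict(groups)
```

A single hash shared by the runner and every prefix copy, equal to the VirusTotal entry, says the files are unmodified copies of what the runner shipped; it does not by itself settle whether the signature is a false positive, which is the question for the ClamAV false-positive report.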

On the ClamAV site I found only some mailing list, and as I am not familiar with how this works :stuck_out_tongue: I just sent the file sample as a false positive and will wait… maybe someone will get back to me with an answer.

Reboot, please, as indicated.

And don’t panic, AntiVirus/Malware crap is crap, and is notorious for false-positives in Linux.

4 Likes

Damn, that’s a lot.

But I will guess the winver.exe is safe.
You can look at its behavior; it looks normal.

OK, I will wait and see if I get an answer from ClamAV.

I will wait for a definitions update and see if it is still detected as a virus.

Lastly, I can delete it and see if games break because of it.

Anyway, as this is not a Garuda Linux topic, should I mark this thread as solved or something?

The best solution IMHO is to remove ClamAV. I am not joking. If the websites you visit or the Windows software you run are so notorious, you really shouldn’t do so. That’s like having sex with a lady of the night. Protected or not, her pimp is still gonna beat and rob you.

After a few definitions updates it is still detected as a virus. To be safe I deleted all instances of this file. I also scanned the computer with a few antimalware programs from pacman and they didn’t detect anything important.

I wrote here because I thought I would get a response from someone also using Lutris/Wine and ClamAV with a similar experience… but I guess either no one uses ClamAV or I really did get some virus from somewhere.
I may not be a complete Linux newbie, but I am a newbie to gaming on Linux, so I followed a few tutorials from YouTube to set things up, so maybe I did not pay enough attention and wget’d some weird stuff.

Anyway, thanks.

Very, very, very, very, very few people ever use or even need anti-whatever in Linux. A few tinfoil hat wearers, maybe.

Or a few scared Windows users who go places no Linux user would ever go. If you’re that person, you should stick with Windows–there’s much better anti-whatever apps available for that platform.

...

I’ll do a quick scan when I download something from a source I don’t trust, just for a little peace of mind. I don’t run the full-blown service or anything, I just do occasional one-off scans like this:

sudo freshclam
sudo clamscan -riv /thing/to/scan

Occasionally a false positive will come through, but usually a quick web search will turn up other folks reporting the same scan as a false positive, explaining why it was flagged in the scan, and so on. If you don’t find something like that, I would be hesitant to trust that file.

There are more robust AV tools on Windows, but not free ones. The good ones are typically expensive, and tend to be bloated and resource intensive. The free ones may do some legitimate scanning, but all of them are blatantly spyware and/or adware.

Aside from ClamAV itself, which can be used on Windows, there is no free tool on Windows which is as effective and efficient as ClamAV.

1 Like

That’s risky enough business right there. Why, in this day & age, untrustworthy sources would be used is beyond my ken. I don’t do so. Nor would I recommend anyone else to do so.

“Gee, I better install an anti-whatever because I can’t safely trust my fingers to do the walking.”
:wink:

Yeah well…let’s just say in my family we like to watch movies and TV shows, but do not subscribe to many streaming services. :wink:

1 Like

dmckjnfnjvjdc sdcsjdjsjdc

3 Likes

VPN-streaming (ytxs.mx/YIFY) be the way fer sure. I use NordVPN, but not for that. :wink:

But we pay for 3 services and I’m about to cut it down to 2 or even 1. Rotation seems to be the key to that maneuver. Plus, the deals they offer if you threaten to leave can be quite sweet. :+1:

I’ve gotten away with enough illegal activities in my life. I don’t need the pendulum o’ justice to swing back my way anymore than it has.
:wink:

One of these days an antivirus may be required when using Linux, I just don’t feel that day is quite here yet. IMO if you don’t run Windows, then there’s very little need to have an antivirus installed when using Linux.

Back in the days when I still used Windows (and Linux) I would scan my Windows drives from within Linux using clamscan. To me that is one of the few worthwhile reasons for using an AV with Linux. If you use Windows, or are on a network with Windows machines, or share files with Windows users, then scanning the files from within Linux is a good preventative measure to be sure you’re not responsible for spreading Windows viri.

Scanning from outside of Windows is a good precaution to take, because advanced Windows viri can surreptitiously disable your Windows AV and get away with all manner of nastiness without the Windows user even knowing. After I quit using Windows completely, I realized I no longer had a legitimate need for running an AV with Linux.

Although I found a ton of viri using clamscan, none were ever actually a virus that could cause a problem with Linux. Clamscan reported lots of infected files on Linux drives, but every one was a false positive. The whole time using an AV on Linux, I never actually found one legitimate concern. After I quit using Windows, I realized I was simply wasting time and effort scanning my files and chasing down false positives.

The day may arrive when AV is required in Linux, I just don’t feel that time is quite on us yet. As always YMMV, and always use a prophylactic if regularly engaged in risky activities.

5 Likes