ClamAV flagged a file in wine-platform-5-stable

Hi everyone,

Yesterday (December 22, 2024), during a ClamAV scan, the file /icacls.exe from the wine-platform-5-stable snap package was flagged as Win.Malware.Trickbot-10018337-0 FOUND. Unfortunately, I don’t recall the exact path of the file within the snap.

To get more clarity, I also uploaded the file to VirusTotal. However, the results were all over the place—different antivirus engines flagged it as unrelated threats. This has left me unsure whether this is a real issue or just a series of false positives.

I’m also not sure if this is the right section to post about such problems. If someone could point me in the right direction or share their thoughts on this, I’d really appreciate it.

Thanks in advance for your help!

Best regards

Wine as a project is well known for creating false positives for Windows AV.

Keeping in mind how WINE works, it reimplements the win32 API, but can never match the Microsoft official DLLs and platform behaviour one to one, which will often also be cryptographically signed by Microsoft themselves whilst the Wine ones never will be. Every Wine DLL, from the perspective of Windows itself, is a foreign component that tries to imitate the original Windows but is clearly not part of Windows itself.

A game engine could view these DLLs as being attempts to cheat if they can’t recognise them. An antivirus could view the files as suspicious as they’re pretending to be common files “everybody already has” but clearly aren’t and mess around with the OS at a pretty deep layer.

Ultimately, I’d personally reserve doubt that these files are actually infected because it’s the nature of Wine as a project to be confusing to Antivirus software, combined with the fact that those snaps are very commonly used in hundreds of other snaps that use it as a dependency.

We can see that wine-platform-5-stable was last updated:

* 24 September 2021 - latest/stable
* 24 September 2021 - latest/edge

So perhaps knowing that this is the same code as hundreds of thousands of other people have been running for 3 years already helps.

The best thing to do would be to report them as false positives to the AV vendor, but this might not get very far because outside of situations like ClamAV being used (more so on servers), not many Linux users have antiviruses running to make false positives with, so it’s probably a low priority. Ultimately, Wine 5 is now nearly half a decade old and I don’t imagine the platform is likely to suddenly get any investment on it to fight false positive heuristics.
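One way to confirm that the flagged file is the same bits every other user of that snap revision has (the point made above), as an added shell example that is not part of this thread; it assumes a store-installed snap mounted under /snap/<name>/current and that `snap download` and `unsquashfs` are available.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Assumes a store-installed snap
# under /snap/<name>/current plus the `snap download` and `unsquashfs` tools.
set -u

# Print "<sha256>  <path>" for every file called NAME below ROOT.
# The original post did not recall the path, so search instead of guessing.
hash_files() {
    find "$1" -type f -name "$2" -exec sha256sum {} \; 2>/dev/null
}

# Return 0 when at least one NAME exists under INSTALLED and every copy's
# hash also occurs among the copies under PRISTINE; otherwise return 1.
# A match with the store's squashfs means the AV hit is on upstream bits,
# not on something altered locally.
hashes_match_pristine() {
    installed=$1; pristine=$2; name=$3
    inst=$(hash_files "$installed" "$name" | awk '{print $1}' | sort -u)
    good=$(hash_files "$pristine" "$name" | awk '{print $1}' | sort -u)
    [ -n "$inst" ] || return 1
    for h in $inst; do
        echo "$good" | grep -qx "$h" || return 1
    done
    return 0
}

# Fetch the same revision from the store and unpack it, so the comparison
# is against a copy nobody on this machine could have modified.
fetch_pristine() {
    snapname=$1; rev=$2; dest=$3
    snap download "$snapname" --revision="$rev" --target-directory="$dest" >/dev/null
    unsquashfs -q -d "$dest/tree" "$dest"/*.snap >/dev/null
}

# Names taken from the original post: snap name and flagged file name.
triage() {
    snapname=$1; name=$2
    rev=$(readlink /snap/"$snapname"/current)   # store revision number
    work=$(mktemp -d)
    fetch_pristine "$snapname" "$rev" "$work"
    if hashes_match_pristine /snap/"$snapname"/current "$work/tree" "$name"; then
        echo "$name in $snapname r$rev matches the store copy: report as a false positive"
    else
        echo "$name differs from the store copy or was not found: investigate further"
    fi
}
# triage wine-platform-5-stable icacls.exe
```

Locally sideloaded snaps have revisions like x1 that the store cannot serve, so this check only applies to revisions installed from the store.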

Hi,

Thank you so much for the comprehensive and well-structured response. I’ll follow your advice and report the file as a false positive to the antivirus vendor, although, as you mentioned, it might not lead to immediate results. In the meantime, I’ll keep the file isolated for extra safety and consider whether it makes sense to continue using this version of Wine or look for more up-to-date alternatives.

Thanks again for the clarification and for taking the time to explain this in such detail! If I have further questions in the future, I now know where to turn. :blush:

Have a great day and happy holidays!