Re: ODBC MSI flagged as 'suspicious' - Mailing list pgsql-odbc

From Ross Reedstrom
Subject Re: ODBC MSI flagged as 'suspicious'
Date
Msg-id CADbuhvWcqrfrBXuiUZKddhBsuONam-jN1EfSb3bBp90v_PkkUw@mail.gmail.com
In response to Re: ODBC MSI flagged as 'suspicious'  (Jon Raiford <raiford@labware.com>)
Responses RE: ODBC MSI flagged as 'suspicious'  ("Rice, Daniel" <Daniel.Rice@fisglobal.com>)
List pgsql-odbc
I'm betting the audit software gives installations a "pass" if the msi package is signed. Since the postgresql one is not, all the other "suspicious behavior" filters (using crypto, creating folders with restricted permissions, etc.) are flagging up. So, I think I'd try to take the tack with our security team that you verified the source of the package (a postgresql team controlled website with proper cert), and all the other activities are the expected behavior of an install of a database connector/communication software.
Ross


On Tue, Mar 5, 2024 at 1:09 PM Jon Raiford <raiford@labware.com> wrote:

Considering this report would likely look the same for all install kits, especially for ODBC drivers, this request of yours seems overly vague. Surely you aren’t asking why an install kit is creating a directory or creating files. I think it would be more prudent for your IT team to identify the things they are actually concerned with rather than submitting reports that are full of obvious non-issues.

 

For instance, it may be perfectly reasonable to ask what exact version of libcrypto is being used so that they can check for known exploits in that version rather than expect someone on the PostgreSQL team to respond to a generic “suspicious” item in a report that cryptography is being used. Hopefully it is obvious that encrypting data streams is important for database connections.

 

Note that this is my personal opinion and not from the PostgreSQL Team, which I am not part of.

 

Jon

 

From: Rice, Daniel <Daniel.Rice@fisglobal.com>
Date: Tuesday, March 5, 2024 at 7:19 AM
To: Wal, Jan Tjalling van der <jan_tjalling.vanderwal@wur.nl>, pgsql-odbc@postgresql.org <pgsql-odbc@postgresql.org>, Dave Cramer <davecramer@postgres.rocks>
Subject: RE: ODBC MSI flagged as 'suspicious'

Many thanks Jan for your reply (and to Dave on another thread regarding CA signing).

Indeed my company’s security team is looking at the install process at the moment.

They are happy regarding not having a CA certificate (not present as confirmed by Dave).

They are also happy regarding your feedback Jan regarding the point in the Dynamic Analysis report, thx.

 

However, they ask if you or someone can kindly review the other points in the attached, and also the following link.

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'psqlodbc_x64.msi' (hybrid-analysis.com)

To close the topic, they are looking for explicit validation covering all points in the report, i.e. that all points are expected.

 

Many thanks for your patience,

Dan.

FIS Global.

 

From: Wal, Jan Tjalling van der <jan_tjalling.vanderwal@wur.nl>
Sent: Monday, March 4, 2024 4:13 PM
To: Rice, Daniel <Daniel.Rice@fisglobal.com>
Subject: RE: ODBC MSI flagged as 'suspicious'

 

Hi Daniel,

 

I’m not sure why you are asking this.

The main culprit in the report: Dynamic Analysis, appears to be msiexec, the windows installer.

That does things like place information in the registry so the PostgreSQL ODBC driver gets installed and will automatically activate on a reboot etc.
It also cleans-up after itself.

So based on my personal interpretation the installer is doing exactly what it is supposed to do.

 

I would expect any other windows programme being installed will have very similar results.

 

The analysis as presented does not say anything about the behaviour of the PostgreSQL ODBC driver once installed.

 

Kind regards,

Jan Tjalling van der Wal

Wageningen Marine Research (WMR) / formerly IMARES Institute for Marine Resources & Ecosystem Studies

Ankerpark 27, 1781 AG Den Helder / Postbus 57, 1780 AB Den Helder

Tel. +31 (0)317-4 87147 # / GSM. +31 (0)626120915 (privé) #

# Ma+Di Vr 09:00-18:00, Wo XX, Do+Vr 09:00-18:00

Jan_Tjalling.vanderWal@wur.nl

From: Rice, Daniel <Daniel.Rice@fisglobal.com>
Sent: Monday, March 4, 2024 4:27 PM
To: pgsql-odbc@postgresql.org
Subject: RE: ODBC MSI flagged as 'suspicious'

 

Hi again,

 

I’m told I have until Thurs to obtain a confirmation from PostgreSQL that the detections in the attached and following reports can be safely ignored.

Otherwise my company closes my ticket and I will not be allowed to use the PostgreSQL ODBC driver.

 

Attached the analysis from CrowdStrike.

Link to Hybrid analysis: Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'psqlodbc_x64.msi' (hybrid-analysis.com)

 

Any help very much appreciated, thx.

 

Dan.

FIS Global.

 

From: Rice, Daniel
Sent: Thursday, February 29, 2024 2:27 PM
To: pgsql-odbc@postgresql.org
Subject: RE: ODBC MSI flagged as 'suspicious'

 

Hi all,

 

Is it possible to confirm detections in those reports can be safely ignored?

pgsql-security explained this is more of a packaging matter – please let me know if I should address to a different group.

 

Many thanks in advance,

Dan.

 

From: Rice, Daniel
Sent: Tuesday, February 27, 2024 9:57 AM
To: pgsql-odbc@postgresql.org
Subject: FW: ODBC MSI flagged as 'suspicious'

 

Hi all,

 

I want to use the PostgreSQL ODBC driver from psqlodbc - PostgreSQL ODBC driver, but my organisation's security team explain to me the msi package (specifically psqlodbc_16_00_0000-x64.zip) is problematic for them as it's not signed by a Trusted CA and it's flagged as Suspicious during sandbox analysis by Falcon & Hybrid Analysis.

 

They ask if the detections in those reports can be safely ignored?

 

Attached the analysis from CrowdStrike.

Link to Hybrid analysis: Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'psqlodbc_x64.msi' (hybrid-analysis.com)

 

Many thanks in advance,

Daniel Rice

Exchange Project Management Lead - London, Americas

Documentation Product Owner

Valdi Global Markets

T: +44 20 8081 3670

M: +44 7802 490 388

E: daniel.rice@fisglobal.com

FIS | Empowering the Financial World 

 

CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited.  If you receive this e-mail in error, please notify the sender and delete this e-mail from your system.

 


 

 

The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute, or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Fidelity National Information Services, Inc., an NYSE listed trading Company with the ticker symbol FIS. FIS is a trading name of the following companies: Alphakinetic Limited (No: 06897969) | FIS Derivatives Utility Services (UK) Limited (No: 9398140) | FIS Energy Solutions Limited (No: 1889028) | FIS Global Execution Services Limited (No. 3127109) | FIS Capital Markets UK Limited (No: 982833) | Metavante Technologies Limited (No: 2659326) | Virtus Partners Limited (No: 06602363) | all registered in England & Wales with their registered office: C/O F I S Corporate Governance, The Walbrook Building, 25 Walbrook, London, EC4N 8AF | FIS Global Execution Services Limited is authorised and regulated by the Financial Conduct Authority | FIS Banking Solutions UK Limited (No: 3517639) and FIS Payments (UK) Limited (No: 4215488) are registered in England & Wales with their registered office at 1st Floor Tricorn House, 51-53 Hagley Road, Edgbaston, Birmingham, West Midlands, B16 8TU, United Kingdom | FIS Payments (UK) Limited is authorised and regulated by the Financial Conduct Authority; some services are covered by the Financial Ombudsman Service (in the UK). Torstone Technology Limited (No: 07490275) and Percentile Limited (No: 08867031) are registered in England & Wales with their registered office at 8 Lloyd's Avenue, London, England, EC3N 3EL | Calls to and from the companies may be recorded for quality purposes. | All of the above-named companies are ultimately owned by FIS. All of the below-named companies are indirectly minority owned by FIS. 
Worldpay (UK) Limited (No: 07316500 / FCA No: 530923 and 712965) | Worldpay Limited (No: 03424752 / FCA No: 504504) | Worldpay AP Limited (No: 05593466 / FCA No: 502597) all registered in England & Wales with their registered office: The Walbrook Building, 25 Walbrook, London, EC4N 8AF. The WorldPay entities are authorised by the Financial Conduct Authority under the Payment Service Regulations 2017 for the provision of payment services. | Worldpay (UK) Limited is authorised and regulated by the Financial Conduct Authority for consumer credit activities | Worldpay B.V. has its registered office in Amsterdam, the Netherlands (Handelsregister KvK No: 60494344). WPBV holds a licence from and is included in the register kept by De Nederlandsche Bank, which registration can be consulted through www.dnb.nl. Message Encrypted via TLS connection
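Ross's suggestion above amounts to two checks a security team can actually act on: whether the MSI carries an Authenticode signature at all, and whether the file you downloaded matches what the project published. The following PowerShell, an added example that is not part of the thread or of the psqlodbc project, performs both and returns a structured verdict; `$ExpectedSha256` is a placeholder to be taken from the project's download page, and the file name only mirrors the one in the reports.

```powershell
# Added example (not from the thread or the psqlodbc project).
# Triage an installer the way the thread describes: report Authenticode
# status, and confirm the download against a hash published by the vendor.
function Test-MsiProvenance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: copy the real value from the project's download page.
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Status is one of NotSigned, Valid, UnknownError, HashMismatch, ...
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = ($hash -ieq $ExpectedSha256)

    # Decide what the evidence supports; an unsigned package is acceptable
    # only when its integrity is confirmed by an out-of-band hash.
    $verdict = switch ($true) {
        ($sig.Status -eq 'Valid' -and $hashOk) { 'signed and matches published hash'; break }
        ($sig.Status -eq 'Valid')              { 'signed, but published hash does not match'; break }
        ($sig.Status -eq 'NotSigned' -and $hashOk) {
            'unsigned; integrity confirmed against published hash'; break
        }
        default { 'do not install: unsigned or tampered, hash not confirmed' }
    }

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = $hash
        HashMatches     = $hashOk
        Verdict         = $verdict
    }
}

# Usage (file name mirrors the one in the sandbox reports; hash is a placeholder):
# Test-MsiProvenance -Path .\psqlodbc_x64.msi -ExpectedSha256 '<SHA256 from download page>'
```

For an unsigned package the useful record for the ticket is the `Verdict` plus the `Sha256` value and the HTTPS source it was fetched from, which is the evidence Ross proposes presenting to the security team.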
