Re: ODBC MSI flagged as 'suspicious'

From: Ross Reedstrom <reedstrm(at)rice(dot)edu>
To: Jon Raiford <raiford(at)labware(dot)com>
Cc: "Rice, Daniel" <Daniel(dot)Rice(at)fisglobal(dot)com>, "Wal, Jan Tjalling van der" <jan_tjalling(dot)vanderwal(at)wur(dot)nl>, "pgsql-odbc(at)postgresql(dot)org" <pgsql-odbc(at)postgresql(dot)org>, Dave Cramer <davecramer(at)postgres(dot)rocks>
Subject: Re: ODBC MSI flagged as 'suspicious'
Date: 2024-03-06 17:27:54
Message-ID: CADbuhvWcqrfrBXuiUZKddhBsuONam-jN1EfSb3bBp90v_PkkUw@mail.gmail.com
Lists: pgsql-odbc

I'm betting the audit software gives installations a "pass" if the msi
package is signed. Since the postgresql one is not, all the other
"suspicious behavior" filters (using crypto, creating folders with
restricted permissions, etc.) are flagging up. So, I think I'd try to take
the tack with our security team that you verified the source of the package
(a postgresql team controlled website with proper cert), and all the other
activities are the expected behavior of an install of a database
connector/communication software.
Ross

On Tue, Mar 5, 2024 at 1:09 PM Jon Raiford <raiford(at)labware(dot)com> wrote:

> Considering this report would likely look the same for all install kits,
> especially for ODBC drivers, this request of yours seems overly vague.
> Surely you aren’t asking why an install kit is creating a directory or
> creating files. I think it would be more prudent for your IT team to
> identify the things they are actually concerned with rather than submitting
> reports that are full of obvious non-issues.
>
>
>
> For instance, it may be perfectly reasonable to ask what exact version of
> libcrypto is being used so that they can check for known exploits in that
> version rather than expect someone on the PostgreSQL team to respond to a
> generic “suspicious” item in a report that cryptography is being used.
> Hopefully it is obvious that encrypting data streams is important for
> database connections.
>
>
>
> Note that this is my personal opinion and not from the PostgreSQL Team,
> which I am not part of.
>
>
>
> Jon
>
>
>
> From: Rice, Daniel <Daniel(dot)Rice(at)fisglobal(dot)com>
> Date: Tuesday, March 5, 2024 at 7:19 AM
> To: Wal, Jan Tjalling van der <jan_tjalling(dot)vanderwal(at)wur(dot)nl>,
> pgsql-odbc(at)postgresql(dot)org <pgsql-odbc(at)postgresql(dot)org>, Dave Cramer
> <davecramer(at)postgres(dot)rocks>
> Subject: RE: ODBC MSI flagged as 'suspicious'
>
> Many thanks Jan for your reply (and to Dave on another thread regarding CA
> signing).
>
> Indeed my company’s security team is looking at the install process at the
> moment.
>
> They are happy regarding not having a CA certificate (not present as
> confirmed by Dave).
>
> They are also happy regarding your feedback Jan regarding the point in the
> Dynamic Analysis report, thx.
>
>
>
> However, they ask if you or someone can kindly review the other points in
> the attached, and also the following link.
>
> Free Automated Malware Analysis Service - powered by Falcon Sandbox -
> Viewing online file analysis results for 'psqlodbc_x64.msi'
> (hybrid-analysis.com)
> <https://urldefense.com/v3/__https://www.hybrid-analysis.com/sample/a56b6a093fe39ca024e5c819535f608823c568537e24e945711e8c96380cf177?environmentId=160__;!!BuQPrrmRaQ!kkkBslz3BBOoXlfjq7SCJGrgSw2RshR82JkCkGfewKIa-shkRMsnpUkQHfmvQLIY9dD5unNSbZAlgG8SHJWDkcag$>
>
> To close the topic, they are looking for explicit validation covering all
> points in the report, i.e. that all points are expected.
>
>
>
> Many thanks for your patience,
>
> Dan.
>
> FIS Global.
>
>
>
> From: Wal, Jan Tjalling van der <jan_tjalling(dot)vanderwal(at)wur(dot)nl>
> Sent: Monday, March 4, 2024 4:13 PM
> To: Rice, Daniel <Daniel(dot)Rice(at)fisglobal(dot)com>
> Subject: RE: ODBC MSI flagged as 'suspicious'
>
>
>
> Hi Daniel,
>
>
>
> I’m not sure why you are asking this.
>
> The main culprit in the report: Dynamic Analysis, appears to be msiexec,
> the windows installer.
>
> That does things like place information in the registry so the PostgreSQL
> ODBC driver gets installed and will automatically activate on a reboot
> etc.
> It also cleans up after itself.
>
> So based on my personal interpretation the installer is doing exactly what
> it is supposed to do.
>
>
>
> I would expect any other windows programme being installed will have very
> similar results.
>
>
>
> The analysis as presented does not say anything about the behaviour of the
> PostgreSQL ODBC driver once installed.
>
>
>
> Kind regards, Jan Tjalling van der Wal
>
> Wageningen Marine Research (WMR) / formerly IMARES Institute for Marine
> Resources & Ecosystem Studies
>
> Ankerpark 27, 1781 AG Den Helder Postbus 57, 1780 AB Den Helder
>
> Tel. +31 (0)317-4 87147 | Mobile +31 (0)626120915 (private)
>
> Mon+Tue, Fri 09:00-18:00, Wed XX, Thu+Fri 09:00-18:00
>
> Jan_Tjalling(dot)vanderWal(at)wur(dot)nl
>
> From: Rice, Daniel <Daniel(dot)Rice(at)fisglobal(dot)com>
> Sent: Monday, March 4, 2024 4:27 PM
> To: pgsql-odbc(at)postgresql(dot)org
> Subject: RE: ODBC MSI flagged as 'suspicious'
>
>
>
> Hi again,
>
>
>
> I’m told I have until Thurs to obtain a confirmation from PostgreSQL that
> the detections in the attached and following reports can be safely ignored.
>
> Otherwise my company closes my ticket and I will not be allowed to use the
> PostgreSQL ODBC driver ☹.
>
>
>
> Attached the analysis from CrowdStrike.
>
> Link to Hybrid analysis: Free Automated Malware Analysis Service -
> powered by Falcon Sandbox - Viewing online file analysis results for
> 'psqlodbc_x64.msi' (hybrid-analysis.com)
> <https://urldefense.com/v3/__https://www.hybrid-analysis.com/sample/a56b6a093fe39ca024e5c819535f608823c568537e24e945711e8c96380cf177?environmentId=160__;!!BuQPrrmRaQ!kkkBslz3BBOoXlfjq7SCJGrgSw2RshR82JkCkGfewKIa-shkRMsnpUkQHfmvQLIY9dD5unNSbZAlgG8SHJWDkcag$>
>
>
>
> Any help very much appreciated, thx.
>
>
>
> Dan.
>
> FIS Global.
>
>
>
> From: Rice, Daniel
> Sent: Thursday, February 29, 2024 2:27 PM
> To: pgsql-odbc(at)postgresql(dot)org
> Subject: RE: ODBC MSI flagged as 'suspicious'
>
>
>
> Hi all,
>
>
>
> Is it possible to confirm detections in those reports can be safely
> ignored?
>
> pgsql-security explained this is more of a packaging matter – please let
> me know if I should address to a different group.
>
>
>
> Many thanks in advance,
>
> Dan.
>
>
>
> From: Rice, Daniel
> Sent: Tuesday, February 27, 2024 9:57 AM
> To: pgsql-odbc(at)postgresql(dot)org
> Subject: FW: ODBC MSI flagged as 'suspicious'
>
>
>
> Hi all,
>
>
>
> I want to use the PostgreSQL ODBC driver from psqlodbc - PostgreSQL ODBC
> driver
> <https://urldefense.com/v3/__https://odbc.postgresql.org/__;!!BuQPrrmRaQ!kkkBslz3BBOoXlfjq7SCJGrgSw2RshR82JkCkGfewKIa-shkRMsnpUkQHfmvQLIY9dD5unNSbZAlgG8SHBAz5Qzk$>,
> but my organisation's security team explain to me the msi package
> (specifically psqlodbc_16_00_0000-x64.zip
> <https://urldefense.com/v3/__https://ftp.postgresql.org/pub/odbc/versions/msi/psqlodbc_16_00_0000-x64.zip__;!!BuQPrrmRaQ!kkkBslz3BBOoXlfjq7SCJGrgSw2RshR82JkCkGfewKIa-shkRMsnpUkQHfmvQLIY9dD5unNSbZAlgG8SHDaiGvq_$>)
> is problematic for them as it's not signed by a Trusted CA and it's flagged
> as Suspicious during sandbox analysis by Falcon & Hybrid Analysis.
>
>
>
> They ask if the detections in those reports can be safely ignored?
>
>
>
> Attached the analysis from CrowdStrike.
>
> Link to Hybrid analysis: Free Automated Malware Analysis Service -
> powered by Falcon Sandbox - Viewing online file analysis results for
> 'psqlodbc_x64.msi' (hybrid-analysis.com)
> <https://urldefense.com/v3/__https://www.hybrid-analysis.com/sample/a56b6a093fe39ca024e5c819535f608823c568537e24e945711e8c96380cf177?environmentId=160__;!!BuQPrrmRaQ!kkkBslz3BBOoXlfjq7SCJGrgSw2RshR82JkCkGfewKIa-shkRMsnpUkQHfmvQLIY9dD5unNSbZAlgG8SHJWDkcag$>
>
>
>
> Many thanks in advance,
>
> Daniel Rice
>
> Exchange Project Management Lead - London, Americas
>
> Documentation Product Owner
>
> Valdi Global Markets
>
> T: +44 20 8081 3670
>
> M: +44 7802 490 388
>
> E: daniel(dot)rice(at)fisglobal(dot)com
>
>
>
>
> CONFIDENTIALITY: This e-mail (including any attachments) may contain
> confidential, proprietary and privileged information, and unauthorized
> disclosure or use is prohibited. If you receive this e-mail in error,
> please notify the sender and delete this e-mail from your system.
>
> The information contained in this message is proprietary and/or
> confidential. If you are not the intended recipient, please: (i) delete the
> message and all copies; (ii) do not disclose, distribute, or use the
> message in any manner; and (iii) notify the sender immediately. In
> addition, please be aware that any message addressed to our domain is
> subject to archiving and review by persons other than the intended
> recipient. Fidelity National Information Services, Inc., an NYSE listed
> trading Company with the ticker symbol FIS. FIS is a trading name of the
> following companies: Alphakinetic Limited (No: 06897969) | FIS Derivatives
> Utility Services (UK) Limited (No: 9398140) | FIS Energy Solutions Limited
> (No: 1889028) | FIS Global Execution Services Limited (No. 3127109) | FIS
> Capital Markets UK Limited (No: 982833) | Metavante Technologies Limited
> (No: 2659326) | Virtus Partners Limited (No: 06602363) | all registered in
> England & Wales with their registered office: C/O F I S Corporate
> Governance, The Walbrook Building, 25 Walbrook, London, EC4N 8AF | FIS
> Global Execution Services Limited is authorised and regulated by the
> Financial Conduct Authority | FIS Banking Solutions UK Limited (No:
> 3517639) and FIS Payments (UK) Limited (No: 4215488) are registered in
> England & Wales with their registered office at 1st Floor Tricorn House,
> 51-53 Hagley Road, Edgbaston, Birmingham, West Midlands, B16 8TU, United
> Kingdom | FIS Payments (UK) Limited is authorised and regulated by the
> Financial Conduct Authority; some services are covered by the Financial
> Ombudsman Service (in the UK). Torstone Technology Limited (No: 07490275)
> and Percentile Limited (No: 08867031) are registered in England & Wales
> with their registered office at 8 Lloyd's Avenue, London, England, EC3N 3EL
> | Calls to and from the companies may be recorded for quality purposes. |
> All of the above-named companies are ultimately owned by FIS. All of the
> below-named companies are indirectly minority owned by FIS. Worldpay (UK)
> Limited (No: 07316500 / FCA No: 530923 and 712965) | Worldpay Limited (No:
> 03424752 / FCA No: 504504) | Worldpay AP Limited (No: 05593466 / FCA No:
> 502597) all registered in England & Wales with their registered office: The
> Walbrook Building, 25 Walbrook, London, EC4N 8AF. The WorldPay entities are
> authorised by the Financial Conduct Authority under the Payment Service
> Regulations 2017 for the provision of payment services. | Worldpay (UK)
> Limited is authorised and regulated by the Financial Conduct Authority for
> consumer credit activities | Worldpay B.V. has its registered office in
> Amsterdam, the Netherlands (Handelsregister KvK No: 60494344). WPBV holds a
> licence from and is included in the register kept by De Nederlandsche Bank,
> which registration can be consulted through www.dnb.nl
> <https://urldefense.com/v3/__http://www.dnb.nl/__;!!BuQPrrmRaQ!kkkBslz3BBOoXlfjq7SCJGrgSw2RshR82JkCkGfewKIa-shkRMsnpUkQHfmvQLIY9dD5unNSbZAlgG8SHNlPiNBM$>.
> Message Encrypted via TLS connection
>
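Two concrete checks come out of the thread above: Ross's point that the sandbox verdict most likely hinges on the MSI being unsigned, so the source of the package has to be verified some other way, and Jon's point that the security team should ask for the exact libcrypto version rather than treat "uses cryptography" as a finding. The PowerShell script below is an added example written for this page; it is not code from the psqlodbc project or from anyone in the thread. The parameter names and the install directory are assumptions, and the expected SHA-256 has to come from a source independent of the sandbox report (for instance the download page fetched over HTTPS), which is why it is a parameter and not a literal.

```powershell
# Added example, not from the psqlodbc project or the thread.
# Assumptions: $InstallDir is a hypothetical install location; $ExpectedSha256
# is obtained out of band by the operator. Run in an elevated PowerShell on the
# machine where the MSI was downloaded (and, for step 3, installed).
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [string] $ExpectedSha256,
    [string] $InstallDir = "$env:ProgramFiles\psqlODBC"   # assumed path
)

# 1. Authenticode. An unsigned MSI reports Status 'NotSigned'. That is the
#    condition Ross suspects drives the "suspicious" verdict; on its own it
#    says nothing about whether the installer misbehaves.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
"{0}: Authenticode status = {1}" -f $MsiPath, $sig.Status
if ($sig.Status -eq 'Valid') {
    "  signer: {0}" -f $sig.SignerCertificate.Subject
}

# 2. Tie the file you scanned to the file you downloaded. Get-FileHash
#    returns upper-case hex; PowerShell's -ne is case-insensitive anyway.
$hash = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
"  sha256 = $hash"
if ($ExpectedSha256 -and ($hash -ne $ExpectedSha256)) {
    throw "SHA-256 mismatch: downloaded file differs from the expected value"
}

# 3. After installation, record the exact OpenSSL libraries that shipped, so
#    the security team can check them against advisories instead of asking
#    the list to justify "cryptography is being used".
if (Test-Path $InstallDir) {
    Get-ChildItem -Path $InstallDir -Recurse -Filter '*.dll' |
        Where-Object { $_.Name -match 'libcrypto|libssl' } |
        ForEach-Object {
            "  {0}  file version {1}  product {2}" -f $_.Name,
                $_.VersionInfo.FileVersion, $_.VersionInfo.ProductName
        }

    # The driver registration msiexec writes; compare it with the registry
    # activity the sandbox flagged. Wildcard matches any PostgreSQL driver name.
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI\ODBC Drivers' `
        -ErrorAction SilentlyContinue |
        Select-Object -Property *PostgreSQL*
}
```

The output is what to hand to the security team instead of a blanket "please confirm everything": the signature status explains the sandbox score, the hash ties the scanned sample to the download, and the libcrypto file version gives them something they can actually look up.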
