Clamscan: Infected files found in Pinta

Question

I'm currently performing a full system scan with clamscan and found the following message:

/usr/lib/pinta/Clipper.dll: Win.Trojan.Clipper-9942182-0 FOUND

I went online and couldn't find any reference to this type of detection, so I'm starting to believe this is an actual virus and not some random false positive.

Can anyone give me advice on this?

A simple search for "Win.Trojan.Clipper" returns many results. What is not clear or what was missing there? — mentallurg, Apr 30 '22 at 11:54
Does the "Win" mean it's only harmfull to Windows? I'm on a Linux system. — import numpy as np, Apr 30 '22 at 11:59

Arminius · Accepted Answer · 2022-05-15T07:46:44.603

Does the "Win" mean it's only harmfull to Windows? I'm on a Linux system.

No. You probably know DLLs as a Windows-specific concept, but they may run on other OSes too: Pinta is built on top of Microsoft's .NET framework which offers cross-platform support. When you run Pinta on Linux, you're executing a .NET runtime for Linux that enables you to handle those DLLs even though they're not native.

Can anyone give me advice on this?

When dealing with an unknown file on your system, a good start is to try to find out where it comes from and what it's supposed to do. So let's check the Pinta source code.

From Pinta.Core/Pinta.Core.csproj:

<Project Sdk="Microsoft.NET.Sdk">
  ...
  <ItemGroup>
    ...
    <PackageReference Include="ParagonClipper" Version="6.4.2" />
  </ItemGroup>
  ...
</Project>

This PackageReference lists "ParagonClipper" as a dependency. When you download version 6.4.2 of the package from here, you should find that it includes a Clipper.dll identical to the one on your system.

So this appears to be a .NET port of Clipper which "performs clipping and offsetting for both lines and polygons" - i.e. a library used by Pinta for clipping in the computer graphics sense, and not related to the system clipboard as the Trojan.Clipper finding suggest. Also note that 6.4.2 is listed as the latest release since 2018, and a scan report on VirusTotal ~~shows that ClamAV appears to be the only vendor that detects it as malicious~~. Update: The file now scans as unsuspicious by ClamAV as well.)

So, on the surface this may be a legitimate library that Pinta has required for years. But of course this is all circumstantial. And the usual caveats apply, such as not to analyze a potentially infected system from within itself.

Thank you for your answer! However, I have a question. If one shouldn't proceed as said in you last phrase, then how should one scan it's computer? — import numpy as np, May 03 '22 at 15:07
@importnumpyasnp In your scenario your system may already be compromised. If so, you couldn't trust it to report accurate scan results. So you'd want to use a separate, safe environment in order to scan (a snapshot of) the potentially infected FS, e.g. boot a live OS with clamscan from a USB stick. But ofc - whether sophisticated scan-evading malware is a realistic attack scenario or overly paranoid - that's up to your own judgement. — Arminius, May 03 '22 at 23:16

Clamscan: Infected files found in Pinta

1 Answers1