Install-ChocolateyZipPackage might contribute to VirusTotal false positive about choco HOT 2 CLOSED

I'm unclear on what the issue is.

The files that are in your package are uploaded directly to VirusTotal. Install-ChocolateyZipPackage hasn't done anything to the Zip files that are in the package (or their hashes would have changed) so I'm unsure how this comes in to play to ensure that your files are receiving AV detections.

And I also understand Choco doesn't handle how anti-virus scanners work.

I'm unclear what you mean here. Can you elaborate?

from choco.

Hi @pauby,

I'm new to the process of uploading packages into Chocolatey, so I apologize if I wasn't clear enough. This issue is mostly a question about what things a maintainer can do to avoid false positives.

As I mentioned, I've submitted a package, a zip file that contains a .exe file, and VirusTotal is reporting a warning for a potential vulnerability (trojan.Malware.300983.susgen).
In order to analyze and mitigate the warning, I went ahead and uploaded the zip files and NuGet package to VirusTotal, and no vulnerabilities were detected, as you can see here:

• VirusTotal Report Windows x64
• VirusTotal Report Windows x86
• VirusTotal Report Choco NuGet pkg

As no vulns were detected, I dug deeper into the VirusTotal report provided in the Chocolatey package dashboard, and I noticed this particular one:

Matches rule Password Protected Compressed File Extraction Via 7Zip by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.

Considering all files don't throw any vulns independently, is it possible that this MEDIUM vuln is caused by Install-ChocolateyZipPackage and the way 7Zip utilities are being used underline? Is there any recommendation to mitigate false positives that can be done on the Choco scripts side?

from choco.