From: Ross Reedstrom
Date: Wed, 6 Mar 2024 11:27:54 -0600
Subject: Re: ODBC MSI flagged as 'suspicious'
To: Jon Raiford
Cc: "Rice, Daniel", "Wal, Jan Tjalling van der", "pgsql-odbc@postgresql.org", Dave Cramer

I'm betting the audit software gives installations a "pass" if the msi
package is signed. Since the postgresql one is not, all the other
"suspicious behavior" filters (using crypto, creating folders with
restricted permissions, etc.) are flagging up. So, I think I'd try to take
the tack with our security team that you verified the source of the package
(a postgresql team controlled website with proper cert), and all the other
activities are the expected behavior of an install of a database
connector/communication software.

Ross

On Tue, Mar 5, 2024 at 1:09 PM Jon Raiford wrote:

> Considering this report would likely look the same for all install kits,
> especially for ODBC drivers, this request of yours seems overly vague.
> Surely you aren’t asking why an install kit is creating a directory or
> creating files. I think it would be more prudent for your IT team to
> identify the things they are actually concerned with rather than submitting
> reports that are full of obvious non-issues.
>
> For instance, it may be perfectly reasonable to ask what exact version of
> libcrypto is being used so that they can check for known exploits in that
> version rather than expect someone on the PostgreSQL team to respond to a
> generic “suspicious” item in a report that cryptography is being used.
> Hopefully it is obvious that encrypting data streams is important for
> database connections.
>
> Note that this is my personal opinion and not from the PostgreSQL Team,
> which I am not part of.
>
> Jon
>
> *From:* Rice, Daniel
> *Date:* Tuesday, March 5, 2024 at 7:19 AM
> *To:* Wal, Jan Tjalling van der, pgsql-odbc@postgresql.org, Dave Cramer
> *Subject:* RE: ODBC MSI flagged as 'suspicious'
>
> Many thanks Jan for your reply (and to Dave on another thread regarding CA
> signing).
>
> Indeed my company’s security team is looking at the install process at the
> moment.
>
> They are happy regarding not having a CA certificate (not present as
> confirmed by Dave).
>
> They are also happy regarding your feedback Jan regarding the point in the
> Dynamic Analysis report, thx.
>
> However, they ask if you or someone can kindly review the other points in
> the attached, and also the following link.
>
> Free Automated Malware Analysis Service - powered by Falcon Sandbox -
> Viewing online file analysis results for 'psqlodbc_x64.msi'
> (hybrid-analysis.com)
>
> To close the topic, they are looking for explicit validation covering all
> points in the report, i.e. that all points are expected.
>
> Many thanks for your patience,
>
> Dan.
>
> FIS Global.
>
> *From:* Wal, Jan Tjalling van der
> *Sent:* Monday, March 4, 2024 4:13 PM
> *To:* Rice, Daniel
> *Subject:* RE: ODBC MSI flagged as 'suspicious'
>
> Hi Daniel,
>
> I’m not sure why you are asking this.
>
> The main culprit in the report: Dynamic Analysis, appears to be msiexec,
> the Windows installer.
>
> That does things like place information in the registry so the PostgreSQL
> ODBC driver gets installed and will automatically activate on a reboot
> etc.
> It also cleans up after itself.
>
> So based on my personal interpretation the installer is doing exactly what
> it is supposed to do.
>
> I would expect any other Windows programme being installed will have very
> similar results.
>
> The analysis as presented does not say anything about the behaviour of the
> PostgreSQL ODBC driver once installed.
>
> Kind regards, *Jan Tjalling van der Wal*
>
> Wageningen Marine Research (WMR) / formerly IMARES Institute for Marine
> Resources & Ecosystem Studies
>
> Ankerpark 27, 1781 AG Den Helder Postbus 57, 1780 AB Den Helder
>
> Tel. +31 (0)317-4 87147 # GSM. +31 (0)626120915 (privé) #
>
> # Ma+Di Vr 09:00-18:00, Wo XX, Do+Vr 09:00-18:00
>
> Jan_Tjalling.vanderWal@wur.nl
>
> *From:* Rice, Daniel
> *Sent:* Monday, March 4, 2024 4:27 PM
> *To:* pgsql-odbc@postgresql.org
> *Subject:* RE: ODBC MSI flagged as 'suspicious'
>
> Hi again,
>
> I’m told I have until Thurs to obtain a confirmation from PostgreSQL that
> the detections in the attached and following reports can be safely ignored.
>
> Otherwise my company closes my ticket and I will not be allowed to use the
> PostgreSQL ODBC driver ☹.
>
> Attached the analysis from CrowdStrike.
>
> Link to Hybrid analysis: Free Automated Malware Analysis Service -
> powered by Falcon Sandbox - Viewing online file analysis results for
> 'psqlodbc_x64.msi' (hybrid-analysis.com)
>
> Any help very much appreciated, thx.
>
> Dan.
>
> FIS Global.
>
> *From:* Rice, Daniel
> *Sent:* Thursday, February 29, 2024 2:27 PM
> *To:* pgsql-odbc@postgresql.org
> *Subject:* RE: ODBC MSI flagged as 'suspicious'
>
> Hi all,
>
> Is it possible to confirm detections in those reports can be safely
> ignored?
>
> pgsql-security explained this is more of a packaging matter – please let
> me know if I should address to a different group.
>
> Many thanks in advance,
>
> Dan.
>
> *From:* Rice, Daniel
> *Sent:* Tuesday, February 27, 2024 9:57 AM
> *To:* pgsql-odbc@postgresql.org
> *Subject:* FW: ODBC MSI flagged as 'suspicious'
>
> Hi all,
>
> I want to use the PostgreSQL ODBC driver from psqlodbc - PostgreSQL ODBC
> driver, but my organisation's security team explain to me the msi package
> (specifically *psqlodbc_16_00_0000-x64.zip*) is problematic for them as
> it's not signed by Trusted CA and it's flagged as Suspicious during sandbox
> analysis by Falcon & Hybrid Analysis.
>
> They ask if the detections in those reports can be safely ignored?
>
> Attached the analysis from CrowdStrike.
>
> Link to Hybrid analysis: Free Automated Malware Analysis Service -
> powered by Falcon Sandbox - Viewing online file analysis results for
> 'psqlodbc_x64.msi' (hybrid-analysis.com)
>
> Many thanks in advance,
>
> *Daniel Rice*
>
> Exchange Project Management Lead - London, Americas
>
> Documentation Product Owner
>
> Valdi Global Markets
>
> *T:* +44 20 8081 3670
>
> *M:* +44 7802 490 388
>
> *E:* daniel.rice@fisglobal.com
>
> *FIS | Empowering the Financial World*
>
> CONFIDENTIALITY: This e-mail (including any attachments) may contain
> confidential, proprietary and privileged information, and unauthorized
> disclosure or use is prohibited. If you receive this e-mail in error,
> please notify the sender and delete this e-mail from your system.
>
> *Think before you print*
>
> The information contained in this message is proprietary and/or
> confidential. If you are not the intended recipient, please: (i) delete the
> message and all copies; (ii) do not disclose, distribute, or use the
> message in any manner; and (iii) notify the sender immediately. In
> addition, please be aware that any message addressed to our domain is
> subject to archiving and review by persons other than the intended
> recipient. Fidelity National Information Services, Inc., an NYSE listed
> trading Company with the ticker symbol FIS. FIS is a trading name of the
> following companies: Alphakinetic Limited (No: 06897969) | FIS Derivatives
> Utility Services (UK) Limited (No: 9398140) | FIS Energy Solutions Limited
> (No: 1889028) | FIS Global Execution Services Limited (No. 3127109) | FIS
> Capital Markets UK Limited (No: 982833) | Metavante Technologies Limited
> (No: 2659326) | Virtus Partners Limited (No: 06602363) | all registered in
> England & Wales with their registered office: C/O F I S Corporate
> Governance, The Walbrook Building, 25 Walbrook, London, EC4N 8AF | FIS
> Global Execution Services Limited is authorised and regulated by the
> Financial Conduct Authority | FIS Banking Solutions UK Limited (No:
> 3517639) and FIS Payments (UK) Limited (No: 4215488) are registered in
> England & Wales with their registered office at 1st Floor Tricorn House,
> 51-53 Hagley Road, Edgbaston, Birmingham, West Midlands, B16 8TU, United
> Kingdom | FIS Payments (UK) Limited is authorised and regulated by the
> Financial Conduct Authority; some services are covered by the Financial
> Ombudsman Service (in the UK). Torstone Technology Limited (No: 07490275)
> and Percentile Limited (No: 08867031) are registered in England & Wales
> with their registered office at 8 Lloyd's Avenue, London, England, EC3N 3EL
> | Calls to and from the companies may be recorded for quality purposes. |
> All of the above-named companies are ultimately owned by FIS. All of the
> below-named companies are indirectly minority owned by FIS. Worldpay (UK)
> Limited (No: 07316500 / FCA No: 530923 and 712965) | Worldpay Limited (No:
> 03424752 / FCA No: 504504) | Worldpay AP Limited (No: 05593466 / FCA No:
> 502597) all registered in England & Wales with their registered office: The
> Walbrook Building, 25 Walbrook, London, EC4N 8AF. The WorldPay entities are
> authorised by the Financial Conduct Authority under the Payment Service
> Regulations 2017 for the provision of payment services. | Worldpay (UK)
> Limited is authorised and regulated by the Financial Conduct Authority for
> consumer credit activities | Worldpay B.V. has its registered office in
> Amsterdam, the Netherlands (Handelsregister KvK No: 60494344). WPBV holds a
> licence from and is included in the register kept by De Nederlandsche Bank,
> which registration can be consulted through www.dnb.nl.
> Message Encrypted via TLS connection