At the beginning of 2016, a service that would later become known as the Package Scanner Moderation Service was added to the Chocolatey arsenal. When a package was submitted to the Chocolatey Community Repository, all the files included within that package, or downloaded as part of its installation, were submitted to VirusTotal for scanning. Once the scan completed, the details of any detections were shown on the package page. See the Google Chrome package page as an example:

Virus scan results being shown on community.chocolatey.org

On top of this, if you are using a licensed version of Chocolatey, these results are respected: any package that contains a file with more than a configurable number of detections will not be allowed to install. All in all, this is a great security feature.

When this service was introduced to the Chocolatey Community Repository, it was the responsibility of our team of package Moderators to check the results returned from VirusTotal prior to approving a package. As of 27th April 2021, the Package Scanner Moderation Service has been fully integrated into the overall Package Moderation Service. As a result, any package submitted to the Chocolatey Community Repository must now have completed its VirusTotal scan before being marked as approved on the site. This increases the overall security of all packages, which is something we take very seriously at Chocolatey.

Going forward, the Package Scanner Moderation Service will automatically flag all packages using the following criteria:

  • Not Flagged
    • There were no detections found on any of the files within, or downloaded by, the package
  • Flagged - Note: At least one file within this package has greater than 0 detections, but less than, or equal to, 5
    • At least one file within, or downloaded by, the package had between 1 and 5 detections associated with it. Given the nature of false positives within virus scanners, this package is likely very safe to install. As such, a package that falls into this category will be automatically approved, if it is a trusted package.
  • Flagged - Warning: At least one file within this package has between 6 and 10 detections
    • At least one file within, or downloaded by, the package had between 6 and 10 detections. You should take extra steps to ensure that it is safe for you to install. Any package that falls into this category will need to be moderated by a human Moderator.
  • Flagged - Error: At least one file within this package has greater than 10 detections
    • At least one file within, or downloaded by, the package had greater than 10 detections. This is a high number of detections, and you should take extra precautions to ensure that this is safe for you to install. Any package that falls into this category will immediately be sent back to the Package Maintainer to investigate what is going on with the package.
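The flag criteria above, and the licensed-client threshold rule mentioned earlier, modelled as an added example; this is illustrative code, not Chocolatey's own implementation, and the names ScannedFile, Package, classify, moderation_action, install_allowed and the max_allowed_detections parameter are assumptions. The routing for packages with no scan-based action is also an assumption, since the post only states the consequences for Note, Warning and Error.

```python
from dataclasses import dataclass
from enum import Enum

class ScanFlag(Enum):
    NOT_FLAGGED = "Not Flagged"
    NOTE = "Flagged - Note"        # worst file has 1..5 detections
    WARNING = "Flagged - Warning"  # worst file has 6..10 detections
    ERROR = "Flagged - Error"      # worst file has more than 10 detections

@dataclass
class ScannedFile:
    name: str
    detections: int  # VirusTotal engines that flagged this file

@dataclass
class Package:
    files: list          # files inside the package plus files downloaded during install
    trusted: bool = False

def max_detections(pkg: Package) -> int:
    # The flag follows the worst single file, not the sum across files.
    return max((f.detections for f in pkg.files), default=0)

def classify(pkg: Package) -> ScanFlag:
    n = max_detections(pkg)
    if n == 0:
        return ScanFlag.NOT_FLAGGED
    if n <= 5:
        return ScanFlag.NOTE
    if n <= 10:
        return ScanFlag.WARNING
    return ScanFlag.ERROR

def moderation_action(pkg: Package) -> str:
    # Routing consequence of each flag as stated in the post; the final branch is assumed.
    flag = classify(pkg)
    if flag is ScanFlag.ERROR:
        return "return to maintainer"
    if flag is ScanFlag.WARNING:
        return "human moderation required"
    if flag is ScanFlag.NOTE and pkg.trusted:
        return "auto-approve"
    return "no scan-based action"

def install_allowed(pkg: Package, max_allowed_detections: int) -> bool:
    # Licensed-client rule: a file with more detections than the configured limit blocks install.
    return max_detections(pkg) <= max_allowed_detections

# Constructed sample: a clean nupkg but a downloaded installer with 7 detections.
SAMPLE = Package([ScannedFile("tool.nupkg", 0), ScannedFile("setup.exe", 7)])
```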

The introduction of these additional flagged statuses, i.e. Note, Warning and Error, means that any package submitted to the Chocolatey Community Repository before 27th April 2021 will not have this flag. As such, an additional warning is shown on the package page. The details of the virus scan results can still be viewed; it is just that the overall marking of the package will not provide this indication.

If you have any questions or concerns about these changes, then please reach out on our Chocolatey Gitter room or through the Chocolatey Google Group.
