digitalmars.D - 2.095 and antivirus
- Ivan Kazmenko (15/15) Jan 10 2021 Hi,
- H. S. Teoh (8/24) Jan 10 2021 [...]
- Ivan Kazmenko (21/31) Jan 10 2021 OK, but what is the exact process? What I found was a paid /
- kinke (11/14) Jan 12 2021 I've retriggered the analysis; Kaspersky and ZoneAlarm are now
- notna (5/21) Jan 10 2021 MS Defender on my company Win10 laptop blocks 2.095 also :(((
- notna (8/12) Jan 12 2021 to be more precise...
- Anonymouse (5/14) Jan 10 2021 I couldn't even download the installer .exe on my Windows machine
- Guillaume Piolat (2/6) Jan 10 2021 Same, you have to get the file back from Windows Defender.
- Mathias LANG (3/18) Jan 10 2021 That's a different issue:
- Jacob Carlborg (7/10) Jan 12 2021 Perhaps you can check if rdmd is compiled -m32mscof or -m32. If
- Ivan Kazmenko (8/16) Jan 12 2021 Definitely looks like -m32, both 2.094.2 and 2.095.0 versions.
- Imperatorn (8/24) Jan 13 2021 False positive or not, anyone knows if/how we scan for viruses
- solidstate1991 (6/13) Jan 16 2021 That can happen to other dev tools. For me, one antivirus flagged
Hi,

The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in the "rdmd.exe" file in the 7z archive. One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena. The latter is new: detected in the 2.095.0-rc1 version, but not in the 2.094.2 release. One engine detects a threat in some other executables from the archive as well.

Note: when given the whole 7-zip archive, some of the engines time out, so it's best to upload and check the ".exe" files separately.

What's the next thing to do here? Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.

Ivan Kazmenko.
Jan 10 2021
On Sun, Jan 10, 2021 at 10:59:57AM +0000, Ivan Kazmenko via Digitalmars-d wrote:
> Hi,
>
> The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in the "rdmd.exe" file in the 7z archive. One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena. The latter is new: detected in the 2.095.0-rc1 version, but not in the 2.094.2 release. One engine detects a threat in some other executables from the archive as well.
>
> Note: when given the whole 7-zip archive, some of the engines time out, so it's best to upload and check the ".exe" files separately.
>
> What's the next thing to do here? Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.
[...]

I'm 99.9% sure that these are false positives. We've had this problem in the past. It would be nice if someone filed false-positive reports for these cases to virustotal.com so that this problem can be corrected.

T

--
I am not young enough to know everything. -- Oscar Wilde
Jan 10 2021
On Sunday, 10 January 2021 at 15:25:33 UTC, H. S. Teoh wrote:
> On Sun, Jan 10, 2021 at 10:59:57AM +0000, Ivan Kazmenko via Digitalmars-d wrote:
>> What's the next thing to do here? Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.
>
> I'm 99.9% sure that these are false positives. We've had this problem in the past. It would be nice if someone filed false-positive reports for these cases to virustotal.com so that this problem can be corrected.

OK, but what is the exact process? What I found was a paid / trial version of VirusTotal services.

-----

More details on "rdmd.exe" from the 7-zip archive (http://downloads.dlang.org/releases/2.x/2.095.0/dmd.2.095.0.windows.7z):
https://www.virustotal.com/gui/file/0943e40d04aa6f6e9a59dac8a0ec49d49542fe40af70c07a30f1389a42e40323/detection

1. Kaspersky reports "HackTool.Win32.Krasnoglaz.gena". However, the Kaspersky site itself marks the file as clean: https://opentip.kaspersky.com/0943E40D04AA6F6E9A59DAC8A0EC49D49542FE40AF70C07A30F1389A42E40323/
My understanding is that VirusTotal's version of Kaspersky is some conservative one, and the Kaspersky site provides a more current version.

2. ZoneAlarm by Check Point reports "HackTool.Win32.Krasnoglaz.gena". Turns out this engine uses Kaspersky for virus detection.

3. VBA32 reports "BScope.TrojanRansom.Encoder". Can't find an online version of this antivirus.

There is also the case of Windows Defender reported here and by a fellow user also, which I myself didn't experience.

Ivan Kazmenko.
Jan 10 2021
On Sunday, 10 January 2021 at 20:15:50 UTC, Ivan Kazmenko wrote:
> https://www.virustotal.com/gui/file/0943e40d04aa6f6e9a59dac8a0ec49d49542fe40af70c07a30f1389a42e40323/detection

I've retriggered the analysis; Kaspersky and ZoneAlarm are now good there as well, only VBA32 and newly Qihoo-360 still detect something.

> There is also the case of Windows Defender reported here and by a fellow user also, which I myself didn't experience.

I've just downloaded, extracted and manually scanned the .7z successfully on an up-to-date Win10 machine with Windows Defender enabled. I am hitting an 'Operation did not complete successfully because the file contains a virus or potentially unwanted software' error with PowerShell's Net.WebClient.DownloadFile() on a CI box though; not sure if that comes from Windows Defender.
Jan 12 2021
On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:
> Hi,
>
> The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in the "rdmd.exe" file in the 7z archive. One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena. The latter is new: detected in the 2.095.0-rc1 version, but not in the 2.094.2 release. One engine detects a threat in some other executables from the archive as well.
>
> Note: when given the whole 7-zip archive, some of the engines time out, so it's best to upload and check the ".exe" files separately.
>
> What's the next thing to do here? Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.
>
> Ivan Kazmenko.

MS Defender on my company Win10 laptop blocks 2.095 also :(((
No update / installation possible. And no, I cannot add exclusions in Defender as it's company managed...
Jan 10 2021
On Sunday, 10 January 2021 at 16:10:55 UTC, notna wrote:
> MS Defender on my company Win10 laptop blocks 2.095 also :(((
> No update / installation possible. And no, I cannot add exclusions in Defender as it's company managed...

to be more precise...
* I want to "install" the "downloads.dlang.org/releases/2.x/2.095.0/dmd.2.095.0.windows.7z"
* As soon as I open it, it triggers MS Defender with a "Trojan:Win32/Zpevdo.B" hit and the 7z file is removed

Even after running the commands mentioned in https://github.com/electrumsv/electrumsv/issues/510#issuecomment-690651691 I still cannot "open" the 7z file :(
Jan 12 2021
On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:
> Hi,
>
> The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in the "rdmd.exe" file in the 7z archive. One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena. The latter is new: detected in the 2.095.0-rc1 version, but not in the 2.094.2 release. One engine detects a threat in some other executables from the archive as well.

I couldn't even download the installer .exe on my Windows machine without manually copying the link and pasting it into the address bar. Pressing the download link did nothing. This was with Chrome and its own malware protection.
Jan 10 2021
On Sunday, 10 January 2021 at 18:11:24 UTC, Anonymouse wrote:
> I couldn't even download the installer .exe on my Windows machine without manually copying the link and pasting it into the address bar. Pressing the download link did nothing. This was with Chrome and its own malware protection.

Same, you have to get the file back from Windows Defender.
Jan 10 2021
On Sunday, 10 January 2021 at 18:11:24 UTC, Anonymouse wrote:
> On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:
>> Hi,
>>
>> The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in the "rdmd.exe" file in the 7z archive. One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena. The latter is new: detected in the 2.095.0-rc1 version, but not in the 2.094.2 release. One engine detects a threat in some other executables from the archive as well.
>
> I couldn't even download the installer .exe on my Windows machine without manually copying the link and pasting it into the address bar. Pressing the download link did nothing. This was with Chrome and its own malware protection.

That's a different issue: https://issues.dlang.org/show_bug.cgi?id=21292
Jan 10 2021
On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:
> What's the next thing to do here? Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.

Perhaps you can check if rdmd is compiled with -m32mscoff or -m32. If it's compiled with -m32 it will produce OMF object files and link with the DMC runtime. Perhaps compiling for COFF and linking with the MS runtime makes a difference?

--
/Jacob Carlborg
Jan 12 2021
On Tuesday, 12 January 2021 at 13:40:49 UTC, Jacob Carlborg wrote:
> On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:
>> What's the next thing to do here? Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.
>
> Perhaps you can check if rdmd is compiled with -m32mscoff or -m32. If it's compiled with -m32 it will produce OMF object files and link with the DMC runtime. Perhaps compiling for COFF and linking with the MS runtime makes a difference?

Definitely looks like -m32, both 2.094.2 and 2.095.0 versions.

I don't see a tool to do an exact check, but hello-worlds compiled with -m32mscoff have "This program cannot be run in DOS mode." near the start of the executable, whereas -m32 produces a "Requires Win32" there.

Anyway, this didn't change between 2.094.2 and 2.095.0.

Ivan Kazmenko.
Jan 12 2021
On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:
> Hi,
>
> The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in the "rdmd.exe" file in the 7z archive. One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena. The latter is new: detected in the 2.095.0-rc1 version, but not in the 2.094.2 release. One engine detects a threat in some other executables from the archive as well.
>
> Note: when given the whole 7-zip archive, some of the engines time out, so it's best to upload and check the ".exe" files separately.
>
> What's the next thing to do here? Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.
>
> Ivan Kazmenko.

False positive or not, anyone knows if/how we scan for viruses when doing releases? 🤔

It's highly unlikely that an actual virus sneaked in, but it gives a "bad" impression...

This has happened at my previous company before when writing software that copied files between computers. I'm not surprised tho if some part of rdmd looks suspicious to an anti-virus 😏
Jan 13 2021
On Thursday, 14 January 2021 at 06:47:15 UTC, Imperatorn wrote:
> False positive or not, anyone knows if/how we scan for viruses when doing releases? 🤔
>
> It's highly unlikely that an actual virus sneaked in, but it gives a "bad" impression...
>
> This has happened at my previous company before when writing software that copied files between computers. I'm not surprised tho if some part of rdmd looks suspicious to an anti-virus 😏

That can happen to other dev tools. For me, one antivirus flagged a debugger as a hacktool dot something. Some sites of dev tools warn the users that some antiviruses can create false positives, most likely due to debuggers having similarities to certain malware programs.
Jan 16 2021