trojan warning!

trojan warning!

Octave - General mailing list

Trying to install from the following links triggered my virus-scanner on a trojan:

https://mirror.kumi.systems/gnu/octave/windows/octave-5.2.0_1-w64.7z

https://mirror.kumi.systems/gnu/octave/windows/octave-5.2.0-w64.7z




Re: trojan warning!

nrjank


On Mon, Feb 17, 2020 at 9:32 AM Lans, I.B.N. van der (Ivo) via Help list for GNU Octave <[hidden email]> wrote:

Octave has no control over that mirror.  Did you try downloading from the official Octave repository and see if you get the same report? If so which virus scanner are you using and do you have a method of reporting false positives?

Official download page:

 



image001.png (85K) Download Attachment

Re: trojan warning!

siko1056
In reply to this post by Octave - General mailing list
On 2/17/20 9:34 PM, Lans, I.B.N. van der (Ivo) via Help list for GNU
Octave wrote:
> Trying to install from the following links triggered my virus-scanner on
> a trojan:
>
>  
>
> https://mirror.kumi.systems/gnu/octave/windows/octave-5.2.0_1-w64.7z
>
> https://mirror.kumi.systems/gnu/octave/windows/octave-5.2.0-w64.7z
>


Thanks for sharing your concern.  I am very sure that no Octave
developer has packaged any malware.

If you are not convinced, you are free to create all necessary
distribution tarballs and installers yourself.  Octave provides several
guides how to do it in the wiki [1,2].

In my humble opinion it is more likely that your company's malware
detection system is reporting a false positive [3].  Please contact them
[4] if you share your trust with them.  The description
"Artemis...Trojan" is not really helpful, unless you study Greek history.

HTH,
Kai

[1] https://wiki.octave.org/Building
[2] https://wiki.octave.org/MXE
[3] https://en.wikipedia.org/wiki/False_positives_and_false_negatives#False_positive_error
[4] https://kumi.systems/




Re: trojan warning!

turmewr3ck
I also get a Trojan message, but I'm using the official download site. McAfee
points out libsqlite in this case. Not sure if you build that library from
scratch or you use a precompiled DLL.

<https://octave.1599824.n4.nabble.com/file/t373647/octave_libsqlite_trojan_mcafee.png>




--
Sent from: https://octave.1599824.n4.nabble.com/Octave-General-f1599825.html



Re: trojan warning!

turmewr3ck
In reply to this post by siko1056
I also get a trojan message, and this is from McAfee. It reports only one
file, namely the libsqlite3-0.dll. (Not sure if that library is compiled
from scratch or included as DLL.)
I have downloaded Octave from the official repository.

<https://octave.1599824.n4.nabble.com/file/t373647/octave_libsqlite_trojan_mcafee.png>




Re: trojan warning!

nrjank
On Thu, Feb 20, 2020 at 07:12 turmewr3ck <[hidden email]> wrote:
> I also get a trojan message, and this is from McAfee. It reports only one
> file, namely the libsqlite3-0.dll. (Not sure if that library is compiled
> from scratch or included as DLL.)
> I have downloaded Octave from the official repository.
>
> <https://octave.1599824.n4.nabble.com/file/t373647/octave_libsqlite_trojan_mcafee.png>

Which installer? And from where exactly?

We’ve seen a few false positive reports recently.  First time on that dll.  

mcafee false positive reports can be made following info at








Re: trojan warning!

turmewr3ck
The following location and file:
https://www.gnu.org/software/octave/download.html
https://ftpmirror.gnu.org/octave/windows/octave-5.2.0_1-w64-installer.exe

I have not yet reported this as a false positive candidate to McAfee, as I
wanted to wait on the reaction in this forum.




Re: trojan warning!

nrjank
On Thu, Feb 20, 2020 at 7:50 AM turmewr3ck <[hidden email]> wrote:
> The following location and file:
> https://www.gnu.org/software/octave/download.html
> https://ftpmirror.gnu.org/octave/windows/octave-5.2.0_1-w64-installer.exe
>
> I have not yet reported this as a false positive candidate to McAfee, as I
> wanted to wait on the reaction in this forum.

this thread started with a similar conversation over the weekend, regarding different files in the installer and also mcafee product.  do you get the same warnings about the zip or 7z file?  bundled executables are notorious for setting off false positive warnings in virus scanners.  This past weekend I downloaded and scanned both zip and executable files with no detections. 
 I just uploaded it to virustotal.com and got no warnings. 

it sounds like a recent mcafee update is setting off false positives. I'd recommend following the false positive reporting procedures.

in the meantime, you can check the non executable packages.  You can always compile from source if you're set up to do so, then you don't have to trust any precompiled package.



Re: trojan warning!

nrjank
In reply to this post by turmewr3ck


On Thu, Feb 20, 2020 at 9:01 AM turmewr3ck <[hidden email]> wrote:
> I also get a Trojan message, but I'm using the official download site. McAfee
> points out libsqlite in this case. Not sure if you build that library from
> scratch or you use a precompiled DLL.
>
> <https://octave.1599824.n4.nabble.com/file/t373647/octave_libsqlite_trojan_mcafee.png>


he was using the official download site too.  so was i. I didn't build anything, I just use the same download you are. someone else will have to answer about the dll.  what happens if you upload libsqlite to virustotal?



Re: trojan warning!

nrjank
i just downloaded the 64bit windows 7z version, extracted libsqlite3-0.dll, did a local scan with Windows Defender (passed) and uploaded to virustotal. got the following:
this version with v5.2.0-1:

shows 11 of the 72 engines are set off by this file, mcafee included.  

checking the v5.1.0 file from the exe installer, it shows up clean

so not sure what about 5.2.0 is setting off the false positives.  the files linked above by the original poster all set off one scanner i never heard of out of the 72 it tests. 



On Thu, Feb 20, 2020 at 9:10 AM Nicholas Jankowski <[hidden email]> wrote:
> On Thu, Feb 20, 2020 at 9:01 AM turmewr3ck <[hidden email]> wrote:
>> I also get a Trojan message, but I'm using the official download site. McAfee
>> points out libsqlite in this case. Not sure if you build that library from
>> scratch or you use a precompiled DLL.
>>
>> <https://octave.1599824.n4.nabble.com/file/t373647/octave_libsqlite_trojan_mcafee.png>
>
> he was using the official download site too.  so was i. I didn't build anything, I just use the same download you are. someone else will have to answer about the dll.  what happens if you upload libsqlite to virustotal?



Re: Re: trojan warning!

John W. Eaton
Administrator
On 2/20/20 9:31 AM, Nicholas Jankowski wrote:

> i just downloaded the 64bit windows 7z version, extracted
> libsqlite3-0.dll, did a local scan with Windows Defender (passed) and
> uploaded to virustotal. got the following:
> this version with v5.2.0-1:
> https://www.virustotal.com/gui/file/e1656cdb03908796a9c90eb7409ca44f8e859ab73f44a498cadc68c00a3b5ff8/detection 
>
>
> shows 11 of the 72 engines are set off by this file, mcafee included.
>
> checking the v5.1.0 file from the exe installer, it shows up clean
> https://www.virustotal.com/gui/file/4792812c498d011b5e1914bf67a320c409fe3de1e70230a7a95bcf45bba9f4b7/detection 
>
>
> so not sure what about 5.2.0 is setting off the false positives.  the
> files linked above by the original poster all set off one scanner i
> never heard of out of the 72 it tests.
I gpg signed the files that I uploaded to ftp.gnu.org.  The signatures
that I generated and uploaded are also included in the attached file.
These files have been on my system since I created them.  I did not
download them from ftp.gnu.org or any mirror.  Do they still match the
ones on ftp.gnu.org and the mirrors?  If not, we have a problem.  But if
they do match, as I expect they do, then using those signatures, does
gpg --verify show any problems for the files downloaded from ftp.gnu.org
or any of the mirrors?  If so, then the files on the server were
probably not hacked.

I don't know why virus detection software is reporting a problem with
the sqlite DLL.  I built the binary installers and zip files using
mxe-octave.  You can do the same if you want to verify.  The sqlite
package was built from sources.  Logs of the builds (one for each of the
w32, w64, and w64-64 Windows binary versions of Octave) are included in
the attached file.

If somehow there is a real problem with that DLL, then please help us
fix it.  Otherwise, I hope we can get the virus detection software to
stop reporting this file as a problem.

jwe







sig-and-log-files.zip (26K) Download Attachment
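
The check described in the message above, as an added example that is not part of the original thread or of the Octave project's code: it runs `gpg --verify` on a detached signature, accepts the result only when the signature comes from a pinned key fingerprint, and computes the file's SHA-256 so it can be matched against the two VirusTotal hashes quoted in the thread. The function names are hypothetical, and the fingerprint is an assumption the caller must supply from a trusted source, since the thread does not give one.

```python
import hashlib
import subprocess

# SHA-256 values copied from the VirusTotal links quoted in the thread.
THREAD_HASHES = {
    "e1656cdb03908796a9c90eb7409ca44f8e859ab73f44a498cadc68c00a3b5ff8":
        "libsqlite3-0.dll from 5.2.0-1 (11 of 72 engines)",
    "4792812c498d011b5e1914bf67a320c409fe3de1e70230a7a95bcf45bba9f4b7":
        "libsqlite3-0.dll from 5.1.0 (clean)",
}

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_gpg_status(status_text, pinned_fpr):
    """Decide from gpg --status-fd output whether the pinned key signed the file."""
    records = [line.split()[1:] for line in status_text.splitlines()
               if line.startswith("[GNUPG:] ")]
    seen = {r[0] for r in records if r}
    # Any of these means the signature must not be trusted, even if a
    # VALIDSIG record is also present (expired or revoked key, for example).
    for bad in ("BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG", "NO_PUBKEY"):
        if bad in seen:
            return False, bad
    for r in records:
        if len(r) > 1 and r[0] == "VALIDSIG":
            # First field: signing (sub)key fingerprint; last: primary key fingerprint.
            if pinned_fpr.upper() in (r[1].upper(), r[-1].upper()):
                return True, "VALIDSIG from pinned key"
            return False, "valid signature, but not from the pinned key"
    return False, "no VALIDSIG record"

def verify_release(path, sig_path, pinned_fpr):
    """Run gpg on a detached signature; return (ok, reason, sha256, thread label)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True)
    ok, reason = parse_gpg_status(proc.stdout, pinned_fpr)
    digest = sha256_file(path)
    return ok, reason, digest, THREAD_HASHES.get(digest)
```

A passing signature check and an antivirus detection answer different questions: the first shows the file is the one the maintainer built, the second is the scanner's opinion of that build.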

Re: Re: trojan warning!

nrjank


On Thu, Feb 20, 2020 at 11:02 AM John W. Eaton <[hidden email]> wrote:
> If somehow there is a real problem with that DLL, then please help us
> fix it.  Otherwise, I hope we can get the virus detection software to
> stop reporting this file as a problem.
>
> jwe


I'll second that motion, as the virus defs on my managed windows machine just updated and mcafee flagged and deleted the file for the same reason.  no gui for me...

hooray mcafee