Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avira trojan warning #77

Open
Simn opened this issue Sep 25, 2014 · 22 comments
Open

Avira trojan warning #77

Simn opened this issue Sep 25, 2014 · 22 comments

Comments

@Simn
Copy link
Member

Simn commented Sep 25, 2014

Email I received:

Hey folks of Haxe,
i just downloaded the latest haxe windows installer but suddenly avira told me, there would be a virus in it. Crypt.Xpack.81397 to be correct.
I then went to the irc and asked some beings there and they gave me a link to older builds to check them and on every installer i picked avira said the same virus would be on.

But the binaries seems to be fine for antvir.
Probably its an antivir issue, but neverthenless people may turn off if they encounter the same issue.

bye
chris
@andyli
Copy link
Member

andyli commented Sep 25, 2014

I've just submitted the 3.1.3 Windows installer to https://analysis.avira.com/en/submit

I wonder if we could sign the installer in some way as this antivirus issue comes up from time to time...

@waneck
Copy link
Member

waneck commented Sep 25, 2014

Last time I've contacted avira about these problems, they asked me to provide a screenshot from the user when it happened. It's pretty annoying.

@autonomnom
Copy link

here you go

havira1
havira2

@Simn
Copy link
Member Author

Simn commented Dec 11, 2014

Any news on this?

@andyli
Copy link
Member

andyli commented Dec 11, 2014

I haven't got any follow up from Avira.

According to VirusTotal, the haxe windows installer is not flagged as virus by Avira. But there are 3 other antivirus softwares do.

@ncannasse
Copy link
Member

I think one possible cause for this is the way we build haxelib.exe, since we append the neko bytecode at the end of the executable it creates a binary that while perfectly correct might have its PE header not conformant to its actual size.

We could maybe try for the next release to ship a haxelib binary built with hxcpp

@Simn Simn added this to the Long term milestone Feb 23, 2015
@Simn
Copy link
Member Author

Simn commented Feb 23, 2015

I don't feel brave enough to try that for 3.2, but we should look into this problem afterwards if it still exists.

@waneck
Copy link
Member

waneck commented Feb 23, 2015

I think there's a problem with haxelib selfupdate and running haxelib through haxe --run - that's why it's using the neko interface atm.

@ncannasse
Copy link
Member

If you wish me to get a certificate so we can sign our installer, tell me.

@Simn
Copy link
Member Author

Simn commented Feb 26, 2015

I'm too stingy to suggest spending money on that. Let's just get big enough to the point where they can no longer ignore us. :)

@ncannasse
Copy link
Member

@Simn sadly I don't think it will work

@ncannasse
Copy link
Member

Even the bigger companies happen to be reported as false positive, hence the code signing (and it's not very expensive)

@bubblebenj
Copy link
Contributor

It could also be that an included dll is seen as a treat.
Maybe sending the unziped installer to TotalVirus for instance could give some more clue on the actual issue.

@bubblebenj
Copy link
Contributor

Throwing every file at VirusTotal, it found that haxesetup.exe is the treat (for 1 virus on 56 antivirus tested).
I also thrown every haxesetup files to it and none of them ring a bell. So I suppose the issue is in the way its packaged.

@ex
Copy link

ex commented Oct 24, 2016

Norton is flagging the latest haxelib with this virus: Heur.AdvML.B, pretty annoying

@andyli
Copy link
Member

andyli commented Oct 25, 2016

Was it the one bundled in haxe 3.3rc?
Would you help submit it to norton as false positive?

On Oct 24, 2016 11:18 PM, "Laurens Rodriguez" [email protected]
wrote:

Norton is flagging the latest haxelib with this virus: Heur.AdvML.B,
pretty annoying


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#77 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAGWKQ1N9gLXg-w9najVrqCGAU3210Izks5q3MwwgaJpZM4Cm4j3
.

@ex
Copy link

ex commented Oct 25, 2016

@andyli it was the latest build from github.
Yes I can submit it to Norton as a false positive, not sure if they would give me their attention, is there a procedure for this? Never reported something as false positive.

@andyli
Copy link
Member

andyli commented Oct 26, 2016

Just google "norton submit false positive" ;)

@ex
Copy link

ex commented Oct 27, 2016

I did this and they added the file to their whitelist, however I guess this needs to be done every time the file changes, Does haxelib.exe change so much?:

In relation to submission 7157.

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    File name: haxelib.exe
    MD5: feb000b3acc10089d14aa492e859b045
    SHA256: 495096afe96911fc577c4e1795c3a8eba390abefa3c406be5c003bdc68c0f376
    Note: Whitelisting is available by downloading a RAPID RELEASE indicated in the Further Information section below or via the next Live Update

Further Information:
Required RAPID RELEASE sequence >= 181376

The latest Rapid Release definition available here: ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rapidrelease
To check the current sequence number of the Rapid Release definition: http://www.symantec.com/security_response/definitions/rapidrelease
More information on Rapid Release definitions can be found: https://support.symantec.com/en_US/article.TECH103326.html

If detection persists, please contact support:
* Norton: https://support.norton.com/sp/en/us/home/current/info
* SEP: https://support.symantec.com/en_US/endpoint-protection.54619.html

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

If you are a software vendor and would like to upload your software for proactive whitelisting, please complete one of the following forms:
* If you are BCS customer: https://submit.symantec.com/whitelist/bcs
* Otherwise: https://submit.symantec.com/whitelist

For more information on best practices to reduce false positives:
http://www.symantec.com/content/en/us/enterprise/white_papers/b-to_increase_downloads-instill_trust_first_WP.en-us.pdf

@ibilon
Copy link
Member

ibilon commented Oct 27, 2016

The haxelib.exe is different in each haxe release, so no not often ;)

@ibilon
Copy link
Member

ibilon commented Dec 11, 2016

So what actions should we take?

Voting for the code signing,
it also makes it more professional looking when windows report that the exe wants administrator rights.

Would be nice to have this resolved for the stable release of 3.4.

@ibilon ibilon removed this from the Long term milestone Dec 11, 2016
@andyli andyli pinned this issue Jun 22, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants