Bug 1039221 - Antivirus failures - Win.Worm.Chir-552 found in NSIS executables
Status: RESOLVED FIXED (Closed)
Opened 10 years ago, closed 10 years ago
Categories: Release Engineering :: Release Requests, defect
Tracking: Not tracked
Reporter: nthomas; Assignee: Unassigned
Eg Thunderbird 31.0b3 - all locales, complete mar and installer exe:

/tmp/tmpDd1ZSj/pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32/nn-NO/Thunderbird Setup 31.0b3.exe/setup.exe: Win.Worm.Chir-552 FOUND
/tmp/tmpDd1ZSj/pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32/nn-NO/Thunderbird Setup 31.0b3.exe/core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
/tmp/tmpDd1ZSj/pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32/nn-NO/Thunderbird Setup 31.0b3.exe/core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND

Also Firefox 31.0esr - all locales, there's one extra file there. Firefox 31.0 build1 passed, but ran a little earlier.

If I rerun (on an unpacked exe), then it also fails:

$ clamscan -o -r .
./setup.exe: Win.Worm.Chir-552 FOUND
./core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
./core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND
./core/webapp-uninstaller.exe: Win.Worm.Chir-552 FOUND

They're all NSIS installers; other exe like crashreporter.exe don't get flagged.
Comment 1•10 years ago (Reporter)
Adding the --scan-pe=no argument to clamscan results in no match. From the man page:

> --scan-pe[=yes(*)/no]
>     PE stands for Portable Executable - it’s an executable file format used in all 32-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG. If you turn off this option, the original files will still be scanned but without additional processing.

They're also clean on virus-total, eg
https://www.virustotal.com/en/file/57ba1439c925f04097ffcd045e4411e63421e6c3cce91e156d04af9b44119e1b/analysis/1405499819/
https://www.virustotal.com/en/file/a6e6e590e282227b1fdce9ffa054a27f7c96df87f82e21591b915c6c8dbf162d/analysis/1405456055/

MS have published this about Win32/Chir.D:
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=%0A%09%09%09%09Worm:Win32/Chir.D@mm%0A%09%09%09%09#tab=2

I checked a build slave and there was no match for c:\windows\system*\runouce.exe. Convinced this is a false positive, and will submit to clamav.net as such.
Comment 2•10 years ago (Reporter)
Looks like clamav doesn't extract our executables by default, so it passes the installers on virustotal.com. We do extract the installers and mar files when we run our antivirus job in the release automation, so it flags the 4 files.

If I give virustotal the setup.exe from inside
http://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/31.0-candidates/build1/win32/en-US/Firefox Setup 31.0.exe
then we get
https://www.virustotal.com/en/file/050fa5168d9a77ae8e909c0fa6a9adf42368bcc8c9562e26cad88d87db726498/analysis/1405505060/
ie clamav finds something, but nothing else does.
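The triage the reporter did by hand in comments 1 and 2 (scan the extracted installer tree, rescan with --scan-pe=no, see which hits disappear) is easy to script once the scanner output is parsed. The block below is an added example written for this page; it is not the reporter's code and not Mozilla's extract_and_run_command.py. It assumes only the per-file line shapes that clamscan and clamdscan print ("path: SIGNATURE FOUND", "path: OK", "path: message ERROR"). The two scan outputs are constructed: the FOUND lines are the ones quoted in the bug, the OK and ERROR lines are made up to show the other shapes, and the --scan-pe=no output is what the reporter describes seeing, not a captured log.

```python
"""Triage ClamAV hits on an extracted NSIS installer tree.

Added example for bug 1039221; not the reporter's code and not part of
Mozilla's release automation. Parses clamscan/clamdscan per-file lines and
compares a default scan with a --scan-pe=no scan of the same tree, so hits
that only exist when ClamAV unpacks PE files stand out as candidates for a
packer/unpacker false positive.
"""
import re
from collections import defaultdict

# Constructed sample. The FOUND lines are the ones quoted in the bug; the OK
# and ERROR lines and the summary are made up to show what else clamscan prints.
SCAN_DEFAULT = """\
./setup.exe: Win.Worm.Chir-552 FOUND
./core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
./core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND
./core/webapp-uninstaller.exe: Win.Worm.Chir-552 FOUND
./core/crashreporter.exe: OK
./core/locked.tmp: Can't open file or directory ERROR

----------- SCAN SUMMARY -----------
Infected files: 4
"""

# Constructed sample of the same tree scanned with --scan-pe=no (the result
# the reporter describes in comment 1, not a captured log).
SCAN_NO_PE = """\
./setup.exe: OK
./core/maintenanceservice_installer.exe: OK
./core/uninstall/helper.exe: OK
./core/webapp-uninstaller.exe: OK
./core/crashreporter.exe: OK
./core/locked.tmp: Can't open file or directory ERROR
"""

# One per-file result line. Signature names contain no whitespace; summary
# lines and blank lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK|(?P<err>.+) ERROR)$"
)


def parse_scan(text):
    """Return (hits, errors): hits maps path -> signature, errors maps path -> message."""
    hits, errors = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("sig"):
            hits[m.group("path")] = m.group("sig")
        elif m.group("err"):
            errors[m.group("path")] = m.group("err")
    return hits, errors


def by_signature(hits):
    """Group flagged paths under their signature name, sorted for stable output."""
    groups = defaultdict(list)
    for path, sig in hits.items():
        groups[sig].append(path)
    return {sig: sorted(paths) for sig, paths in groups.items()}


def pe_only_hits(default_hits, no_pe_hits):
    """Paths flagged by the default scan but clean when --scan-pe=no is used.

    Such a hit was matched in the content ClamAV produced by unpacking the
    executable, not in the raw bytes on disk; that is the pattern the
    reporter used to argue this detection was a false positive.
    """
    return sorted(p for p in default_hits if p not in no_pe_hits)


def triage(default_text, no_pe_text):
    """Summarise both scans. ERROR lines are reported, never treated as clean."""
    default_hits, errors = parse_scan(default_text)
    no_pe_hits, _ = parse_scan(no_pe_text)
    return {
        "signatures": by_signature(default_hits),
        "pe_only": pe_only_hits(default_hits, no_pe_hits),
        "raw_hits": sorted(p for p in default_hits if p in no_pe_hits),
        "errors": errors,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SCAN_DEFAULT, SCAN_NO_PE), indent=2))
```

Two points a release engineer would want from this: a file that lands in "errors" was not scanned at all, so a job that only greps for FOUND would wrongly pass it; and "pe_only" is a hint, not a verdict, since real malware inside a packed PE also vanishes with --scan-pe=no, so the second-opinion checks the reporter did (other engines, the vendor's indicator for the named family) are still needed before calling a hit a false positive.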
Comment 3•10 years ago (Reporter)
Submitted to clamav.net at the 2nd attempt.
Comment 4•10 years ago (Reporter)
Looks like the matches have disappeared in a later virus definition, we'll rescan the affected files.
Comment 5•10 years ago
I just ran the following on stage:

extract_and_run_command.py -j2 clamdscan -m --no-summary -- /pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/update/win32/
extract_and_run_command.py -j2 clamdscan -m --no-summary -- /pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32

Both passed.
Comment 6•10 years ago (Reporter)
Redid the 31.0esr checks:

$ ionice -c3 nice extract_and_run_command.py -j2 clamdscan -m --no-summary -- /pub/mozilla.org/firefox/candidates/31.0esr-candidates/build1/{,update}/win32 2>&1 | tee ~/31.0esr-rescan.log

Nothing was detected.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED