Closed Bug 1039221 Opened 10 years ago Closed 10 years ago

Antivirus failures - Win.Worm.Chir-552 found in NSIS executables

Categories

(Release Engineering :: Release Requests, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: nthomas, Unassigned)

References

Details

Eg Thunderbird 31.0b3 - all locales, complete mar and installer exe

/tmp/tmpDd1ZSj/pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32/nn-NO/Thunderbird Setup 31.0b3.exe/setup.exe: Win.Worm.Chir-552 FOUND
/tmp/tmpDd1ZSj/pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32/nn-NO/Thunderbird Setup 31.0b3.exe/core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
/tmp/tmpDd1ZSj/pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32/nn-NO/Thunderbird Setup 31.0b3.exe/core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND

Also Firefox 31.0esr - all locales, there's one extra file there. Firefox 31.0 build1 passed, but ran a little earlier. If I rerun (on an unpacked exe), then it also fails:
 $ clamscan -o -r .
 ./setup.exe: Win.Worm.Chir-552 FOUND
 ./core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
 ./core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND
 ./core/webapp-uninstaller.exe: Win.Worm.Chir-552 FOUND

They're all NSIS installers; other exe like crashreporter.exe don't get flagged.
Adding the --scan-pe=no argument to clamscan results in no match. From the man page:
>       --scan-pe[=yes(*)/no]
>              PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows
>              operating systems. By default ClamAV performs deeper analysis of executable files and attempts to
>              decompress popular executable packers such as UPX, Petite, and FSG. If you turn off this option, the
>              original files will still be scanned but without additional processing.

They're also clean on virus-total, eg
 https://www.virustotal.com/en/file/57ba1439c925f04097ffcd045e4411e63421e6c3cce91e156d04af9b44119e1b/analysis/1405499819/
 https://www.virustotal.com/en/file/a6e6e590e282227b1fdce9ffa054a27f7c96df87f82e21591b915c6c8dbf162d/analysis/1405456055/

MS have published this about Win32/Chir.D
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=%0A%09%09%09%09Worm:Win32/Chir.D@mm%0A%09%09%09%09#tab=2
I checked a build slave and there was no match for c:\windows\system*\runouce.exe.

Convinced this is a false positive, and will submit to clamav.net as such.
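The two-pass check described in this report (a default clamscan run compared against a run with --scan-pe=no over an unpacked installer directory), written up as an added Python example; it is not part of this bug, of ClamAV, or of Mozilla's release automation. It assumes clamscan is on PATH when pointed at a real directory, and the sample output it ships with is constructed to mirror the four NSIS hits above, plus one constructed Eicar-Test-Signature line so that both outcome buckets are exercised.

```python
import re
import shutil
import subprocess

# clamscan prints one line per detection: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamscan_output(text):
    """Return {path: signature} for every FOUND line in clamscan output.

    OK lines and summary lines do not match the pattern and are ignored.
    """
    hits = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def classify_hits(default_hits, no_pe_hits):
    """Split detections by whether they survive disabling PE analysis.

    A hit that only fires with --scan-pe (the default) came out of ClamAV's
    unpacking of the executable, which is where packer and installer stubs
    such as NSIS are prone to false positives. A hit that also fires with
    --scan-pe=no matched the raw bytes on disk and needs a closer look
    before anyone dismisses it.
    """
    return {
        "pe_analysis_only": {p: s for p, s in default_hits.items() if p not in no_pe_hits},
        "raw_file_match": {p: s for p, s in default_hits.items() if p in no_pe_hits},
    }


def run_clamscan(directory, scan_pe=True):
    """Run clamscan recursively over a directory and return parsed hits."""
    if shutil.which("clamscan") is None:
        raise RuntimeError("clamscan is not installed or not on PATH")
    cmd = ["clamscan", "-r", "-i", "--no-summary"]
    if not scan_pe:
        cmd.append("--scan-pe=no")
    cmd.append(str(directory))
    proc = subprocess.run(cmd, capture_output=True, text=True)
    # clamscan exits 0 when clean, 1 when something was found, 2 on error
    if proc.returncode not in (0, 1):
        raise RuntimeError(proc.stderr.strip() or "clamscan failed")
    return parse_clamscan_output(proc.stdout)


def triage_directory(directory):
    """Scan twice (with and without PE analysis) and bucket the results."""
    return classify_hits(run_clamscan(directory, scan_pe=True),
                         run_clamscan(directory, scan_pe=False))


# Constructed sample output, mirroring the unpacked-installer hits from the
# report plus one constructed raw-bytes hit (the EICAR test signature).
SAMPLE_DEFAULT = """\
./setup.exe: Win.Worm.Chir-552 FOUND
./core/maintenanceservice_installer.exe: Win.Worm.Chir-552 FOUND
./core/uninstall/helper.exe: Win.Worm.Chir-552 FOUND
./core/webapp-uninstaller.exe: Win.Worm.Chir-552 FOUND
./core/sample.bin: Eicar-Test-Signature FOUND
./core/crashreporter.exe: OK
"""
SAMPLE_NO_PE = """\
./core/sample.bin: Eicar-Test-Signature FOUND
"""


def triage_sample():
    """Run the classification over the constructed sample output."""
    return classify_hits(parse_clamscan_output(SAMPLE_DEFAULT),
                         parse_clamscan_output(SAMPLE_NO_PE))


if __name__ == "__main__":
    import sys
    report = triage_directory(sys.argv[1]) if len(sys.argv) > 1 else triage_sample()
    for bucket, hits in report.items():
        print(f"{bucket}:")
        for path, sig in sorted(hits.items()):
            print(f"  {path}: {sig}")
```

Run it with an unpacked installer directory as the argument to scan for real, or with no argument to see the bucketing on the sample. Hits in the `pe_analysis_only` bucket are the candidates for a false-positive submission to the vendor; anything in `raw_file_match` is still an open question until the file has been checked independently.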
Looks like clamav doesn't extract our executables by default, so it passes the installers on virustotal.com. We do extract the installers and mar files when we run our antivirus job in the release automation, so it flags the 4 files.

If I give virustotal the setup.exe from inside http://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/31.0-candidates/build1/win32/en-US/Firefox Setup 31.0.exe then we get 
 https://www.virustotal.com/en/file/050fa5168d9a77ae8e909c0fa6a9adf42368bcc8c9562e26cad88d87db726498/analysis/1405505060/
i.e. clamav finds something, but nothing else does.
Submitted to clamav.net at the 2nd attempt.
Looks like the matches have disappeared in a later virus definition, we'll rescan the affected files.
I just ran the following on stage:

extract_and_run_command.py -j2 clamdscan -m --no-summary -- /pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/update/win32/

extract_and_run_command.py -j2 clamdscan -m --no-summary -- /pub/mozilla.org/thunderbird/candidates/31.0b3-candidates/build1/win32

Both passed.
Redid the 31.0esr checks:
$ ionice -c3 nice extract_and_run_command.py -j2 clamdscan -m --no-summary -- /pub/mozilla.org/firefox/candidates/31.0esr-candidates/build1/{,update}/win32 2>&1 | tee ~/31.0esr-rescan.log

Nothing was detected.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED