Closed Bug 469988 Opened 17 years ago Closed 17 years ago

Avast detects Win32:Trojan-gen(Other) in 2008-12-17 nightly

Categories

(Release Engineering :: General, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: lupatrian, Unassigned)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081216 Minefield/3.2a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081216 Minefield/3.2a1pre
On today's Minefield build installer (Win), Avast AV stopped the download, saying that a virus was detected (and not "MIGHT be a virus", but "IS a virus"). The download was 75-80% complete when it tripped. I let it abort/didn't install. Any reason that the new build would trip Anti-Vi?
Reproducible: Always
Steps to Reproduce: 1. 2. 3.
Version: unspecified → Trunk
Not a build config bug. I would suspect with high certainty that it's a false positive.
Component: Build Config → Release Engineering
Product: Firefox → mozilla.org
QA Contact: build.config → release
Version: Trunk → other
We should probably run a scan across whatever machine we use to produce the windows nightlies. I, too, suspect false positive, but one can never be too certain. Nothing suspicious looking in the pushlog ...
http://www.virustotal.com/analisis/9f0797cd4a413bd72da0dd3d6c817aa0 VirusTotal confirms that Avast and GData (and only those two) see W32:Trojan-gen in it. That could be because they use the same signatures (eSafe just says "suspicious") or because they're particularly ahead of the curve, but no other scanners corroborate it.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Can we get details from Avast about what pattern it matched?
Summary: Avast aborted installation → Avast detects Win32:Trojan-gen(Other) in 2008-12-17 nightly
BTW: I downloaded the ZIP file, and that worked fine. http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central/ NB: I just reported this in mozilla.dev.apps.firefox
I've seen virus scanners think NSIS code was a trojan.
We did take a new NSIS patch recently ...
Avast has in the past reported false positives on NSIS. Previously this has been due to some antivirus vendors trying to catch a program that uses one of the NSIS plugins which we share with other applications that use NSIS and not due to any changes to our installer code. We also added additional file info of the installer for antivirus to more easily identify that our installer shouldn't be flagged in bug 445276.
I looked around for reports of NSIS along with Win32:Trojan-gen and haven't seen anything recent. It may be that Avast is detecting something else like the 7-Zip self extracting archive... when launching the exe does it display the extracting dialog?
For me, it never got as far as installation; Avast tripped during the download itself (installer package, not zip). Not sure if that was a Q: for me.
(In reply to comment #11)
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
> rv:1.9.2a1pre) Gecko/20081216 Minefield/3.2a1pre
> Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
> rv:1.9.2a1pre) Gecko/20081216 Minefield/3.2a1pre
The same executable downloaded to my WinXP machine at home, and passed cleanly a scan by a fully updated Norton Internet Security v15.5.0.23. Also, I believe that we also have automated scans of ftp.m.o, before builds are visible, but let me verify that. Not sure where this bug should live, but it doesn't feel like a RelEng issue at this time.
(In reply to comment #9)
> when launching the exe does it display the
> extracting dialog?
IIRC: No. The error message comes right after double-clicking the exe.
(In reply to comment #11)
> Also, I believe
> that we also have automated scans of ftp.m.o, before builds are visible, but
> let me verify that.
We don't. bug 394069 was put on hold due to issues with unionfs.
beltzner suggested running a virus scan on the machine that produced this build - I think this is a good idea, though I agree it's probably a false positive. Anyone have a bit of time to do this?
Today's build: Avast tripped as soon as I hit SAVE for the download; Win/installer. I aborted. I did a vi-scan yesterday: nothing. Norton misses things.
Update: I did a "thorough" (vs Quick) vi-scan, incl archives, and did get a hit. After vi-file was deleted, I retried downloading the Minefield installer and had no problems. So, anyone who got a virus message while attempting to download the trunk should suspect a PC infection and do a full virus scan. Thanks.
Same thing occurs with Seamonkey 2.0 Alpha 2: http://download.mozilla.org/?product=seamonkey-2.0a2&os=win&lang=en-US (all mirrors) Details: Win32:Trojan-gen {Other} Virus/Ver VPS Version: 081221-0, 21/12/2008
From talking with justdave, all files on ftp.m.o are scanned by ClamAV soon after being posted. The ClamAV installation has signatures refreshed hourly. Each of the files described in this bug have scanned cleanly on ftp.m.o, and so also has everything else on ftp.m.o. This might be a problem with Avast, or, based on comment#17, it sounds like a user's machine was infected. Doesn't seem to be anything here for RelEng to do, so closing. If I've misunderstood, please reopen with details.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
I just did an (involuntary) new install of my WinXP machine. I just downloaded and installed the nightly EXE build successfully with no virus warnings. ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central/ --> WFM too.
Product: mozilla.org → Release Engineering