Last Comment Bug 504947 - Some Virus Scans report Trojan horse in 485217.xsl
: Some Virus Scans report Trojan horse in 485217.xsl
Product: Core
Classification: Components
Component: XSLT (show other bugs)
: Trunk
: All All
: -- normal (vote)
: ---
Assigned To: Justin Wood (:Callek)
: Andrew Overholt [:overholt]
Depends on:
Blocks: CVE-2009-1169
  Show dependency treegraph
Reported: 2009-07-17 15:44 PDT by Alex Vincent [:WeirdAl]
Modified: 2010-06-23 16:39 PDT (History)
8 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Patch as pushed (654 bytes, patch)
2010-05-06 16:20 PDT, Justin Wood (:Callek)
dveditz: approval1.9.2.7+
dveditz: approval1.9.1.11+
Details | Diff | Splinter Review

Description Alex Vincent [:WeirdAl] 2009-07-17 15:44:19 PDT
I've had a lot of trouble with hg clone in trying to get mozilla-1.9.1, mozilla-central code checked out.  Norton and Symantec antivirus products claim 485217.xsl is a Trojan horse.

I don't necessarily agree with that assessment, nor do I agree this is Mozilla's bug.  I'm filing it anyway, as UNCO, for tracking.  Please feel free to reassign, investigate, fix or mark INVALID as you see fit.
Comment 1 Tyler Downer [:Tyler] 2009-07-18 15:37:29 PDT
Um, yeah, probably invalid. Did you contact them about a false positive? They will usually update their definitions pretty quickly if they get some confirmed false positive reports.
Comment 2 Alex Vincent [:WeirdAl] 2009-07-18 15:51:14 PDT
I tried to via their Help & Support chat system, but I don't think that was the right route to go.  I'd appreciate any pointers on where to go.
Comment 3 Tyler Downer [:Tyler] 2009-07-18 15:57:22 PDT
Well may help, but did the chat yield anything? I am trying to track some stuff down now.
Comment 4 Tyler Downer [:Tyler] 2009-07-18 15:57:50 PDT
Sorry for the spam,
Comment 5 Alex Vincent [:WeirdAl] 2009-07-18 16:08:04 PDT
Thanks for the false positive link:

False Positive Submission

Your submission has been sent Sat Jul 18 16:03:32 2009

To make another submission, click on False Positive Form

Symantec Security Response
Comment 6 Tyler Downer [:Tyler] 2009-07-18 16:14:15 PDT
well, for now, INVALID.
Comment 7 Tomas 2009-08-16 06:04:06 PDT
Time to close this bug?
Comment 8 Justin Wood (:Callek) 2010-05-06 16:18:10 PDT
I was also frequently getting this error with TrendMicro.

After consulting with mrbkap on IRC was able to come up with a fix for my use.

Axel if you still have the antivirus you used to report this can you please re-test with m-c and let us know if this fixes it?

Pushed As:
Comment 9 Justin Wood (:Callek) 2010-05-06 16:20:45 PDT
Created attachment 443987 [details] [diff] [review]
Patch as pushed

Requesting approval for 1.9.2 and 1.9.1; This is very very low risk and ensures that developer's virus scans don't mess up the Hg Repo unannounced.
Comment 10 Bill Gianopoulos [:WG9s] 2010-05-06 17:19:42 PDT
Ah so Symantec is basing there anti-virus detection on the name you use for a function?  Really?  QWe need to out them.  They need to do a better job of real detection than this.
Comment 11 Justin Wood (:Callek) 2010-05-06 18:38:06 PDT
(In reply to comment #10)
> Ah so Symantec is basing there anti-virus detection on the name you use for a
> function?  Really?  QWe need to out them.  They need to do a better job of real
> detection than this.

For the record I only tested with TrendMicro, but I suspect this is the same issue.  It is also why I asked Alex to verify if this fixes with the other scanners.
Comment 12 Alex Vincent [:WeirdAl] 2010-05-06 19:00:44 PDT
Oh, oops.  I saw "Axel" in comment 8 and thought you meant someone else, a la Pike.  :)

No, I've since upgraded software, so I can't really retest this.
Comment 13 Daniel Veditz [:dveditz] 2010-05-19 11:13:17 PDT
Comment on attachment 443987 [details] [diff] [review]
Patch as pushed

Approved for and, a=dveditz
Comment 14 Marco Bonardo [::mak] 2010-06-21 15:52:38 PDT
Comment 15 Justin Wood (:Callek) 2010-06-21 21:07:27 PDT

Note You need to log in before you can comment on or make changes to this bug.