Closed Bug 508012 Opened 15 years ago Closed 15 years ago

virus warning 3.5.2 and 3.0.13 windows installers

Categories

(Release Engineering :: General, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kotemaru27, Assigned: cbook)

References

Details

User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; ja; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; ja; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1

I downloaded the Firefox installer and ran a virus check.

ftp://ftp.mozilla.org/pub/firefox/releases/3.5.2/win32/ja/Firefox Setup 3.5.2.exe
(7874 KB, 2009/07/30 23:43:00)

> clamscan 'Firefox Setup 3.5.2.exe'
Firefox Setup 3.5.2.exe: Trojan.Downloader-73889 FOUND

> gpg --verify 'Firefox Setup 3.5.2.exe.asc' 'Firefox Setup 3.5.2.exe'
Warning: using insecure memory!
gpg: Signature made Fri Jul 31 09:29:18 2009 JST using DSA key ID 17785FE8
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: Note: This key has expired!
Primary key fingerprint: 8D6F 1BA4 A340 4DDB 3F2F  D080 7447 4499 8123 47DD
     Subkey fingerprint: 3338 E6BA FF10 3B3D A6A9  E424 B57B 5484 1778 5FE8


No problem?


Reproducible: Always
For the gpg key, you need to refresh the key you have imported; see
 ftp://ftp.mozilla.org/pub/firefox/releases/3.5.2/KEY
or pgp.mit.edu/pgpkeys.mit.edu.

Investigating the ClamAV finding.
I verified it with a new key.

> gpg --verify 'Firefox Setup 3.5.2.exe.asc' 'Firefox Setup 3.5.2.exe'
Warning: using insecure memory!
gpg: Signature made Fri Jul 31 09:29:18 2009 JST using DSA key ID 17785FE8
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8D6F 1BA4 A340 4DDB 3F2F  D080 7447 4499 8123 47DD
     Subkey fingerprint: 3338 E6BA FF10 3B3D A6A9  E424 B57B 5484 1778 5FE8
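The two gpg runs above show why the human-readable output is a poor basis for an automated decision: both print "Good signature", the first adds "Note: This key has expired!" (a stale keyring, fixed by refreshing the key as suggested in the earlier comment), and the second adds the "not certified with a trusted signature" warning, which is about the web of trust and says nothing about whether this is the key Mozilla publishes. The example below is added here and is not from the bug or from Mozilla's release tooling. It asks gpg for its machine-readable status lines (`--status-fd 1`), pins the full fingerprints printed in the bug rather than the 32-bit key ID 17785FE8, and maps the result to ACCEPT, REFRESH_KEY or REJECT. The status lines it is exercised on are constructed to mirror the two runs in the bug, not captured from gpg; `verify_release` assumes gpg is on PATH.

```python
"""Turn a gpg --verify run into a release-acceptance decision.

Added example; not from the bug report and not Mozilla's tooling.  It reads
the machine-readable status lines gpg writes with --status-fd instead of the
human text, and pins the full key fingerprints printed in the bug rather than
the 32-bit key ID 17785FE8, which is cheap to collide.
"""
import subprocess

# Fingerprints of "Mozilla Software Releases" exactly as gpg printed them in
# the bug (primary key and the DSA signing subkey), obtained out of band.
PINNED_FINGERPRINTS = {
    "8D6F 1BA4 A340 4DDB 3F2F  D080 7447 4499 8123 47DD",   # primary key
    "3338 E6BA FF10 3B3D A6A9  E424 B57B 5484 1778 5FE8",   # signing subkey
}
# Status keywords that mean "do not trust this file", whatever else is printed.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG"}


def _norm(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def gpg_verify_cmd(sig_path: str, file_path: str) -> list:
    """gpg invocation whose stdout carries the [GNUPG:] status lines."""
    return ["gpg", "--status-fd", "1", "--verify", sig_path, file_path]


def evaluate(status_lines, pinned=PINNED_FINGERPRINTS) -> dict:
    """Map gpg status lines to ACCEPT, REFRESH_KEY or REJECT."""
    pinned = {_norm(f) for f in pinned}
    good = expired = fpr_ok = False
    reasons = []
    for raw in status_lines:
        tok = raw.split()
        if len(tok) < 2 or tok[0] != "[GNUPG:]":
            continue
        kw = tok[1]
        if kw == "GOODSIG":                 # "Good signature from ..."
            good = True
        elif kw == "EXPKEYSIG":             # "Good signature" + "Note: This key has expired!"
            good = expired = True
        elif kw in FATAL:
            reasons.append(kw)
        elif kw == "VALIDSIG":
            # VALIDSIG <signing-key fpr> <date> <ts> <expire> <ver> <res>
            #          <pk-algo> <hash-algo> <class> [<primary-key fpr>]
            seen = {_norm(tok[2])}
            if len(tok) >= 12:
                seen.add(_norm(tok[-1]))
            fpr_ok = bool(seen & pinned)
            if not fpr_ok:
                reasons.append("signing key %s is not pinned" % tok[2])
        # TRUST_UNDEFINED etc. ("not certified with a trusted signature") only
        # describe the web of trust; the pinned fingerprint replaces it here.
    if not good:
        reasons.append("no good signature")
    if reasons or not fpr_ok:
        verdict = "REJECT"
    elif expired:
        verdict = "REFRESH_KEY"   # refresh the key from the release KEY file and re-run
    else:
        verdict = "ACCEPT"
    return {"verdict": verdict, "good_signature": good, "key_expired": expired,
            "fingerprint_pinned": fpr_ok, "reasons": reasons}


def verify_release(sig_path: str, file_path: str) -> dict:
    """Run gpg (assumed to be on PATH) and evaluate its status output."""
    proc = subprocess.run(gpg_verify_cmd(sig_path, file_path),
                          capture_output=True, text=True)
    return evaluate(proc.stdout.splitlines())


# Constructed status output modelled on the two runs in the bug (not captured
# from gpg); key IDs and fingerprints are the ones the bug prints.
RUN_EXPIRED_KEYRING = [
    "[GNUPG:] KEYEXPIRED 1246406400",
    "[GNUPG:] EXPKEYSIG B57B548417785FE8 Mozilla Software Releases <releases@mozilla.org>",
    "[GNUPG:] VALIDSIG 3338E6BAFF103B3DA6A9E424B57B548417785FE8 2009-07-31 1249000158 0 4 0 17 2 00 8D6F1BA4A3404DDB3F2FD08074474499812347DD",
]
RUN_REFRESHED_KEYRING = [
    "[GNUPG:] GOODSIG B57B548417785FE8 Mozilla Software Releases <releases@mozilla.org>",
    "[GNUPG:] VALIDSIG 3338E6BAFF103B3DA6A9E424B57B548417785FE8 2009-07-31 1249000158 0 4 0 17 2 00 8D6F1BA4A3404DDB3F2FD08074474499812347DD",
    "[GNUPG:] TRUST_UNDEFINED",
]
RUN_TAMPERED_FILE = [
    "[GNUPG:] BADSIG B57B548417785FE8 Mozilla Software Releases <releases@mozilla.org>",
]
RUN_LOOKALIKE_KEY = [   # same user ID, different key: a "Good signature" that must not pass
    "[GNUPG:] GOODSIG DEADBEEFDEADBEEF Mozilla Software Releases <releases@mozilla.org>",
    "[GNUPG:] VALIDSIG " + "DEADBEEF" * 5 + " 2009-07-31 1249000158 0 4 0 17 2 00 " + "CAFEBABE" * 5,
]

if __name__ == "__main__":
    for name in ("RUN_EXPIRED_KEYRING", "RUN_REFRESHED_KEYRING",
                 "RUN_TAMPERED_FILE", "RUN_LOOKALIKE_KEY"):
        print(name, evaluate(globals()[name])["verdict"])
```

The lookalike case is the one the "not certified" warning is really about: anyone can generate a key with the user ID "Mozilla Software Releases <releases@mozilla.org>" and get a "Good signature" against it, so the check that matters is the fingerprint comparison, not the trust warning.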
VirusTotal gives 5 out of 41 scanners reporting a problem:

Antivirus	Version	Last Update	Result
Authentium	5.1.2.4	2009.08.02	W32/Downldr2.GAZE
ClamAV	0.94.1	2009.08.03	Trojan.Downloader-73889
eSafe	7.0.17.0	2009.07.30	Suspicious File
F-Prot	4.4.4.56	2009.08.02	W32/Downldr2.GAZE
VirusBuster	4.6.5.0	2009.08.02	Trojan.DL.Banload.ASKT

ClamAV reports all the 3.5.2 and 3.0.13 installers have Trojan.Downloader-73889. None of these AV outfits have any information on their websites to describe what they've found. Yet another false positive?
Status: UNCONFIRMED → NEW
Component: General → Release Engineering
Ever confirmed: true
Product: Firefox → mozilla.org
QA Contact: general → release
Summary: virus warning 'Firefox Setup 3.5.2.exe' → virus warning 3.5.2 and 3.0.13 windows installers
Version: unspecified → other
Working on informing the AV vendors about those false positive results.
The installer is made up of a 7zip self extractor (sfx) followed by a 7zip archive. The sfx lives at 
 http://hg.mozilla.org/releases/mozilla-1.9.1/file/a6308d41af58/other-licenses/7zstub/firefox/7zSD.sfx
and hasn't changed in ages.

What has changed is that we're using a new machine for signing, and UPX compression on the sfx. 

Using ClamWin, 
* memory and upx utility scans clean
* uncompressed 7zSD.sfx is clean and matches hash of repository version
* compressed with 'upx --best' is "infected" with Trojan.Downloader-73889
* compressed with upx defaults is clean
* compressed with upx --best and then decompressed is clean (but not identical to what it started with)

Can you guess what settings we used? Yep, upx --best. Conclusion: AV false positive.
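The bisection above (unpacked 7zSD.sfx clean and matching the repository hash, `upx --best` flagged, UPX defaults clean) can be reproduced locally on a downloaded installer without running the AV engines, by looking at the stub on its own. The script below is an added example, not Mozilla's build or release tooling. It splits an installer at the first 7z signature header into the SFX stub and the archive, reads the stub's PE section table to see whether it carries the UPX0/UPX1 sections UPX writes, and hashes the stub so it can be compared against a known-good 7zSD.sfx. The installers it analyses are constructed in `build_sample_installer`, not real Firefox builds; the split is a heuristic that treats everything before the archive signature, including any installer config text, as the stub.

```python
"""Inspect a 7-Zip SFX installer: split stub from archive, detect UPX packing,
hash the stub.  Added example, not Mozilla's build or release tooling."""
import hashlib
import struct

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 7z archive signature header


def split_sfx(installer: bytes):
    """Split at the first 7z signature after the MZ header.

    Everything before it (the sfx stub plus any installer config text) is
    returned as 'stub'; the real 7zSD.sfx finds its payload the same way."""
    off = installer.find(SEVENZIP_MAGIC, 2)
    if off < 0:
        raise ValueError("no 7z archive found after the stub")
    return installer[:off], installer[off:]


def pe_section_names(pe: bytes):
    """Return the section names from a PE image's section table ([] if not PE)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = pe[table + 40 * i: table + 40 * i + 8]   # 40-byte entries, 8-byte name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(pe: bytes) -> bool:
    """UPX names the sections it creates UPX0/UPX1 (UPX2 when resources are kept)."""
    return any(n.startswith("UPX") for n in pe_section_names(pe))


def analyse(installer: bytes, known_stub_sha256: str = None) -> dict:
    """Summarise one installer; known_stub_sha256 is the hash of a trusted 7zSD.sfx."""
    stub, archive = split_sfx(installer)
    digest = hashlib.sha256(stub).hexdigest()
    return {
        "stub_size": len(stub),
        "archive_size": len(archive),
        "stub_sha256": digest,
        "upx_packed": is_upx_packed(stub),
        "stub_matches_known": (digest == known_stub_sha256) if known_stub_sha256 else None,
    }


def build_sample_installer(section_names, payload: bytes = b"app.7z bytes") -> bytes:
    """Constructed test input: a minimal PE (no optional header) + a fake 7z archive."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    stub = bytes(dos) + b"PE\0\0" + coff + sections + bytes(16)
    return stub + SEVENZIP_MAGIC + payload


if __name__ == "__main__":
    for label, names in (("upx --best", ["UPX0", "UPX1", ".rsrc"]),
                         ("unpacked", [".text", ".data", ".rsrc"])):
        print(label, analyse(build_sample_installer(names)))
```

On a real installer, run `analyse(open(path, "rb").read(), known)` with `known` taken from an unpacked 7zSD.sfx built from the repository revision linked above; a packed stub will not match that hash even though its contents are the same, which is the case the AV signatures tripped on.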
(In reply to comment #5)
> 
> Using ClamWin, 
> * memory and upx utility scans clean
> * uncompressed 7zSD.sfx is clean and matches hash of repository version
> * compressed with 'upx --best' is "infected" with Trojan.Downloader-73889

Would it be possible to get this compressed file here as an attachment, so we would have a test case for the AV vendors?
We have run into that problem a number of times with SeaMonkey installers, the 7z pieces are repeatedly mistaken for a Trojan by one or the other AV tool. It would be nice if we'd find a permanent solution to this...
Note: all the mentioned AV companies have been informed by me around 8-8:30am PST.

(In reply to comment #3)
> VirusTotal gives 5 out of 41 scanners reporting a problem:
> 
> Antivirus    Version    Last Update    Result
> Authentium    5.1.2.4    2009.08.02    W32/Downldr2.GAZE
> ClamAV    0.94.1    2009.08.03    Trojan.Downloader-73889
> eSafe    7.0.17.0    2009.07.30    Suspicious File
> F-Prot    4.4.4.56    2009.08.02    W32/Downldr2.GAZE
> VirusBuster    4.6.5.0    2009.08.02    Trojan.DL.Banload.ASKT
> 
> ClamAV reports all the 3.5.2 and 3.0.13 installers have
> Trojan.Downloader-73889. None of these AV outfits have any information on their
> websites to describe what they've found. Yet another false positive ?
feedback from

authentium:
Dear Carsten:
Your reference number is: 090803-000004

We received the virus sample and our virus lab has determined this to be a false positive. An update will be included in the next virus definition file update. Once this definition file is applied, the file will no longer be detected as a virus.

Authentium Technical Support Team

and from virusbuster:

Hi,

this is a confirmed false positive. Our detection will be removed with the next signature release, scheduled tomorrow.
and additional response from virusbuster:

"we have released an out-of-band signature release, with the detection removed."
We won't block the Firefox 3.5.2 or 3.0.13 releases because of this issue.

Tomcat: Thanks for emailing the vendors. :)
At this point, VirusTotal has:

Antivirus	Version	Last Update	Result
ClamAV	0.94.1	2009.08.03	Trojan.Downloader-73889
eSafe	7.0.17.0	2009.08.03	Suspicious File

The other 38 are clean.
(In reply to comment #12)
> At this point, VirusTotal has:
> 
> Antivirus    Version    Last Update    Result
> ClamAV    0.94.1    2009.08.03    Trojan.Downloader-73889
> eSafe    7.0.17.0    2009.08.03    Suspicious File
> 
> The other 38 are clean.

Currently only eSafe is left on this list; all other 39 are clean, and eSafe is working on this.
Assignee: nobody → cbook
Note: it seems that McAfee VirusScan also had false positive reports for a while today, and I also saw a report for Avira in Hendrix. Informed Avira about this issue.
(In reply to comment #7)
> We have run into that problem a number of times with SeaMonkey installers, the
> 7z pieces are repeatedly mistaken for a Trojan by one or the other AV tool. It
> would be nice if we'd find a permanent solution to this...

Same for Sunbird. Thumbs up, if you can come up with a permanent solution.
Marking this bug as fixed now. The virus scan result for eSafe on virustotal.com is not from a version that is shipped to end users.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering