virus warning 3.5.2 and 3.0.13 windows installers

RESOLVED FIXED

Status

RESOLVED FIXED
10 years ago
5 years ago

People

(Reporter: kotemaru27, Assigned: cbook)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; ja; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; ja; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1

I download firefox instller and virus check.

ftp://ftp.mozilla.org/pub/firefox/releases/3.5.2/win32/ja/Firefox Setup 3.5.2.exe
 	7874 KB 	2009/07/30 23:43:00

> clamscan 'Firefox Setup 3.5.2.exe'
Firefox Setup 3.5.2.exe: Trojan.Downloader-73889 FOUND

> gpg --verify 'Firefox Setup 3.5.2.exe.asc' 'Firefox Setup 3.5.2.exe'
Warning: using insecure memory!
gpg: Signature made Fri Jul 31 09:29:18 2009 JST using DSA key ID 17785FE8
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: Note: This key has expired!
Primary key fingerprint: 8D6F 1BA4 A340 4DDB 3F2F  D080 7447 4499 8123 47DD
     Subkey fingerprint: 3338 E6BA FF10 3B3D A6A9  E424 B57B 5484 1778 5FE8


No problem ?


Reproducible: Always
For the gpg key you need to refresh the key you have imported, see
 ftp://ftp.mozilla.org/pub/firefox/releases/3.5.2/KEY
or pgp.mit.edu/pgpkeys.mit.edu.

Investigating the ClamAV finding.
(Reporter)

Comment 2

10 years ago
I verified it with a new key.

> gpg --verify 'Firefox Setup 3.5.2.exe.asc' 'Firefox Setup 3.5.2.exe'
Warning: using insecure memory!
gpg: Signature made Fri Jul 31 09:29:18 2009 JST using DSA key ID 17785FE8
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8D6F 1BA4 A340 4DDB 3F2F  D080 7447 4499 8123 47DD
     Subkey fingerprint: 3338 E6BA FF10 3B3D A6A9  E424 B57B 5484 1778 5FE8
VirusTotal gives 5 out of 41 scanners reporting a problem:

Antivirus	Version	Last Update	Result
Authentium	5.1.2.4	2009.08.02	W32/Downldr2.GAZE
ClamAV	0.94.1	2009.08.03	Trojan.Downloader-73889
eSafe	7.0.17.0	2009.07.30	Suspicious File
F-Prot	4.4.4.56	2009.08.02	W32/Downldr2.GAZE
VirusBuster	4.6.5.0	2009.08.02	Trojan.DL.Banload.ASKT

ClamAV reports all the 3.5.2 and 3.0.13 installers have Trojan.Downloader-73889. None of these AV outfits have any information on their websites to describe what they've found. Yet another false positive ?
Status: UNCONFIRMED → NEW
Component: General → Release Engineering
Ever confirmed: true
Product: Firefox → mozilla.org
QA Contact: general → release
Summary: virus warning 'Firefox Setup 3.5.2.exe' → virus warning 3.5.2 and 3.0.13 windows installers
Version: unspecified → other
(Assignee)

Comment 4

10 years ago
working on informing the AV Vendors about that false positive results
The installer is made up of a 7zip self extractor (sfx) followed by a 7zip archive. The sfx lives at 
 http://hg.mozilla.org/releases/mozilla-1.9.1/file/a6308d41af58/other-licenses/7zstub/firefox/7zSD.sfx
and hasn't changed in ages.

What has changed is that we're using a new machine for signing, and UPX compression on the sfx. 

Using ClamWin, 
* memory and upx utility scans clean
* uncompressed 7zSD.sfx is clean and matches hash of repository version
* compressed with 'upx --best' is "infected" with Trojan.Downloader-73889
* compressed with upx defaults is clean
* compressed with upx --best and then decompressed is clean (but not identical to what it started with)

Can you guess what settings we used ? Yep, upx --best. Conclusion: AV false positive.
(Assignee)

Comment 6

10 years ago
(In reply to comment #5)
> 
> Using ClamWin, 
> * memory and upx utility scans clean
> * uncompressed 7zSD.sfx is clean and matches hash of repository version
> * compressed with 'upx --best' is "infected" with Trojan.Downloader-73889

would it be possible to get this compressed file here as attachment so we would have a testcase for this case for the AV Vendors ?

Comment 7

10 years ago
We have run into that problem a number of times with SeaMonkey installers, the 7z pieces are repeatedly mistaken for a Trojan by one or the other AV tool. It would be nice if we'd find a permanent solution to this...
(Assignee)

Comment 8

10 years ago
note: all the mentioned AV Companies have been informed around 8- 8:30am PST by me.

(In reply to comment #3)
> VirusTotal gives 5 out of 41 scanners reporting a problem:
> 
> Antivirus    Version    Last Update    Result
> Authentium    5.1.2.4    2009.08.02    W32/Downldr2.GAZE
> ClamAV    0.94.1    2009.08.03    Trojan.Downloader-73889
> eSafe    7.0.17.0    2009.07.30    Suspicious File
> F-Prot    4.4.4.56    2009.08.02    W32/Downldr2.GAZE
> VirusBuster    4.6.5.0    2009.08.02    Trojan.DL.Banload.ASKT
> 
> ClamAV reports all the 3.5.2 and 3.0.13 installers have
> Trojan.Downloader-73889. None of these AV outfits have any information on their
> websites to describe what they've found. Yet another false positive ?
(Assignee)

Comment 9

10 years ago
feedback from

authentium:
Dear Carsten:
Your reference number is: 090803-000004

We received the virus sample and our virus lab has determined this to be a false positive. An update will be included in the next virus definition file update. Once this definition file is applied, the file will no longer be detected as a virus.

Authentium Technical Support Team

and from virusbuster:

Hi,

this is a confirmed false positive. Our detection will be removed with the next signature release, scheduled tomorrow.
(Assignee)

Comment 10

10 years ago
and additional response from virusbuster:

"we have released an out-of-band signature release, with the detection removed."
We won't block the Firefox 3.5.2 or 3.0.13 releases because of this issue.

Tomcat: Thanks for emailing the vendors. :)
At this point, TotalVirus has:

Antivirus	Version	Last Update	Result
ClamAV	0.94.1	2009.08.03	Trojan.Downloader-73889
eSafe	7.0.17.0	2009.08.03	Suspicious File

The other 38 are clean.
(Assignee)

Updated

10 years ago
Duplicate of this bug: 508519
(Assignee)

Comment 14

10 years ago
(In reply to comment #12)
> At this point, TotalVirus has:
> 
> Antivirus    Version    Last Update    Result
> ClamAV    0.94.1    2009.08.03    Trojan.Downloader-73889
> eSafe    7.0.17.0    2009.08.03    Suspicious File
> 
> The other 38 are clean.

Currently only esafe is left on this list, all other 39 are clean and esafe is working on this.
Assignee: nobody → cbook
(Assignee)

Comment 15

10 years ago
note: seems that mcafee virusscanner had also false positive reports for a while today and also saw a report for avira in hendrix. Informed avira about this issue.
(In reply to comment #7)
> We have run into that problem a number of times with SeaMonkey installers, the
> 7z pieces are repeatedly mistaken for a Trojan by one or the other AV tool. It
> would be nice if we'd find a permanent solution to this...

Same for Sunbird. Thumbs up, if you can come up with a permanent solution.
(Assignee)

Comment 17

9 years ago
marking this bug as fixed now. The Virus Scan result for esafe on virustotal.com is not a version is that is shipped to end user.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering
You need to log in before you can comment on or make changes to this bug.