Closed
Bug 757568
Opened 12 years ago
Closed 12 years ago
Avast! 7.0.1426 120522-0 detected Win32:Zlob-BKB[Tr] updater.exe in hourly build since c20d415ef1b5
Categories
(Toolkit :: Application Update, defect)
RESOLVED
WORKSFORME
People
(Reporter: alice0775, Unassigned)
References
Details
(Keywords: relnote)
Avast! 7.0.1426 120522-0 detected Win32:Xlob-BKB[Tr] updater.exe when downloaded from a Tinderbox build.
avast! blocked the following tinderbox hourly builds:
http://hg.mozilla.org/mozilla-central/rev/c20d415ef1b5
http://hg.mozilla.org/integration/mozilla-inbound/rev/c54039aa8dcc
http://hg.mozilla.org/integration/mozilla-inbound/rev/00460dbefffa
http://hg.mozilla.org/integration/mozilla-inbound/rev/7a6feee6c13c
but not the Nightly build:
http://hg.mozilla.org/mozilla-central/c20d415ef1b5
Reporter
Updated•12 years ago
Summary: in hourly build since c20d415ef1b5 → Avast! 7.0.1426 120522-0 detected Win32:Xlob-BKB[Tr] updater.exe in hourly build since c20d415ef1b5
Reporter
Updated•12 years ago
Summary: Avast! 7.0.1426 120522-0 detected Win32:Xlob-BKB[Tr] updater.exe in hourly build since c20d415ef1b5 → Avast! 7.0.1426 120522-0 detected Win32:Zlob-BKB[Tr] updater.exe in hourly build since c20d415ef1b5
Comment 1•12 years ago
This is probably a false positive. Kev, do you know what we do in these cases?
Comment 2•12 years ago
We should probably open up a support ticket with Avast for now
Comment 3•12 years ago
We should relnote this kind of thing and outline the need to add nightlies (or any other unsigned binary) to an exclusion list manually, because we'll continue to see this as we update the executables. A lot of AV companies look for the presence of a valid cert if they see an unknown binary that exhibits suspicious behaviour (lots of file and network I/O, etc.), which Firefox hits quite a bit. We can file a ticket with Avast, but because it's a binary that changes on a very regular basis, adding a signature isn't something that'll help a whole lot. The best way to address it is for the user to add a manual exclusion, or for us to sign the bins with a valid authenticode cert. The former is probably the simplest.
Comment 4•12 years ago
The Nightly builds should already be signed with a valid authenticode cert so I guess we'll see if it's gone tonight. It does differ from the cert used for release/beta though, but it is still valid.
Comment 5•12 years ago
If we hit this with signed binaries, let me know, and I'll ping the folks at Avast directly to see if there's anything we need to do. Are the hourlies signed, too? If not, that's probably what we're hitting (but we can hit it on signature, too, sometimes)
Comment 7•12 years ago
(In reply to Ehsan Akhgari [:ehsan] from comment #6)
> Do we sign hourly builds too?
We do! They're signed with invalid (self-signed) certs though.
Comment 8•12 years ago
Avast probably verifies cert trust to make sure the binary is signed by something from a trusted authority. The Nightly builds are signed by a cert that is issued by Thawte so it should be fine.
Comment 9•12 years ago
OK, can someone please test with the build in http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-05-22-08-02-20-mozilla-central/? This is a Nightly from mozilla-central.
Comment 10•12 years ago
Kev: ping?
Reporter
Comment 11•12 years ago
(In reply to Ehsan Akhgari [:ehsan] from comment #9)
> OK, can someone please test with the build in
> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-05-22-08-02-20-mozilla-central/?
> This is a Nightly from mozilla-central.
Nightly build : not detected
http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-win32/1339063075/firefox-16.0a1.en-US.win32.zip
Hourly build : detected
http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-win32/1339062679/firefox-16.0a1.en-US.win32.zip
Comment 12•12 years ago
(In reply to Kev [:kev] Needham from comment #5)
> If we hit this with signed binaries, let me know, and I'll ping the folks at
> Avast directly to see if there's anything we need to do. Are the hourlies
> signed, too? If not, that's probably what we're hitting (but we can hit it
> on signature, too, sometimes)
Kev, ping. Can you please reach out to Avast directly?
Comment 13•12 years ago
I get the same virus warning for a tryserver build using GData Internet Security 2013. http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-b51f34a5b5c1/try-win32/
Comment 14•12 years ago
It sounds like they are just using the check "Is this signed by a trusted authority". The Nightly builds are signed by a trusted authority, the tinderbox builds are signed by an untrusted authority.
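The trust distinction drawn in this comment can be checked locally on an unpacked build. The following PowerShell is an added example, not part of the bug thread or Mozilla's tooling; the `$BuildDir` path and the function name `Get-BuildSignatureReport` are assumptions for illustration.

```powershell
# Added example: report Authenticode status for every PE file in an unpacked build.
# $BuildDir is a hypothetical path to an extracted firefox-*.win32.zip.
param(
    [string]$BuildDir = '.\firefox'
)

function Get-BuildSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            # Windows validates the embedded signature and its chain against
            # the local trust store; Status reflects the outcome.
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate

            [pscustomobject]@{
                File       = $_.Name
                Status     = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                # Heuristic: a signer cert whose subject equals its issuer
                # was issued by itself rather than by a certificate authority.
                SelfSigned = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
                Issuer     = if ($cert) { $cert.Issuer } else { $null }
                Detail     = $sig.StatusMessage
            }
        }
}

$report = Get-BuildSignatureReport -Path $BuildDir

# Full picture: a Nightly should show Valid with a CA issuer,
# an hourly build a signature present but not trusted.
$report | Sort-Object Status, File |
    Format-Table File, Status, SelfSigned, Issuer -AutoSize

# Files whose signature is missing or does not validate on this machine.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-List File, Status, SelfSigned, Detail
```

Running it against both a Nightly and a tinderbox build shows whether updater.exe differs in signature status between the two, which is the variable this comment singles out.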
Comment 15•12 years ago
I ran the win32.zip through the virustotal.com scanning site. That site says "virus" using Avast and GData. All the other virus scanning tools don't find any virus.
Comment 16•12 years ago
(In reply to Brian R. Bondy [:bbondy] from comment #14)
> It sounds like they are just using the check "Is this signed by a trusted
> authority". The Nightly builds are signed by a trusted authority, the
> tinderbox builds are signed by an untrusted authority.
But that doesn't explain why this started to happen since bug 307181... Kai, can you please try an older try build and see if the same thing happens?
Comment 17•12 years ago
I have a backup of a try build from May 21 at
http://kuix.de/mozilla/tryserver-roots-20120521/firefox-15.0a1.en-US.win32.zip
(Original url was http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-0aea1af6cb90/ which has already been deleted.)
For that older file, all tools at virustotal.com report: No Virus
Reporter
Comment 18•12 years ago
I cannot reproduce any more in hourly builds. I tested with Avast!7.0.1426+120619-0.
Fixed range(m-c)
Detected: http://hg.mozilla.org/mozilla-central/rev/6a2100ce978f
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0a1 ID:20120609135833
Not detected: http://hg.mozilla.org/mozilla-central/rev/dc410944aabc
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0a1 ID:20120609190533
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6a2100ce978f&tochange=dc410944aabc
Fixed range(m-i)
Detected: http://hg.mozilla.org/integration/mozilla-inbound/rev/5b1e6a274426
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0a1 ID:20120608093153
Not detected: http://hg.mozilla.org/integration/mozilla-inbound/rev/6536514d4baf
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0a1 ID:20120608103255
Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5b1e6a274426&tochange=6536514d4baf
It seems to be fixed by Bug 762071