Closed Bug 757568 Opened 12 years ago Closed 12 years ago

Avast! 7.0.1426 120522-0 detected Win32:Zlob-BKB[Tr] updater.exe in hourly build since c20d415ef1b5

Categories: Toolkit :: Application Update, defect
Version: 15 Branch
Platform: x86, Windows 7
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME
Reporter: alice0775 (Unassigned)
Keywords: relnote

Summary: in hourly build since c20d415ef1b5 → Avast! 7.0.1426 120522-0 detected Win32:Xlob-BKB[Tr] updater.exe in hourly build since c20d415ef1b5
Summary: Avast! 7.0.1426 120522-0 detected Win32:Xlob-BKB[Tr] updater.exe in hourly build since c20d415ef1b5 → Avast! 7.0.1426 120522-0 detected Win32:Zlob-BKB[Tr] updater.exe in hourly build since c20d415ef1b5
This is probably a false positive.  Kev, do you know what we do in these cases?
We should probably open up a support ticket with Avast for now
We should relnote this kind of thing and outline the need to add nightlies (or any other unsigned binary) to an exclusion list manually, because we'll continue to see this as we update the executables. A lot of AV companies look for the presence of a valid cert if they see an unknown binary that exhibits suspicious behaviour (lots of file and network I/O, etc.), which Firefox hits quite a bit. We can file a ticket with Avast, but because it's a binary that changes on a very regular basis, adding a signature isn't something that'll help a whole lot.

The best way to address it is for the user to add a manual exclusion, or for us to sign the bins with a valid authenticode cert. The former is probably the simplest.
The Nightly builds should already be signed with a valid authenticode cert so I guess we'll see if it's gone tonight.  It does differ from the cert used for release/beta though, but it is still valid.
If we hit this with signed binaries, let me know, and I'll ping the folks at Avast directly to see if there's anything we need to do. Are the hourlies signed, too? If not, that's probably what we're hitting (but we can hit it on signature, too, sometimes)
Do we sign hourly builds too?
Keywords: relnote
(In reply to Ehsan Akhgari [:ehsan] from comment #6)
> Do we sign hourly builds too?

We do! They're signed with invalid (self-signed) certs though.
Avast probably verifies cert trust to make sure the binary is signed by something from a trusted authority. The Nightly builds are signed by a cert that is issued by Thawte so it should be fine.
OK, can someone please test with the build in http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-05-22-08-02-20-mozilla-central/?  This is a Nightly from mozilla-central.
Kev: ping?
(In reply to Kev [:kev] Needham from comment #5)
> If we hit this with signed binaries, let me know, and I'll ping the folks at
> Avast directly to see if there's anything we need to do. Are the hourlies
> signed, too? If not, that's probably what we're hitting (but we can hit it
> on signature, too, sometimes)

Kev, ping. Can you please reach out to Avast directly?
I get the same virus warning for a tryserver build using GData Internet Security 2013.

http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-b51f34a5b5c1/try-win32/
It sounds like they are just using the check "Is this signed by a trusted authority".  The Nightly builds are signed by a trusted authority, the tinderbox builds are signed by an untrusted authority.
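The trust check described in the two comments above (a binary signed by a trusted authority versus one signed by a self-signed or otherwise untrusted cert, versus not signed at all) can be reproduced locally with Get-AuthenticodeSignature. This is an added example, not code from the bug or from Mozilla's build system; the file path is a placeholder.

```powershell
# Added example: classify an executable's Authenticode state the way the
# thread describes AV products doing it. Path below is a placeholder.
function Get-SignatureTrustClass {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Self-signed or unknown-root certs typically come back as UnknownError
    # (chain terminates in an untrusted root) or NotTrusted, not as NotSigned.
    $class = switch ($sig.Status) {
        'Valid'        { 'trusted-signature' }
        'NotSigned'    { 'unsigned' }
        'UnknownError' { 'signed-untrusted-chain' }
        'NotTrusted'   { 'signed-untrusted-chain' }
        'HashMismatch' { 'tampered-or-corrupt' }
        default        { "other:$($sig.Status)" }
    }

    # Independently build the chain so the issuer and trust result are visible
    # even when Status alone is ambiguous.
    $issuer  = $null
    $chainOk = $false
    if ($sig.SignerCertificate) {
        $issuer = $sig.SignerCertificate.Issuer
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; no CRL/OCSP
        $chainOk = $chain.Build($sig.SignerCertificate)
    }

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Class         = $class
        Issuer        = $issuer
        ChainBuilds   = $chainOk
    }
}

# Placeholder path: point this at the updater.exe from a downloaded build.
Get-SignatureTrustClass -Path 'C:\path\to\updater.exe' | Format-List
```

A Nightly signed with a CA-issued cert reports Valid with ChainBuilds True; a tinderbox/try build signed with a self-signed cert reports signed-untrusted-chain, which is the distinction the AV heuristic appears to key on.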
I ran the win32.zip through the virustotal.com scanning site. 

That site says "virus" using Avast and GData.

All the other virus scanning tools don't find any virus.
(In reply to Brian R. Bondy [:bbondy] from comment #14)
> It sounds like they are just using the check "Is this signed by a trusted
> authority".  The Nightly builds are signed by a trusted authority, the
> tinderbox builds are signed by an untrusted authority.

But that doesn't explain why this started to happen since bug 307181...

Kai, can you please try an older try build and see if the same thing happens?
I have a backup of a try build from May 21 at
http://kuix.de/mozilla/tryserver-roots-20120521/firefox-15.0a1.en-US.win32.zip

(Original url was http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-0aea1af6cb90/ which has already been deleted.)

For that older file, all tools at virustotal.com report: No Virus
I cannot reproduce any more in hourly builds.

I tested with Avast!7.0.1426+120619-0.

Fixed range (m-c)
Detected:
http://hg.mozilla.org/mozilla-central/rev/6a2100ce978f
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0a1 ID:20120609135833
Not detected:
http://hg.mozilla.org/mozilla-central/rev/dc410944aabc
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0a1 ID:20120609190533
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6a2100ce978f&tochange=dc410944aabc

Fixed range (m-i)
Detected:
http://hg.mozilla.org/integration/mozilla-inbound/rev/5b1e6a274426
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0a1 ID:20120608093153
Not detected:
http://hg.mozilla.org/integration/mozilla-inbound/rev/6536514d4baf
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/16.0 Firefox/16.0a1 ID:20120608103255
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5b1e6a274426&tochange=6536514d4baf

It seems to be fixed by Bug 762071
Status: NEW → RESOLVED
Closed: 12 years ago
Depends on: 762071
Resolution: --- → WORKSFORME