harmony-dev mailing list archives

From Alex Blewitt <alex.blew...@gmail.com>
Subject Re: Some virus scanners flag javaw.exe as containing a Trojan
Date Thu, 09 Jun 2011 07:03:11 GMT
The scanner may have a whitelist for a particular path which might be the difference between
the two. 

Alex

Sent from my (old) iPhone

On 9 Jun 2011, at 02:46, Clinton Blackmore <clinton.blackmore@gmail.com> wrote:

> Yes, I agree, the source for that file is fairly simple.  If I understand it
> correctly, it is used for both versions of javaw.exe, so it surprises me
> that one gets flagged as a virus and the other does not.
> 
> I have, in fact, implemented a workaround much like Oliver suggested -- I'm
> not including bin/javaw.exe with my project, and it runs and doesn't set off
> any virus scanners.
> 
> I wish I had some suggestions.  When Sun had a problem like this
> <http://www.java.com/en/download/faq/Trojan3.uj.xml>,
> it appears that they contacted the antiviral vendors and got them to update
> their filters.  This sounds like the proper "fix", as your code is not
> broken; I wonder how difficult it would be to do.
> 
> Thanks again for looking into this.
> 
> Cheers,
> Clinton
> 
> On Wed, Jun 8, 2011 at 2:37 AM, Tim Ellison <t.p.ellison@gmail.com> wrote:
> 
>> Clinton,
>> 
>> Thanks for agreeing to move this conversation onto the developers' list.
>> 
>> I see where the difference has occurred.  I was testing the javaw.exe
>> contained in harmony-6.0-jdk-991881\jre\bin, and you were testing the
>> javaw.exe in harmony-6.0-jdk-991881\bin.
>> 
>> I now get the same results as you from the on-line virus checkers.  My
>> local copy of Symantec considers it safe.
>> 
>> You can see the source for this file [1] is quite simple, though it is
>> creating a child process in a reasonably generic way that might be
>> suspicious to virus checkers.
>> 
>> It would be helpful if other people could also check that this file is
>> safe and post their results here on the dev list.
>> 
>> [1]
>> 
>> http://svn.apache.org/viewvc/harmony/enhanced/java/trunk/jdktools/modules/samsa/src/main/native/samsa/windows/javaw.c?view=markup
>> 
>> Regards,
>> Tim
>> 
>> 
>> On 07/Jun/2011 23:06, Clinton Blackmore wrote:
>>> Hi Tim.
>>> 
>>> Thank you for looking into this.  I must admit that I'm very surprised
>>> that you get different results when scanning than I do.  It makes me
>>> wonder if we are checking different versions.
>>> 
>>> I'm checking the latest stable release of the version 6 JDK, entitled
>>> "Apache Harmony 6.0M3 JDK for 32-bit Windows".  I downloaded it most
>>> recently through this URL and mirror:
>>> 
>>> 
>>> http://apache.mirror.rafal.ca//harmony/milestones/6.0/M3/apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
>>> 
>>> When I check, the zip file has the following checksums:
>>> md5: c3173509225f982fd9f37534d3746362
>>> sha1: b609375c7c6dc0d86931c091c1391cf7c7cdaef6
>>> 
>>> The Harmony download page lists them as:
>>> 
>>> c3173509225f982fd9f37534d3746362  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
>>> 
>>> b609375c7c6dc0d86931c091c1391cf7c7cdaef6  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
>>> 
>>> which match.
>>> 
>>> 
>>> 
>>> When extracted, a folder called harmony-6.0-jdk-991881 is created.
>>> Within the bin directory is javaw.exe, with the following checksums:
>>> 
>>> md5: 7bb1c7fdf083d511eb4bc4937ab41733
>>> sha1: 314ff2031a2da4bae8d188c20bf0f7e39eb3599f
>>> 
>>> 
>>> I did try to check the most recent snapshot, but, while I see several
>>> Harmony builds there, I do not see Harmony 1.6 for Windows, and was thus
>>> unable to download and scan it.
>>> 
>>> I have attached pdf files with the test results that I get.  One of the
>>> scanners provided a permanent link to the results:
>>> 
>>> http://virusscan.jotti.org/en/scanresult/b93c536dc68f1f67bbd14f9b43d9f747b1995459
>>> 
>>> If you could double-check that specific version of Harmony, I would
>>> really appreciate it.  I don't understand how we could get different
>>> results from the same scanners on the same files -- one expects virus
>>> scanners to be deterministic : )
>>> 
>>> 
>>> You have my permission to make all or parts of my comments in the
>>> original note and follow-ups public.  I would be pleased to be able to
>>> point people at a mailing list posting on the subject.
>>> 
>>> Thanks again for all your work on this project.  I'm grateful to be able
>>> to stand on the shoulders of giants.
>>> 
>>> Cheers,
>>> Clinton Blackmore
>>> 
>>> On Tue, Jun 7, 2011 at 3:08 PM, Tim Ellison <t.p.ellison@gmail.com> wrote:
>>> 
>>>    Clinton,
>>> 
>>>    Thanks again for taking the time to tell us about your experience with
>>>    an antivirus program flagging a warning with 'javaw.exe'.
>>> 
>>>    A couple of us have double-checked the files in Apache Harmony's
>>>    distribution, and we are happy that there are no viruses in the
>>>    downloads available from the project.  I agree that it is most likely a
>>>    false positive by a particular virus checker programme.
>>> 
>>>    Just so you know, we have checked the files with the on-line virus
>>>    checkers you mention below, Symantec anti-virus, ClamAV, and Microsoft
>>>    Security Essentials on Windows XP.  Even the on-line virus checkers
>>>    report all clean, unlike your results.
>>> 
>>>    I'm happy to publish these scan results on the public Apache Harmony
>>>    mailing list which will give you a link to share with any concerned
>>>    users.  You should either post your original concern to
>>>    dev@harmony.apache.org, or let me know that you are happy for me to make
>>>    parts of your original note public.
>>> 
>>>    It's always great to hear from people who are using Apache Harmony in
>>>    new and interesting ways.  Thanks again for getting in touch, and good
>>>    luck with Enchanting.
>>> 
>>>    Regards,
>>>    Tim
>>> 
>>> 
>>> 
>>>    On 07/Jun/2011 13:23, Tim Ellison wrote:
>>>> Clinton,
>>>> 
>>>> Thank you for your note which has been passed to the Apache Harmony
>>>> private mailing list as a potential security issue.
>>>> 
>>>> This is just a quick response to let you know it has been received
>>>> safely and we are taking a look at it.
>>>> 
>>>> We'll be in touch shortly with a fuller reply to your observations.
>>>> 
>>>> Regards,
>>>> Tim
>>>> 
>>>>> -------- Original Message --------
>>>>> Subject: Some virus scanners flag javaw.exe as containing a Trojan
>>>>> Date: Mon, 6 Jun 2011 08:32:09 -0600
>>>>> From: Clinton Blackmore <clinton.blackmore@gmail.com>
>>>>> To: security@apache.org
>>>>> 
>>>>> Greetings.
>>>>> 
>>>>> I don't think this is a security vulnerability per se, but I figured I would
>>>>> err on the side of caution.  If you would like me to contact another mailing
>>>>> list or person, please refer me to them and I will be happy to do so.  I did
>>>>> try general net searches and checked the bug database and mailing lists
>>>>> before contacting you.
>>>>> 
>>>>> I am developing an application called Enchanting (
>>>>> http://enchanting.robotclub.ab.ca/ ) to help kids program LEGO robots, and
>>>>> am bundling Apache Harmony with the Windows version -- and I'm grateful for
>>>>> the work of the Harmony team which gives me this option!  I installed it on
>>>>> one of my robotics student's computers, running Windows XP, and his
>>>>> antiviral software flagged javaw.exe as containing a trojan.  (I didn't take
>>>>> down the details).  I did double-check the MD5 and SHA checksums of the
>>>>> release I am using -- Apache Harmony 6.0M3 JDK for 32-bit Windows -- and
>>>>> they match (and I also extracted the zip file again and diffed it against
>>>>> the files I'm releasing, and they match).
>>>>> 
>>>>> I believe the error is a false positive, especially after reading this
>>>>> article from Sun/Oracle:
>>>>> http://www.java.com/en/download/faq/Trojan3.uj.xml.  However, I'm
>>>>> concerned by the remote possibility of a virus, I'd like to
>>>>> be able to assure people that there is not a trojan (perhaps by pointing
>>>>> them to an authoritative document that says so), and I wanted to notify you.
>>>>> 
>>>>> I just tested the file using free online services that will scan a file with
>>>>> multiple virus scanners.  (I don't have the scanner that my student used).
>>>>> 
>>>>>   - At http://virusscan.jotti.org/en , most virus scanners give it a clean
>>>>>   bill of health, but some identify it as containing:
>>>>>   Gen:Trojan.Heur.JP.amW@aOjomBc,  Gen.Trojan.Heur!IK, Gen.Trojan.Heur, or
>>>>>   TR/Spy.10240.116 (which I suspect are all different names for the same
>>>>>   thing).
>>>>> 
>>>>> 
>>>>>   - At http://www.virustotal.com/ , 3 of 47 virus scanners claim javaw.exe
>>>>>   contains Gen:Trojan.Heur.JP.amW@aOjomBc.
>>>>> 
>>>>> 
>>>>> I certainly don't believe there is a virus, but I'd sure feel better if I
>>>>> could tell people that that is the case.  I appreciate your time looking
>>>>> into this.
>>>>> 
>>>>> Thank you,
>>>>> Clinton Blackmore
>>>>> 
>>> 
>>> 
>> 
