harmony-dev mailing list archives

From Tim Ellison <t.p.elli...@gmail.com>
Subject Re: Some virus scanners flag javaw.exe as containing a Trojan
Date Wed, 08 Jun 2011 08:37:12 GMT
Clinton,

Thanks for agreeing to move this conversation onto the developers' list.

I see where the difference has occurred.  I was testing the javaw.exe
contained in harmony-6.0-jdk-991881\jre\bin, and you were testing the
javaw.exe in harmony-6.0-jdk-991881\bin.

I now get the same results as you from the on-line virus checkers.  My
local copy of Symantec considers it safe.

You can see the source for this file [1] is quite simple, though it is
creating a child process in a reasonably generic way that might be
suspicious to virus checkers.

It would be helpful if other people could also check that this file is
safe and post their results here on the dev list.

[1]
http://svn.apache.org/viewvc/harmony/enhanced/java/trunk/jdktools/modules/samsa/src/main/native/samsa/windows/javaw.c?view=markup

Regards,
Tim


On 07/Jun/2011 23:06, Clinton Blackmore wrote:
> Hi Tim.
> 
> Thank you for looking into this.  I must admit that I'm very surprised
> that you get different results when scanning than I do.  It makes me
> wonder if we are checking different versions.
> 
> I'm checking the latest stable release of the version 6 JDK, entitled
> "Apache Harmony 6.0M3 JDK for 32-bit Windows".  I downloaded it most
> recently through this URL and mirror:
> 
> http://apache.mirror.rafal.ca//harmony/milestones/6.0/M3/apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
> 
> When I check, the zip file has the following checksums:
> md5: c3173509225f982fd9f37534d3746362
> sha1: b609375c7c6dc0d86931c091c1391cf7c7cdaef6
> 
> The Harmony download page lists them as:
> 
> c3173509225f982fd9f37534d3746362  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
> 
> b609375c7c6dc0d86931c091c1391cf7c7cdaef6  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
> 
> which match.
> 
> 
> 
> When extracted, a folder called harmony-6.0-jdk-991881 is created.
>  Within the bin directory is javaw.exe, with the following checksums:
> 
> md5: 7bb1c7fdf083d511eb4bc4937ab41733
> sha1: 314ff2031a2da4bae8d188c20bf0f7e39eb3599f
> 
> 
> I did try to check the most recent snapshot, but, while I see several
> Harmony builds there, I do not see Harmony 1.6 for Windows, and was thus
> unable to download and scan it.
> 
> I have attached pdf files with the test results that I get.  One of the
> scanners provided a permanent link to the results:
> http://virusscan.jotti.org/en/scanresult/b93c536dc68f1f67bbd14f9b43d9f747b1995459
> 
> If you could double-check that specific version of Harmony, I would
> really appreciate it.  I don't understand how we could get different
> results from the same scanners on the same files -- one expects virus
> scanners to be deterministic : )
> 
> 
> You have my permission to make all or parts of my comments in the
> original note and follow-ups public.  I would be pleased to be able to
> point people at a mailing list posting on the subject.
> 
> Thanks again for all your work on this project.  I'm grateful to be able
> to stand on the shoulders of giants.
> 
> Cheers,
> Clinton Blackmore
> 
> On Tue, Jun 7, 2011 at 3:08 PM, Tim Ellison <t.p.ellison@gmail.com> wrote:
> 
>     Clinton,
> 
>     Thanks again for taking the time to tell us about your experience with
>     an antivirus program flagging a warning with 'javaw.exe'.
> 
>     A couple of us have double-checked the files in Apache Harmony's
>     distribution, and we are happy that there are no viruses in the
>     downloads available from the project.  I agree that it is most likely a
>     false positive by a particular virus checker programme.
> 
>     Just so you know, we have checked the files with the on-line virus
>     checkers you mention below, Symantec anti-virus, ClamAV, and Microsoft
>     Security Essentials on Windows XP.  Even the on-line virus checkers
>     report all clean, unlike your results.
> 
>     I'm happy to publish these scan results on the public Apache Harmony
>     mailing list which will give you a link to share with any concerned
>     users.  You should either post your original concern to
>     dev@harmony.apache.org, or let me know that you are happy for me to make
>     parts of your original note public.
> 
>     It's always great to hear from people who are using Apache Harmony in
>     new and interesting ways.  Thanks again for getting in touch, and good
>     luck with Enchanting.
> 
>     Regards,
>     Tim
> 
> 
> 
>     On 07/Jun/2011 13:23, Tim Ellison wrote:
>     > Clinton,
>     >
>     > Thank you for your note which has been passed to the Apache Harmony
>     > private mailing list as a potential security issue.
>     >
>     > This is just a quick response to let you know it has been received
>     > safely and we are taking a look at it.
>     >
>     > We'll be in touch shortly with a fuller reply to your observations.
>     >
>     > Regards,
>     > Tim
>     >
>     >> -------- Original Message --------
>     >> Subject: Some virus scanners flag javaw.exe as containing a Trojan
>     >> Date: Mon, 6 Jun 2011 08:32:09 -0600
>     >> From: Clinton Blackmore <clinton.blackmore@gmail.com>
>     >> To: security@apache.org
>     >>
>     >> Greetings.
>     >>
>     >> I don't think this is a security vulnerability per-se, but I figured I would
>     >> err on the side of caution.  If you would like me to contact another mailing
>     >> list or person, please refer me to them and I will be happy to do so.  I did
>     >> try general net searches and checked the bug database and mailing lists
>     >> before contacting you.
>     >>
>     >> I am developing an application called Enchanting (
>     >> http://enchanting.robotclub.ab.ca/ ) to help kids program LEGO robots, and
>     >> am bundling Apache Harmony with the Windows version -- and I'm grateful for
>     >> the work of the Harmony team which gives me this option!  I installed it on
>     >> one of my robotics student's computers, running Windows XP, and his
>     >> antiviral software flagged javaw.exe as containing a trojan.  (I didn't take
>     >> down the details).  I did double-check the MD5 and SHA checksums of the
>     >> release I am using -- Apache Harmony 6.0M3 JDK for 32-bit Windows -- and
>     >> they match (and I also extracted the zip file again and diffed it against
>     >> the files I'm releasing, and they match).
>     >>
>     >> I believe the error is a false positive, especially after reading this
>     >> article from Sun/Oracle:
>     >> http://www.java.com/en/download/faq/Trojan3.uj.xml.  However, I'm
>     >> concerned by the remote possibility of a virus, I'd like to
>     >> be able to assure people that there is not a trojan (perhaps by pointing
>     >> them to an authoritative document that says so), and I wanted to notify you.
>     >>
>     >> I just tested the file using free online services that will scan a file with
>     >> multiple virus scanners.  (I don't have the scanner that my student used).
>     >>
>     >>    - At http://virusscan.jotti.org/en , most virus scanners give it a clean
>     >>    bill of health, but some identify it as containing:
>     >>    Gen:Trojan.Heur.JP.amW@aOjomBc,  Gen.Trojan.Heur!IK, Gen.Trojan.Heur, or
>     >>    TR/Spy.10240.116 (which I suspect are all different names for the same
>     >>    thing).
>     >>
>     >>
>     >>    - At http://www.virustotal.com/ , 3 of 47 virus scanners claim javaw.exe
>     >>    contains Gen:Trojan.Heur.JP.amW@aOjomBc.
>     >>
>     >>
>     >> I certainly don't believe there is a virus, but I'd sure feel better if I
>     >> could tell people that that is the case.  I appreciate your time looking
>     >> into this.
>     >>
>     >> Thank you,
>     >> Clinton Blackmore
>     >>
> 
> 
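
The mismatch in this thread came from two different files that share the name javaw.exe (one under bin, one under jre\bin), so scan results are only comparable once the file is identified by digest rather than by name. The following is an added example, not part of the original messages or the Harmony project: it hashes every javaw.exe under an extracted tree and sorts them by whether they match the MD5/SHA-1 pair posted above; the demo tree and its file contents are constructed placeholders.

```python
import hashlib
import os
import tempfile

# Digests posted in the thread for bin\javaw.exe of the 6.0M3 JDK.
REPORTED = {
    "md5": "7bb1c7fdf083d511eb4bc4937ab41733",
    "sha1": "314ff2031a2da4bae8d188c20bf0f7e39eb3599f",
}

def digests(path, algos=("md5", "sha1"), chunk=1 << 16):
    """Hash one file with each algorithm, reading it in chunks."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}

def find_same_named(root, name="javaw.exe"):
    """Map relative path -> digests for every file called `name` under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():  # Windows names are case-insensitive
                full = os.path.join(dirpath, f)
                found[os.path.relpath(full, root)] = digests(full)
    return found

def classify(found, reference):
    """Split paths into those matching the reference digests and the rest."""
    match = sorted(p for p, d in found.items() if d == reference)
    other = sorted(p for p, d in found.items() if d != reference)
    return match, other

def demo():
    """Constructed tree: two different placeholder files with the same name."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in ((("bin",), b"stub A"), (("jre", "bin"), b"stub B")):
            os.makedirs(os.path.join(root, *rel))
            with open(os.path.join(root, *rel, "javaw.exe"), "wb") as f:
                f.write(data)
        found = find_same_named(root)
        # Stand-in reference: the constructed bin copy (the real binary is not here).
        return classify(found, found[os.path.join("bin", "javaw.exe")])

if __name__ == "__main__":
    print(demo())
```

Against a real extraction, `classify(find_same_named(r"harmony-6.0-jdk-991881"), REPORTED)` shows which copy is the one whose scan results were reported.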
