harmony-dev mailing list archives

From Oliver Deakin <oliver.dea...@googlemail.com>
Subject Re: Some virus scanners flag javaw.exe as containing a Trojan
Date Thu, 09 Jun 2011 08:26:18 GMT
Hi Clinton

On 09/06/2011 02:46, Clinton Blackmore wrote:
> Yes, I agree, the source for that file is fairly simple.  If I understand it
> correctly, it is used for both versions of javaw.exe, so it surprises me
> that one gets flagged as a virus and the other does not.

That's because they are actually not built from the same source :) If 
you look at the file sizes you'll see that the javaw.exe in jre/bin is 
quite different to sdk/bin. This is because the javaw.exe in sdk/bin 
just redirects to the javaw in jre/bin (you can see this in [1]). The 
actual code for jre/bin/javaw.exe is under [2]. We believe it's the 
redirection (the CreateProcess() call) from the sdk/bin version of 
javaw.exe that is causing the virus scanners to be triggered.

Regards,
Oliver

[1] 
http://svn.apache.org/viewvc/harmony/enhanced/java/trunk/jdktools/modules/samsa/src/main/native/samsa/windows/javaw.c?view=markup
[2] 
http://svn.apache.org/viewvc/harmony/enhanced/java/trunk/classlib/modules/luni/src/main/native/launcher/

> I have, in fact, implemented a workaround much like Oliver suggested -- I'm
> not including bin/javaw.exe with my project, and it runs and doesn't set off
> any virus scanners.
>
> I wish I had some suggestions.  When Sun had a problem like
> this<http://www.java.com/en/download/faq/Trojan3.uj.xml>,
> it appears that they contacted the antiviral vendors and got them to update
> their filters.  This sounds like the proper "fix", as your code is not
> broken; I wonder how difficult it would be to do.
>
> Thanks again for looking into this.
>
> Cheers,
> Clinton
>
> On Wed, Jun 8, 2011 at 2:37 AM, Tim Ellison<t.p.ellison@gmail.com>  wrote:
>
>> Clinton,
>>
>> Thanks for agreeing to move this conversation onto the developers' list.
>>
>> I see where the difference has occurred.  I was testing the javaw.exe
>> contained in harmony-6.0-jdk-991881\jre\bin, and you were testing the
>> javaw.exe in harmony-6.0-jdk-991881\bin.
>>
>> I now get the same results as you from the on-line virus checkers.  My
>> local copy of Symantec considers it safe.
>>
>> You can see the source for this file [1] is quite simple, though it is
>> creating a child process in a reasonably generic way that might be
>> suspicious to virus checkers.
>>
>> It would be helpful if other people could also check that this file is
>> safe and post their results here on the dev list.
>>
>> [1]
>>
>> http://svn.apache.org/viewvc/harmony/enhanced/java/trunk/jdktools/modules/samsa/src/main/native/samsa/windows/javaw.c?view=markup
>>
>> Regards,
>> Tim
>>
>>
>> On 07/Jun/2011 23:06, Clinton Blackmore wrote:
>>> Hi Tim.
>>>
>>> Thank you for looking into this.  I must admit that I'm very surprised
>>> that you get different results when scanning than I do.  It makes me
>>> wonder if we are checking different versions.
>>>
>>> I'm checking the latest stable release of the version 6 JDK, entitled
>>> "Apache Harmony 6.0M3 JDK for 32-bit Windows".  I downloaded it most
>>> recently through this URL and mirror:
>>>
>>> http://apache.mirror.rafal.ca//harmony/milestones/6.0/M3/apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
>>>
>>> When I check, the zip file has the following checksums:
>>> md5: c3173509225f982fd9f37534d3746362
>>> sha1: b609375c7c6dc0d86931c091c1391cf7c7cdaef6
>>>
>>> The Harmony download page lists them as:
>>>
>>> c3173509225f982fd9f37534d3746362  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
>>> b609375c7c6dc0d86931c091c1391cf7c7cdaef6  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
>>>
>>> which match.
>>>
>>>
>>>
>>> When extracted, a folder called harmony-6.0-jdk-991881 is created.
>>> Within the bin directory is javaw.exe, with the following checksums:
>>>
>>> md5: 7bb1c7fdf083d511eb4bc4937ab41733
>>> sha1: 314ff2031a2da4bae8d188c20bf0f7e39eb3599f
>>>
>>>
>>> I did try to check the most recent snapshot, but, while I see several
>>> Harmony builds there, I do not see Harmony 1.6 for Windows, and was thus
>>> unable to download and scan it.
>>>
>>> I have attached pdf files with the test results that I get.  One of the
>>> scanners provided a permanent link to the results:
>>> http://virusscan.jotti.org/en/scanresult/b93c536dc68f1f67bbd14f9b43d9f747b1995459
>>>
>>> If you could double-check that specific version of Harmony, I would
>>> really appreciate it.  I don't understand how we could get different
>>> results from the same scanners on the same files -- one expects virus
>>> scanners to be deterministic : )
>>>
>>>
>>> You have my permission to make all or parts of my comments in the
>>> original note and follow-ups public.  I would be pleased to be able to
>>> point people at a mailing list posting on the subject.
>>>
>>> Thanks again for all your work on this project.  I'm grateful to be able
>>> to stand on the shoulders of giants.
>>>
>>> Cheers,
>>> Clinton Blackmore
>>>
>>> On Tue, Jun 7, 2011 at 3:08 PM, Tim Ellison<t.p.ellison@gmail.com
>>> <mailto:t.p.ellison@gmail.com>>  wrote:
>>>
>>>      Clinton,
>>>
>>>      Thanks again for taking the time to tell us about your experience with
>>>      an antivirus program flagging a warning with 'javaw.exe'.
>>>
>>>      A couple of us have double-checked the files in Apache Harmony's
>>>      distribution, and we are happy that there are no viruses in the
>>>      downloads available from the project.  I agree that it is most likely a
>>>      false positive by a particular virus checker programme.
>>>
>>>      Just so you know, we have checked the files with the on-line virus
>>>      checkers you mention below, Symantec anti-virus, ClamAV, and Microsoft
>>>      Security Essentials on Windows XP.  Even the on-line virus checkers
>>>      report all clean, unlike your results.
>>>
>>>      I'm happy to publish these scan results on the public Apache Harmony
>>>      mailing list which will give you a link to share with any concerned
>>>      users.  You should either post your original concern to
>>>      dev@harmony.apache.org<mailto:dev@harmony.apache.org>, or let me
>>>      know that you are happy for me to make
>>>      parts of your original note public.
>>>
>>>      It's always great to hear from people who are using Apache Harmony in
>>>      new and interesting ways.  Thanks again for getting in touch, and good
>>>      luck with Enchanting.
>>>
>>>      Regards,
>>>      Tim
>>>
>>>
>>>
>>>      On 07/Jun/2011 13:23, Tim Ellison wrote:
>>>      >  Clinton,
>>>      >
>>>      >  Thank you for your note which has been passed to the Apache Harmony
>>>      >  private mailing list as a potential security issue.
>>>      >
>>>      >  This is just a quick response to let you know it has been received
>>>      >  safely and we are taking a look at it.
>>>      >
>>>      >  We'll be in touch shortly with a fuller reply to your observations.
>>>      >
>>>      >  Regards,
>>>      >  Tim
>>>      >
>>>      >>  -------- Original Message --------
>>>      >>  Subject: Some virus scanners flag javaw.exe as containing a Trojan
>>>      >>  Date: Mon, 6 Jun 2011 08:32:09 -0600
>>>      >>  From: Clinton Blackmore<clinton.blackmore@gmail.com
>>>      <mailto:clinton.blackmore@gmail.com>>
>>>      >>  To: security@apache.org<mailto:security@apache.org>
>>>      >>
>>>      >>  Greetings.
>>>      >>
>>>      >>  I don't think this is a security vulnerability per-se, but I figured I would
>>>      >>  err on the side of caution.  If you would like me to contact another mailing
>>>      >>  list or person, please refer me to them and I will be happy to do so.  I did
>>>      >>  try general net searches and checked the bug database and mailing lists
>>>      >>  before contacting you.
>>>      >>
>>>      >>  I am developing an application called Enchanting (
>>>      >>  http://enchanting.robotclub.ab.ca/ ) to help kids program LEGO robots, and
>>>      >>  am bundling Apache Harmony with the Windows version -- and I'm grateful for
>>>      >>  the work of the Harmony team which gives me this option!  I installed it on
>>>      >>  one of my robotics student's computers, running Windows XP, and his
>>>      >>  antiviral software flagged javaw.exe as containing a trojan.  (I didn't take
>>>      >>  down the details).  I did double-check the MD5 and SHA checksums of the
>>>      >>  release I am using -- Apache Harmony 6.0M3 JDK for 32-bit Windows -- and
>>>      >>  they match (and I also extracted the zip file again and diffed it against
>>>      >>  the files I'm releasing, and they match).
>>>      >>
>>>      >>  I believe the error is a false positive, especially after reading this
>>>      >>  article from Sun/Oracle:
>>>      >>  http://www.java.com/en/download/faq/Trojan3.uj.xml.  However, I'm
>>>      >>  concerned by the remote possibility of a virus, I'd like to
>>>      >>  be able to assure people that there is not a trojan (perhaps by pointing
>>>      >>  them to an authoritative document that says so), and I wanted to notify you.
>>>      >>
>>>      >>  I just tested the file using free online services that will scan a file with
>>>      >>  multiple virus scanners.  (I don't have the scanner that my student used).
>>>      >>
>>>      >>     - At http://virusscan.jotti.org/en , most virus scanners give it a clean
>>>      >>     bill of health, but some identify it as containing:
>>>      >>     Gen:Trojan.Heur.JP.amW@aOjomBc,  Gen.Trojan.Heur!IK, Gen.Trojan.Heur, or
>>>      >>     TR/Spy.10240.116 (which I suspect are all different names for the same
>>>      >>     thing).
>>>      >>
>>>      >>     - At http://www.virustotal.com/ , 3 of 47 virus scanners claim javaw.exe
>>>      >>     contains Gen:Trojan.Heur.JP.amW@aOjomBc.
>>>      >>
>>>      >>  I certainly don't believe there is a virus, but I'd sure feel better if I
>>>      >>  could tell people that that is the case.  I appreciate your time looking
>>>      >>  into this.
>>>      >>
>>>      >>  Thank you,
>>>      >>  Clinton Blackmore
>>>      >>
>>>
>>>

-- 
Oliver Deakin
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
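The triage the thread walks through (confirm the zip matches the published checksums, then find which of the two javaw.exe copies was actually scanned) can be scripted. The following is an added example, not Harmony project code; the PUBLISHED digests are the ones quoted in the thread, and the sample zip it falls back to is constructed stand-in data, not the real release.

```python
"""Check a Harmony release zip against the published checksums and list every
javaw.exe inside it with size and SHA-1, so an AV verdict can be tied to the
exact copy the project shipped. Added example, not Harmony project code."""
import hashlib
import io
import sys
import zipfile

# Checksums quoted in the thread for
# apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip.
PUBLISHED = {
    "md5": "c3173509225f982fd9f37534d3746362",
    "sha1": "b609375c7c6dc0d86931c091c1391cf7c7cdaef6",
}


def digests(data: bytes) -> dict:
    """Compute the same digest set the download page publishes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in PUBLISHED}


def verify_checksums(data: bytes, expected: dict) -> dict:
    """Return {algo: True/False} for each published digest."""
    actual = digests(data)
    return {algo: actual[algo] == digest.lower() for algo, digest in expected.items()}


def inspect_launchers(data: bytes, name: str = "javaw.exe") -> dict:
    """Map each zip member ending in `name` to (size, sha1). The JDK zip carries
    two javaw.exe files; differing sizes show they are not the same build."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(name):
                payload = zf.read(info)
                found[info.filename] = (len(payload), hashlib.sha1(payload).hexdigest())
    return found


def build_sample_zip() -> bytes:
    """Constructed stand-in for the release: a small bin/ stub and a larger jre/bin/ launcher."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("harmony-6.0-jdk-991881/bin/javaw.exe", b"stub-launcher")
        zf.writestr("harmony-6.0-jdk-991881/jre/bin/javaw.exe", b"real-launcher-code" * 4)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    print("checksums match:", verify_checksums(data, PUBLISHED))
    for path, (size, sha1) in inspect_launchers(data).items():
        print(f"{size:>10} {sha1} {path}")
```

Run it with the path to the real zip as its only argument; with no argument it uses the constructed sample, for which the published checksums correctly fail to match.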

