harmony-dev mailing list archives

From Clinton Blackmore <clinton.blackm...@gmail.com>
Subject Re: Some virus scanners flag javaw.exe as containing a Trojan
Date Thu, 09 Jun 2011 01:46:33 GMT
Yes, I agree, the source for that file is fairly simple.  If I understand it
correctly, it is used for both versions of javaw.exe, so it surprises me
that one gets flagged as a virus and the other does not.

I have, in fact, implemented a workaround much like Oliver suggested -- I'm
not including bin/javaw.exe with my project, and it runs and doesn't set off
any virus scanners.

I wish I had some suggestions.  When Sun had a problem like this
<http://www.java.com/en/download/faq/Trojan3.uj.xml>, it appears that they
contacted the antiviral vendors and got them to update their filters.  This
sounds like the proper "fix", as your code is not broken; I wonder how
difficult it would be to do.

Thanks again for looking into this.

Cheers,
Clinton

On Wed, Jun 8, 2011 at 2:37 AM, Tim Ellison <t.p.ellison@gmail.com> wrote:

> Clinton,
>
> Thanks for agreeing to move this conversation onto the developers' list.
>
> I see where the difference has occurred.  I was testing the javaw.exe
> contained in harmony-6.0-jdk-991881\jre\bin, and you were testing the
> javaw.exe in harmony-6.0-jdk-991881\bin.
>
> I now get the same results as you from the on-line virus checkers.  My
> local copy of Symantec considers it safe.
>
> You can see the source for this file [1] is quite simple, though it is
> creating a child process in a reasonably generic way that might be
> suspicious to virus checkers.
>
> It would be helpful if other people could also check that this file is
> safe and post their results here on the dev list.
>
> [1] http://svn.apache.org/viewvc/harmony/enhanced/java/trunk/jdktools/modules/samsa/src/main/native/samsa/windows/javaw.c?view=markup
>
> Regards,
> Tim
>
>
> On 07/Jun/2011 23:06, Clinton Blackmore wrote:
> > Hi Tim.
> >
> > Thank you for looking into this.  I must admit that I'm very surprised
> > that you get different results when scanning than I do.  It makes me
> > wonder if we are checking different versions.
> >
> > I'm checking the latest stable release of the version 6 JDK, entitled
> > "Apache Harmony 6.0M3 JDK for 32-bit Windows".  I downloaded it most
> > recently through this URL and mirror:
> >
> > http://apache.mirror.rafal.ca//harmony/milestones/6.0/M3/apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
> >
> > When I check, the zip file has the following checksums:
> > md5: c3173509225f982fd9f37534d3746362
> > sha1: b609375c7c6dc0d86931c091c1391cf7c7cdaef6
> >
> > The Harmony download page lists them as:
> >
> > c3173509225f982fd9f37534d3746362  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
> >
> > b609375c7c6dc0d86931c091c1391cf7c7cdaef6  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
> >
> > which match.
> >
> >
> >
> > When extracted, a folder called harmony-6.0-jdk-991881 is created.
> >  Within the bin directory is javaw.exe, with the following checksums:
> >
> > md5: 7bb1c7fdf083d511eb4bc4937ab41733
> > sha1: 314ff2031a2da4bae8d188c20bf0f7e39eb3599f
> >
> >
> > I did try to check the most recent snapshot, but, while I see several
> > Harmony builds there, I do not see Harmony 1.6 for Windows, and was thus
> > unable to download and scan it.
> >
> > I have attached pdf files with the test results that I get.  One of the
> > scanners provided a permanent link to the results:
> >
> > http://virusscan.jotti.org/en/scanresult/b93c536dc68f1f67bbd14f9b43d9f747b1995459
> >
> > If you could double-check that specific version of Harmony, I would
> > really appreciate it.  I don't understand how we could get different
> > results from the same scanners on the same files -- one expects virus
> > scanners to be deterministic : )
> >
> >
> > You have my permission to make all or parts of my comments in the
> > original note and follow-ups public.  I would be pleased to be able to
> > point people at a mailing list posting on the subject.
> >
> > Thanks again for all your work on this project.  I'm grateful to be able
> > to stand on the shoulders of giants.
> >
> > Cheers,
> > Clinton Blackmore
> >
> > On Tue, Jun 7, 2011 at 3:08 PM, Tim Ellison <t.p.ellison@gmail.com> wrote:
> >
> >     Clinton,
> >
> >     Thanks again for taking the time to tell us about your experience
> >     with an antivirus program flagging a warning with 'javaw.exe'.
> >
> >     A couple of us have double-checked the files in Apache Harmony's
> >     distribution, and we are happy that there are no viruses in the
> >     downloads available from the project.  I agree that it is most
> >     likely a false positive by a particular virus checker programme.
> >
> >     Just so you know, we have checked the files with the on-line virus
> >     checkers you mention below, Symantec anti-virus, ClamAV, and
> >     Microsoft Security Essentials on Windows XP.  Even the on-line virus
> >     checkers report all clean, unlike your results.
> >
> >     I'm happy to publish these scan results on the public Apache Harmony
> >     mailing list which will give you a link to share with any concerned
> >     users.  You should either post your original concern to
> >     dev@harmony.apache.org, or let me know that you are happy for me to
> >     make parts of your original note public.
> >
> >     It's always great to hear from people who are using Apache Harmony in
> >     new and interesting ways.  Thanks again for getting in touch, and
> >     good luck with Enchanting.
> >
> >     Regards,
> >     Tim
> >
> >
> >
> >     On 07/Jun/2011 13:23, Tim Ellison wrote:
> >     > Clinton,
> >     >
> >     > Thank you for your note which has been passed to the Apache Harmony
> >     > private mailing list as a potential security issue.
> >     >
> >     > This is just a quick response to let you know it has been received
> >     > safely and we are taking a look at it.
> >     >
> >     > We'll be in touch shortly with a fuller reply to your observations.
> >     >
> >     > Regards,
> >     > Tim
> >     >
> >     >> -------- Original Message --------
> >     >> Subject: Some virus scanners flag javaw.exe as containing a Trojan
> >     >> Date: Mon, 6 Jun 2011 08:32:09 -0600
> >     >> From: Clinton Blackmore <clinton.blackmore@gmail.com>
> >     >> To: security@apache.org
> >     >>
> >     >> Greetings.
> >     >>
> >     >> I don't think this is a security vulnerability per se, but I figured
> >     >> I would err on the side of caution.  If you would like me to contact
> >     >> another mailing list or person, please refer me to them and I will be
> >     >> happy to do so.  I did try general net searches and checked the bug
> >     >> database and mailing lists before contacting you.
> >     >>
> >     >> I am developing an application called Enchanting (
> >     >> http://enchanting.robotclub.ab.ca/ ) to help kids program LEGO
> >     >> robots, and am bundling Apache Harmony with the Windows version --
> >     >> and I'm grateful for the work of the Harmony team which gives me this
> >     >> option!  I installed it on one of my robotics student's computers,
> >     >> running Windows XP, and his antiviral software flagged javaw.exe as
> >     >> containing a trojan.  (I didn't take down the details).  I did
> >     >> double-check the MD5 and SHA checksums of the release I am using --
> >     >> Apache Harmony 6.0M3 JDK for 32-bit Windows -- and they match (and I
> >     >> also extracted the zip file again and diffed it against the files I'm
> >     >> releasing, and they match).
> >     >>
> >     >> I believe the error is a false positive, especially after reading
> >     >> this article from Sun/Oracle:
> >     >> http://www.java.com/en/download/faq/Trojan3.uj.xml.  However, I'm
> >     >> concerned by the remote possibility of a virus, I'd like to
> >     >> be able to assure people that there is not a trojan (perhaps by
> >     >> pointing them to an authoritative document that says so), and I
> >     >> wanted to notify you.
> >     >>
> >     >> I just tested the file using free online services that will scan a
> >     >> file with multiple virus scanners.  (I don't have the scanner that my
> >     >> student used).
> >     >>
> >     >>    - At http://virusscan.jotti.org/en , most virus scanners give it a
> >     >>    clean bill of health, but some identify it as containing:
> >     >>    Gen:Trojan.Heur.JP.amW@aOjomBc,  Gen.Trojan.Heur!IK,
> >     >>    Gen.Trojan.Heur, or TR/Spy.10240.116 (which I suspect are all
> >     >>    different names for the same thing).
> >     >>
> >     >>    - At http://www.virustotal.com/ , 3 of 47 virus scanners claim
> >     >>    javaw.exe contains Gen:Trojan.Heur.JP.amW@aOjomBc.
> >     >>
> >     >> I certainly don't believe there is a virus, but I'd sure feel better
> >     >> if I could tell people that that is the case.  I appreciate your time
> >     >> looking into this.
> >     >>
> >     >> Thank you,
> >     >> Clinton Blackmore
> >     >>
> >
> >
>
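
Added example, not part of the original thread and not Harmony project code: the differing scan results above came from two different files named javaw.exe in the same distribution. This Python sketch checks an archive against its published digests and then reports the digest of every member with a given file name, so two people can confirm they scanned the same bytes. The sample archive is constructed in memory; its paths mirror the ones named in the thread and its contents are placeholders.

```python
import hashlib
import hmac
import io
import zipfile
from pathlib import PurePosixPath


def digests(data: bytes) -> dict:
    """Return the MD5 and SHA-1 hex digests, the two the thread compares."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1")}


def verify_archive(data: bytes, published: dict) -> bool:
    """True only if every published digest matches the archive bytes."""
    actual = digests(data)
    return all(
        hmac.compare_digest(actual.get(alg, ""), value.strip().lower())
        for alg, value in published.items()
    )


def members_named(data: bytes, basename: str) -> dict:
    """Map each archive path whose file name equals `basename` to its digests."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if PurePosixPath(info.filename).name.lower() == basename.lower():
                found[info.filename] = digests(zf.read(info))
    return found


def build_sample_archive() -> bytes:
    """Constructed sample: two different placeholder files with the same name."""
    root = "harmony-6.0-jdk-991881"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{root}/bin/javaw.exe", b"placeholder launcher A")
        zf.writestr(f"{root}/jre/bin/javaw.exe", b"placeholder launcher B")
        zf.writestr(f"{root}/README.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    print("archive ok:", verify_archive(archive, digests(archive)))
    for path, d in members_named(archive, "javaw.exe").items():
        print(d["sha1"], path)
```

Quoting the full archive path alongside the digest when reporting a scan result removes the ambiguity that the thread ran into.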
