UPDATECENTER2-1341

false report of trojan in pythonw.exe using avira antivirus

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Cannot Reproduce
    • Affects Version/s: 2.0
    • Fix Version/s: not determined
    • Component/s: dependencies
    • Labels:
      None
    • Environment:

      Operating System: Windows Vista
      Platform: All

    • Issuezilla Id: 1341

      Description

        Activity

        Snjezana Sevo-Zenzerovic added a comment -

        Adjusting UC version - this was reported with GF v3 Prelude, so UC 2.0.

        Joe Di Pol added a comment -

        I've done scans of a GlassFish Prelude install as well as the
        latest UC nightly. I used both Symantec AntiVirus and
        Avira AntiVir Personal. Both came up clean.

        FYI the virus reported in the original report was TR/Crypt.XPACK.Gen
        Some folks have reported getting false positives with Avira for
        this virus.

        Avira supports submitting suspect files here:

        http://analysis.avira.com/samples/index.php

        and they can confirm if it's a false positive or not.

        I'm not sure there is much we can do about this. I'll
        update the GlassFish bug with this information.

        Joe Di Pol added a comment -

        All our virus scans have come up clean on our windows binaries.
        We will continue to run scans on builds before pushing them
        external.

        This looks to be a false positive from Avira.

        ckamps added a comment -

        From Jeff Bounds of Sun:

        <SNIP>
        IHAC that is planning on rolling out McAfee VirusScan 8.7 w/ Artemis. Artemis
        does real-time scanning based on behavior instead of signatures. Currently
        WebSpace on Glassfish seems to cause issues with Artemis. When Artemis is
        used, it flags the update tool as a potential threat.

        Note: In our testing, Artemis deleted a file that is downloaded from and
        used by the Update Tool and potentially other tools. The specific
        threat was "Artemis!7C926249DCEB (Trojan)". The file seems to be
        "C:\app\Portal\webspace-for-gfv2\bin\..\.org.opensolaris,pkg\download\89
        6\6c53950475146bc09541a115815c4c1d3a74c808" and/or
        "\webspace-for-gfv2\pkg\python2.4-minimal\pythonw.exe"

        Currently they are looking at excluding the webspace-for-gfv2 directory as part
        of real-time scans. So this leads to a few questions.
        1) Has anyone else run into this, and how did they get around it?
        2) Would just restricting the exclusion to the update tool work?
        3) Are there any other folders that we would suggest NOT to scan?

        From the customer:

        My suggestion is the following:

        1. Exclude all files associated with both Glassfish and WebSpace
        from On-Access scanning. This would be all files under the folder where
        Glassfish is installed, i.e. "glassfish/" as well as all files under the
        folder where WebSpace is installed, i.e. "webspace-for-gfv2/". The
        rationale is that these files are accessed many, many times during the
        execution of the WebSpace product, and constant On-Access scanning has a
        negative effect on performance.

        2. The directory pointed to by the property
        "dl.hook.file.system.root.dir" should not be excluded, i.e. scan this
        folder structure. This property represents the "FileSystemHook. This is
        the location where all the documents will be stored." As these are user
        uploaded files, they should be checked.

        3. The directory pointed to by the property "lucene.dir" should be
        excluded. This property represents "the directory where Lucene indexes
        are stored."
        </SNIP>

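One way to triage a report like the Artemis one above, as an added example (not code from the issue or from the Update Center project): re-hash the flagged cache entry and check whether it still matches the name it was stored under. It assumes the pkg(5) download cache names each file by the SHA-1 of its contents (suggested by the 40-hex-character filename in the report, but not confirmed on this page); the temporary directory and its contents are constructed for the demonstration.

```python
# Added example, not code from the issue or the Update Center project.
# Re-check a content-addressed download cache such as the
# .org.opensolaris,pkg/download tree mentioned above. Assumption: each cache
# entry is named by the SHA-1 of its contents (suggested by the 40-hex-digit
# filename in the report, not confirmed by the page). A file whose digest
# still matches its name is byte-for-byte what the update tool fetched; a
# mismatch means it was altered on disk, e.g. by a scanner that truncated or
# quarantined it.
import hashlib
import os
import tempfile

HEX_DIGITS = frozenset("0123456789abcdef")
SHA1_HEX_LEN = 40


def sha1_of_file(path, chunk_size=64 * 1024):
    """Stream the file through SHA-1 so large binaries are not loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_sha1_name(name):
    """True for a 40-character lowercase hex string."""
    return len(name) == SHA1_HEX_LEN and set(name) <= HEX_DIGITS


def verify_cache(cache_dir):
    """Walk cache_dir; return {relative path: 'ok' | 'mismatch' | 'unnamed'}.

    'unnamed' marks files whose name is not a SHA-1 hex string; this check
    cannot validate them and a reviewer should look at them by hand.
    """
    results = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, cache_dir)
            if not looks_like_sha1_name(name):
                results[rel] = "unnamed"
            elif sha1_of_file(path) == name:
                results[rel] = "ok"
            else:
                results[rel] = "mismatch"
    return results


def build_sample_cache():
    """Constructed sample cache in a temp dir; all contents are made up.

    Returns (cache_dir, good_rel, tampered_rel, unnamed_rel).
    """
    cache_dir = tempfile.mkdtemp(prefix="pkg-download-")
    sub = os.path.join(cache_dir, "sub")
    os.mkdir(sub)

    # Intact entry: stored under the SHA-1 of exactly these bytes.
    payload = b"MZ\x90\x00constructed stand-in for a downloaded binary\n"
    good_name = hashlib.sha1(payload).hexdigest()
    with open(os.path.join(sub, good_name), "wb") as handle:
        handle.write(payload)

    # Tampered entry: a valid-looking hash name whose contents changed after download.
    tampered_name = hashlib.sha1(b"original bytes").hexdigest()
    with open(os.path.join(sub, tampered_name), "wb") as handle:
        handle.write(b"bytes that were changed after download\n")

    # Non-hash-named file: the check cannot say anything about it.
    with open(os.path.join(cache_dir, "catalog.txt"), "wb") as handle:
        handle.write(b"not a hash-named entry\n")

    return (cache_dir,
            os.path.join("sub", good_name),
            os.path.join("sub", tampered_name),
            "catalog.txt")


if __name__ == "__main__":
    demo_dir, _, _, _ = build_sample_cache()
    for rel, status in sorted(verify_cache(demo_dir).items()):
        print(f"{status:8s} {rel}")
```

A match tells you the flagged file is the artifact the tool downloaded, so the remaining question is false positive versus bad upstream artifact, which is what submitting the sample to the vendor settles. A mismatch (for instance after Artemis deleted or truncated the file) means the cache entry has to be re-fetched; note that excluding the whole product directory from on-access scanning, as proposed in the comment above, would also hide that signal for files the tool later downloads into it.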
        ckamps added a comment -

        It seems as though the UC2 dev project should submit an apparent false positive
        report to McAfee.

        ckamps added a comment -

        Closing this issue again and opening new issue for the separate context in which
        a similar issue has recently been reported:

        https://updatecenter2.dev.java.net/issues/show_bug.cgi?id=1713


          People

          • Assignee: Joe Di Pol
          • Reporter: Snjezana Sevo-Zenzerovic
          • Votes: 0
          • Watchers: 0
