Virus in rubyw in rubyinstaller-1.9.1-p378?


Dave Sanders

Jun 10, 2010, 10:09:25 AM
to RubyInstaller
I'm running the install for 1.9.1 this morning and getting this
exception from Avira regarding "TR/Dropper.Gen Trojan" in rubyw.exe.

Can someone confirm?

Luis Lavena

Jun 10, 2010, 10:16:20 AM
to rubyin...@googlegroups.com

I have Microsoft Essentials installed; I used to use NOD32 before
migrating to Windows 7.

There is no virus on ruby.exe?

In the past, InnoSetup installers with high compression levels have
been identified as viruses or trojans:

http://groups.google.com/group/rubyinstaller/browse_thread/thread/f79ec3b81e8d6102

So far no one else has reported problems.

My system is pretty clean and I treat security very seriously.

Downloading Avira right now to confirm, but if anyone with NOD32 or
something really good as AV software is not getting anything, please let
me know.

Thank you.
--
Luis Lavena
AREA 17
-
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry

David Sanders

Jun 10, 2010, 10:19:42 AM
to rubyin...@googlegroups.com
Ruby.exe was clean, rubyw.exe was what showed the virus for me.

I'm assuming it's a false positive too, but wanted to put it out there just in case...

thx
D


--
You received this message because you are subscribed to the Google Groups "RubyInstaller" group.
To post to this group, send email to rubyin...@googlegroups.com.
To unsubscribe from this group, send email to rubyinstalle...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyinstaller?hl=en.


Luis Lavena

Jun 11, 2010, 9:58:42 AM
to rubyin...@googlegroups.com

I was not able to confirm this since RailsConf took me the entire week. Can you report it to them (the antivirus authors) to check? Strange that only rubyw was infected by a rare, low-report Trojan.

Thank you.

Sent from mobile.


Alexey Borzenkov

Jun 11, 2010, 3:18:44 PM
to rubyin...@googlegroups.com
Hi Luis,

I checked and it doesn't seem to be infected. Maybe Avira's heuristics
are tipped off by a combination of factors, like a GUI application that
is compiled with gcc and is using TLS callbacks, but I can't know for
sure.

On a side note, the executables are really messy: 400k of debug info
for an executable that just calls a couple of functions in a DLL? Luis,
you should probably strip them, or better, link with -s.

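Alexey's two observations (leftover debug payload that `strip` or linking with `-s` removes, and TLS callbacks that can trip heuristics) are both visible in the PE headers, so a defender triaging a detection like this can check them without running the file. The following is an added example, not code from this thread or from the RubyInstaller project. It parses a PE image with the Python standard library only and reports whether a TLS directory is present, how many COFF symbols remain, and how many bytes sit in DWARF `.debug_*` sections (resolving the `/NNN` long-name convention binutils uses). The `build_sample_pe` image is constructed here purely for testing and is not rubyw.exe; the script name `pe_inspect.py` in the usage comment is an assumption.

```python
"""Added example: inspect a PE image for the traits discussed in the thread,
unstripped debug/symbol payload and a TLS directory (TLS callbacks).
Standard library only; the sample image is constructed and is not rubyw.exe."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # CodeView/PDB-style debug directory
IMAGE_DIRECTORY_ENTRY_TLS = 9     # TLS directory, which holds the callback table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_SYMBOL_SIZE = 18


def inspect_pe(data: bytes) -> dict:
    """Summarise an in-memory PE image: TLS/debug directories, COFF symbol count,
    section names (long names resolved via the COFF string table) and the number
    of bytes held by DWARF .debug_* sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, nsections, _ts, sym_ptr, nsyms, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off = opt + 92    # NumberOfRvaAndSizes offset in a PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        ndirs_off = opt + 108   # same field in a PE32+ (x86_64) optional header
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs_off = ndirs_off + 4

    def directory(index):
        if index >= ndirs:
            return 0, 0
        return struct.unpack_from("<II", data, dirs_off + 8 * index)

    # COFF string table follows the symbol table; only present in unstripped images
    strtab = sym_ptr + COFF_SYMBOL_SIZE * nsyms if sym_ptr else 0

    def section_name(raw):
        name = raw.rstrip(b"\0")
        # binutils stores names longer than 8 bytes as "/<offset>" into the string table
        if name.startswith(b"/") and strtab:
            try:
                start = strtab + int(name[1:])
                return data[start:data.index(b"\0", start)].decode("ascii", "replace")
            except ValueError:
                pass
        return name.decode("ascii", "replace")

    sections, debug_bytes = [], 0
    sec_off = opt + opt_size
    for i in range(nsections):
        raw_name, _vsize, _va, raw_size, _ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        name = section_name(raw_name)
        sections.append((name, raw_size))
        if name.startswith(".debug"):
            debug_bytes += raw_size
    tls_rva, tls_size = directory(IMAGE_DIRECTORY_ENTRY_TLS)
    dbg_rva, dbg_size = directory(IMAGE_DIRECTORY_ENTRY_DEBUG)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "has_tls_directory": bool(tls_rva and tls_size),
        "has_debug_directory": bool(dbg_rva and dbg_size),
        "coff_symbols": nsyms if sym_ptr else 0,
        "dwarf_debug_bytes": debug_bytes,
        "sections": sections,
    }


def build_sample_pe(with_debug: bool, with_tls: bool) -> bytes:
    """Constructed, non-executable PE32 image used only to exercise inspect_pe."""
    ndirs, opt_size, pe_off = 16, 96 + 8 * 16, 0x40
    sections = [(b".text", 0x200)]
    strtab = b""
    if with_debug:  # long names go through the string table, as binutils emits them
        strtab = b".debug_info\0.debug_line\0"
        strtab = struct.pack("<I", 4 + len(strtab)) + strtab
        sections += [(b"/4", 0x3000), (b"/16", 0x800)]
    nsyms = 3 if with_debug else 0
    sym_ptr = (pe_off + 4 + 20 + opt_size + 40 * len(sections)) if with_debug else 0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, sym_ptr, nsyms, opt_size, 0x0102)
    dirs = [(0, 0)] * ndirs
    if with_tls:
        dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (0x3000, 0x18)  # constructed RVA/size
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", ndirs)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n[:8], s, 0x1000, s, 0x400, 0, 0, 0, 0, 0x60000020)
                     for n, s in sections)
    return dos + b"PE\0\0" + coff + opt + table + b"\0" * (COFF_SYMBOL_SIZE * nsyms) + strtab


if __name__ == "__main__":
    # Usage: python pe_inspect.py <file.exe>; with no argument the constructed sample is used
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True, True)
    for key, value in inspect_pe(blob).items():
        print(f"{key}: {value}")
```

Run it against the build before and after `strip` (or a `-s` link) and the `coff_symbols` and `dwarf_debug_bytes` figures should drop to zero while `has_tls_directory` is unchanged, which separates the "messy binary" observation from the TLS-callback heuristic Alexey mentions.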

Luis Lavena

Jun 11, 2010, 3:27:55 PM
to rubyin...@googlegroups.com
On Fri, Jun 11, 2010 at 3:18 PM, Alexey Borzenkov <sna...@gmail.com> wrote:
> Hi Luis,
>
> I checked and it doesn't seem to be infected. Maybe Avira's heuristics
> are tipped off by combination of factors, like a gui application that
> is compiled with gcc and is using Tls callbacks, but I can't know for
> sure.
>
> On a side note the executables are really messy: 400k of all that
> debug info for an executable that just calls a couple functions in a
> dll? Luis, you should probably strip them, or better link with -s.
>

I used Ruby's own default. We had too many things to do, so messing
with that between rc2 and final was not advised.

I'm starting to put together a roadmap for newer versions, especially
the upgrade of GCC to 4.5.0 and the viability of x86_64 binaries:

C:\Users\Luis\Projects\oss\oci\rubyinstaller>sandbox\ruby19_build\miniruby.exe
-v ..\sudoku-solver.rb
ruby 1.9.2dev (2010-05-31 revision 28117) [x86_64-mingw32]
time elapsed: 2.486142 sec.

Luis Lavena

Jun 12, 2010, 2:11:31 AM
to rubyin...@googlegroups.com
On Fri, Jun 11, 2010 at 3:18 PM, Alexey Borzenkov <sna...@gmail.com> wrote:
> Hi Luis,
>
> I checked and it doesn't seem to be infected. Maybe Avira's heuristics
> are tipped off by combination of factors, like a gui application that
> is compiled with gcc and is using Tls callbacks, but I can't know for
> sure.
>

For the record:

http://sourceforge.net/mailarchive/forum.php?thread_name=2AE133325861D243B8E2EB86E4E73E850DFC0B%40italy.ats.atsincorp.com&forum_name=mingw-users

David Sanders

Jun 11, 2010, 8:31:20 PM
to rubyin...@googlegroups.com
I will email it off to Avira to see what they have to say.

D

David Sanders

Jun 14, 2010, 8:14:49 AM
to rubyin...@googlegroups.com
I received the official word from Avira this morning: false positive, and they'll fix it in the next update. Their email is pasted below.

Cheers
D

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00534119.

A listing of files alongside their results can be found below:

File ID   Filename   Size (Byte)   Result
25752535  rubyw.exe  433.46 KB     FALSE POSITIVE


Please find a detailed report concerning each individual sample below:

Filename   Result
rubyw.exe  FALSE POSITIVE

The file 'rubyw.exe' has been determined to be 'FALSE POSITIVE'.
In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Alternatively you can see the analysis result here:
http://analysis.avira.com/samples/details.php?uniqueid=kAJA6wp2h4czAtkrzPLQWmBq4mh6Wgdr&incidentid=534119

An overview of all your submissions can be found here:
http://analysis.avira.com/samples/details.php?uniqueid=kAJA6wp2h4czAtkrzPLQWmBq4mh6Wgdr

Please note: If you have specific questions please address them to sup...@avira.com

Kind regards
Avira Virus Lab


Luis Lavena

Jun 14, 2010, 8:17:54 AM
to rubyin...@googlegroups.com
On Mon, Jun 14, 2010 at 8:14 AM, David Sanders <dsan...@opensoftco.com> wrote:
> I received the official word from Avira this morning: false positive, and they'll fix it in the next update. Their email is pasted below.

Nice to hear that; luckily we will not get any more false positives.
