Hi,
On Thu, 17 Jul 2014, Thomas Braun wrote:
> > I tried the 1.9.4 preview 20140611 installer and got the same Trojan
> > warning from F-Prot. Scanning the net shows that this TclPip85.dll has had
> > several (30+) hits from a variety of scanners, not just semantic. In the
> > past I have not seen this (I have 1.8.1 installed). Are you certain that
> > there is nothing fishy about TclPip85.dll ? One scan site says it is just
> > adware.
Ah, yes. Antivirus programs randomly giving false alarms, costing us
joyful time.
Not the first time. So far, our track record is 4:0. Four times false
alarm. In terms of time spent to work with the antivirus companies to
resolve *their* problem, we have an even more damning result (hint: there
is also a 0 on their side in that respect).
> The file tclpip85.dll is in the repository msysgit/msysgit as
> /mingw/bin/tclpip85.dll, and has been there since two years unchanged.
>
> I have prepared the latest release. My avira scanner did not complain
> about anything "problematic".
>
> If you want to investigate further, please rebuild tcl in the msysgit
> repository and we can compare the resulting tclpip85.dll.
That would be one way, rebuilding Tcl/Tk but please note that the
resulting .dll has to be expected to be different, in particular if you
use a different compiler. But even if you don't, expect differences
because the .dll file format includes time date stamps (and not only one)
and a checksum that is different because of the different time date
stamps.
In the case of tclpip85.dll as it is in msysGit, you must expect
differences at the following offsets:
global time date stamp
0x00000088+4
global checksum
0x000000d8+4
import table time date stamp
0x00001604+4
Oh, and the report failed to provide a hash of the file in question. At
least on my side, I do not want such a slip to happen, so:
$ md5sum /mingw/bin/tclpip85.dll
ad3495c3e0a307af0eb159ab48d3bc9b */ming/bin/tclpip85.dll
Now, the version we have was compiled by a trusted developer on a trusted
machine using the same setup as previous versions of Tcl/Tk.
On the other hand, there is a software company with a striking track
record of not even responding to our requests for assistance, let alone
fixing their buggy software. It is too bad that they managed to get their
engine included in so many "different" products.
Therefore it looks once again like I invested infinitely more time than
Semantic to diagnose a false alarm of theirs.
This is starting to not be funny anymore. Oh wait, it is already not funny
anymore.
So here is the deal: future "bug" reports about trojans, worms, viruses
etc must be accompanied by *proof* of an infection. That can be a
desinfected version of the file or a detailed analysis by the antivirus
company itself (which customers of said company are in a *much stronger*
position to ask for).
My time is *valuable* and I am no longer willing to have antivirus
companies waste it so nonchalantly.
Ciao,
Johannes