Re: Trojan


Thomas Ferris Nicolaisen

Jun 13, 2013, 4:35:12 AM
to git-...@googlegroups.com, msy...@googlegroups.com
On Thursday, June 13, 2013 2:14:50 AM UTC+2, Andrew Gray wrote:
Hi All,

I just tried downloading the latest version from git-scm.com and at the download Semantic scanned it and rejected it due to the presence of a Trojan malware.

Just letting the community know.  Someone might want to take a look into it.


I'm guessing this is a false positive from Semantic's side, but I'll add the msysgit group on cc in case they're interested. I'm assuming that you're on Windows.

Pat Thoyts

Jun 13, 2013, 5:27:53 AM
to Thomas Ferris Nicolaisen, git-...@googlegroups.com, msysGit
It's worth checking with a site like virustotal to see what the other
scanners think of the file. In this case:
https://www.virustotal.com/en/file/ddd2e02aec58c48ae6812a7df0287b03c6c26063fe5ac36bf757efd60fd7d2e4/analysis/
shows that only 1 of 46 scanners thinks it is suspicious. The sha1sum
of the downloaded file (c1f95ba90bd914bcfe1fcfad3886f553789cce10)
matches that of the file I originally created.

Johannes Schindelin

Jun 13, 2013, 11:27:32 AM
to Thomas Ferris Nicolaisen, git-...@googlegroups.com, msy...@googlegroups.com
Hi,
Yes, this is a false positive on Semantic's side. Unfortunately, despite
my substantial efforts -- for several weeks -- to work with *anybody* on
their side to help resolve this problem, nothing was resolved. A number of
quite disheartening mails were sent my way, though.

At this point I can only conclude that Semantic is not interested in
fixing their software (the bug is on their side, not ours).

Therefore I cannot do anything else than to discourage strongly the use of
any of Semantic's products.

Sorry for the bad news,
Johannes

and...@totallyevil.com

Jul 16, 2014, 1:42:44 PM
to msy...@googlegroups.com, git-...@googlegroups.com
I tried the 1.9.4 preview 20140611 installer and got the same Trojan warning from F-Prot. Scanning the net shows that this TclPip85.dll has had several (30+) hits from a variety of scanners, not just semantic. In the past I have not seen this (I have 1.8.1 installed). Are you certain that there is nothing fishy about TclPip85.dll? One scan site says it is just adware.

This is the official log from F-Prot:

Found file, C:\Program Files (x86)\Git\bin\tclpip85.dll, infected with W32/GenTroj.V.gen!Eldorado

-- Jake

Thomas Braun

Jul 17, 2014, 1:22:41 AM
to and...@totallyevil.com, msy...@googlegroups.com, git-...@googlegroups.com

> I tried the 1.9.4 preview 20140611 installer and got the same Trojan
> warning from F-Prot. Scanning the net shows that this TclPip85.dll has had
> several (30+) hits from a variety of scanners, not just semantic. In the
> past I have not seen this (I have 1.8.1 installed). Are you certain that
> there is nothing fishy about TclPip85.dll ? One scan site says it is just
> adware.
>
> This is the official log from F-Prot:
>
>
> Found file, C:\Program Files (x86)\Git\bin\tclpip85.dll, infected with
> W32/GenTroj.V.gen!Eldorado

The file tclpip85.dll is in the repository msysgit/msysgit as
/mingw/bin/tclpip85.dll, and has been there unchanged for two years.

I have prepared the latest release. My Avira scanner did not complain
about anything "problematic".

If you want to investigate further, please rebuild tcl in the msysgit
repository and we can compare the resulting tclpip85.dll.

Thomas

Johannes Schindelin

Jul 17, 2014, 10:17:29 AM
to Thomas Braun, and...@totallyevil.com, msy...@googlegroups.com, git-...@googlegroups.com
Hi,

On Thu, 17 Jul 2014, Thomas Braun wrote:

> > I tried the 1.9.4 preview 20140611 installer and got the same Trojan
> > warning from F-Prot. Scanning the net shows that this TclPip85.dll has had
> > several (30+) hits from a variety of scanners, not just semantic. In the
> > past I have not seen this (I have 1.8.1 installed). Are you certain that
> > there is nothing fishy about TclPip85.dll ? One scan site says it is just
> > adware.

Ah, yes. Antivirus programs randomly giving false alarms, costing us
joyful time.

Not the first time. So far, our track record is 4:0. Four times false
alarm. In terms of time spent to work with the antivirus companies to
resolve *their* problem, we have an even more damning result (hint: there
is also a 0 on their side in that respect).

> The file tclpip85.dll is in the repository msysgit/msysgit as
> /mingw/bin/tclpip85.dll, and has been there unchanged for two years.
>
> I have prepared the latest release. My Avira scanner did not complain
> about anything "problematic".
>
> If you want to investigate further, please rebuild tcl in the msysgit
> repository and we can compare the resulting tclpip85.dll.

That would be one way, rebuilding Tcl/Tk, but please note that the
resulting .dll has to be expected to be different, in particular if you
use a different compiler. But even if you don't, expect differences
because the .dll file format includes time date stamps (and not only one)
and a checksum that is different because of the different time date
stamps.

In the case of tclpip85.dll as it is in msysGit, you must expect
differences at the following offsets:

global time date stamp         0x00000088+4
global checksum                0x000000d8+4
import table time date stamp   0x00001604+4

Oh, and the report failed to provide a hash of the file in question. At
least on my side, I do not want such a slip to happen, so:

$ md5sum /mingw/bin/tclpip85.dll
ad3495c3e0a307af0eb159ab48d3bc9b */ming/bin/tclpip85.dll

Now, the version we have was compiled by a trusted developer on a trusted
machine using the same setup as previous versions of Tcl/Tk.

On the other hand, there is a software company with a striking track
record of not even responding to our requests for assistance, let alone
fixing their buggy software. It is too bad that they managed to get their
engine included in so many "different" products.

Therefore it looks once again like I invested infinitely more time than
Semantic to diagnose a false alarm of theirs.

This is starting to not be funny anymore. Oh wait, it is already not funny
anymore.

So here is the deal: future "bug" reports about trojans, worms, viruses
etc must be accompanied by *proof* of an infection. That can be a
disinfected version of the file or a detailed analysis by the antivirus
company itself (which customers of said company are in a *much stronger*
position to ask for).

My time is *valuable* and I am no longer willing to have antivirus
companies waste it so nonchalantly.

Ciao,
Johannes
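
Pat Thoyts's hash comparison earlier in the thread and the list of offsets above (the fields that legitimately differ between two builds of the same source) can be combined into one check. The script below is an added example, not code from this thread or from the msysGit project: it reports the SHA-1 and MD5 a bug report should carry, parses the PE headers to locate the COFF TimeDateStamp, the optional-header CheckSum and the TimeDateStamp of each import descriptor (the three fields listed in the post), and compares two builds byte-for-byte everywhere else, labelling any difference outside those fields as unexpected. The function names are assumptions, and the sample PE it builds is constructed so that those fields land at 0x88, 0xd8 and 0x1604 exactly as in the post; it is not a loadable binary. Other volatile fields (bound-import timestamps, debug directory entries) are not handled here.

```python
"""Compare two builds of a PE file while ignoring build-time metadata (added example)."""
import hashlib
import struct


def file_hashes(data: bytes) -> dict:
    """Digests to quote in a report (sha1 and md5, as used in the thread)."""
    return {"sha1": hashlib.sha1(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}


def _rva_to_offset(rva: int, sections) -> int:
    """Map a relative virtual address to a file offset via the section table."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def volatile_offsets(data: bytes):
    """Locate (offset, length, label) of the fields that differ between otherwise
    identical builds: COFF TimeDateStamp, OptionalHeader CheckSum and the
    TimeDateStamp of every IMAGE_IMPORT_DESCRIPTOR in the import table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24                                          # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    fields = [(pe + 8, 4, "COFF TimeDateStamp"),
              (opt + 64, 4, "OptionalHeader CheckSum")]
    # Data directories begin at +96 (PE32) or +112 (PE32+); import table is entry 1.
    dd_base = opt + (96 if magic == 0x10B else 112)
    import_rva, _import_size = struct.unpack_from("<II", data, dd_base + 8)
    sections = []
    for i in range(nsections):
        s = opt + opt_size + 40 * i
        _name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, s)
        sections.append((va, raw_ptr, raw_size))
    if import_rva:
        desc = _rva_to_offset(import_rva, sections)
        while True:  # walk 20-byte descriptors until the all-zero terminator
            _chars, _ts, _fwd, name_rva, thunk = struct.unpack_from("<IIIII", data, desc)
            if name_rva == 0 and thunk == 0:
                break
            fields.append((desc + 4, 4, "ImportDescriptor TimeDateStamp"))
            desc += 20
    return fields


def explain_diff(a: bytes, b: bytes):
    """Every differing byte offset, labelled with the volatile field it belongs to,
    or 'UNEXPECTED' when it falls outside the known build-metadata fields."""
    labels = {}
    for off, length, name in volatile_offsets(a):
        for i in range(off, off + length):
            labels[i] = name
    out = []
    for i in range(max(len(a), len(b))):
        ca = a[i] if i < len(a) else None
        cb = b[i] if i < len(b) else None
        if ca != cb:
            out.append((i, labels.get(i, "UNEXPECTED")))
    return out


def same_modulo_build_metadata(a: bytes, b: bytes) -> bool:
    """True when the two images differ only in timestamps and checksum."""
    return all(label != "UNEXPECTED" for _, label in explain_diff(a, b))


def build_sample_pe(coff_ts: int, checksum: int, import_ts: int,
                    payload: bytes = b"\x90" * 16) -> bytes:
    """Constructed toy PE32 (not loadable) laid out so the volatile fields sit at
    0x88, 0xd8 and 0x1604, the offsets quoted in the thread for tclpip85.dll."""
    img = bytearray(0x1800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                # e_lfanew = 0x80
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, coff_ts, 0, 0, 0xE0, 0x2102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, opt + 64, checksum)        # CheckSum at 0xd8
    struct.pack_into("<II", img, opt + 96 + 8, 0x2000, 40)  # import dir RVA/size
    sec = opt + 0xE0
    struct.pack_into("<8sIIII", img, sec, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", img, sec + 40, b".rdata", 0x200, 0x2000, 0x200, 0x1600)
    img[0x200:0x200 + len(payload)] = payload
    # One import descriptor at file offset 0x1600 (RVA 0x2000), then the null terminator.
    struct.pack_into("<IIIII", img, 0x1600, 0x2100, import_ts, 0, 0x2200, 0x2300)
    return bytes(img)


if __name__ == "__main__":
    a = build_sample_pe(0x51D9A000, 0x1234, 0x51D9A001)
    b = build_sample_pe(0x53C7F000, 0x5678, 0x53C7F001)
    print("A:", file_hashes(a)["sha1"], " B:", file_hashes(b)["sha1"])
    for off, label in explain_diff(a, b):
        print(f"{off:#010x} {label}")
    print("same modulo build metadata:", same_modulo_build_metadata(a, b))
```

Run against two real builds, the script's verdict is only as good as the header walk: a difference it labels UNEXPECTED is the thing to examine next, and a clean result still says nothing about what the DLL does, only that the two builds agree outside their timestamps and checksum.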

Pat Thoyts

Jul 17, 2014, 2:19:17 PM
to Johannes Schindelin, Thomas Braun, and...@totallyevil.com, msysGit, git-...@googlegroups.com
This file can be removed from our Git installation I reckon. This is
for connecting subprocess pipes in a pre-Windows NT environment. As we
don't support that with Git for Windows the dll could likely be
dropped without problem. A quick test deleting the file from a Tcl 8.5
tree and checking that a command pipe works ok was successful on
Windows Server 2008. Should be fine for everything newer than Windows
2000 I think.

Also, more relevantly, I removed this dll from my local Git
installation and ran gitk for a bit. That was also fine. Note that
this tclpip*.dll is no longer shipped with Tcl 8.6 (as pre-NT support
was dropped for the 8.6 release). The commit comment related to this:

commit 9bc0d489df79aafac017be614cb33ff31c455983
Author: hobbs <hobbs>
Date: Wed Aug 4 21:37:18 2010 +0000

* win/Makefile.in, win/makefile.bc, win/makefile.vc, win/tcl.dsp:
* win/tclWinPipe.c (TclpCreateProcess):
* win/stub16.c (removed): removed Win9x tclpip8x.dll build and
16-bit application loader stub support. Win9x is no longer
supported.

Pat Thoyts.