[boost] TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1


Zipper Fish via Boost

Jul 26, 2018, 6:08:49 PM
to bo...@lists.boost.org, Zipper Fish
Dear boost developers and/or release managers:

Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows binaries
downloads page:
https://dl.bintray.com/boostorg/release/1.67.0/binaries/

The file contains a Trojan, according to Windows Defender.

Screenshot:
https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-26%2016_29_52-Windows%20Defender%20Security%20Center.jpg

Someone should verify this & check the other pre-built binaries ASAP to
reduce exposure.

Thank you & best regards


Mateusz Loskot via Boost

Jul 26, 2018, 6:42:19 PM
to bo...@lists.boost.org, Mateusz Loskot
Read this thread
https://lists.boost.org/Archives/boost/2018/05/242200.php

It's always a good idea to search through the list archives first.

Mateusz Loskot, mat...@loskot.net
(Sent from mobile)

On Fri, 27 Jul 2018, 00:08 Zipper Fish via Boost, <bo...@lists.boost.org>
wrote:

Zipper Fish via Boost

Jul 26, 2018, 10:46:59 PM
to bo...@lists.boost.org, Zipper Fish
Thank you

Ok, I'll whitelist the file "boost_1_67_0-msvc-14.1-64.exe" with some
trepidation and try installing.

I normally do search archives and Google extensively for code issues, but
for a positive hit from a virus detector, it wasn't the first idea that
popped into my head.

Just curious, why would a boost installer trigger virus detectors? Is the
virus executable linked to a boost library?

Paul A. Bristow via Boost

Jul 27, 2018, 4:19:18 AM
to bo...@lists.boost.org, Paul A. Bristow
You could download and unzip the zipped version instead if that makes you feel better?

https://www.boost.org/users/download/

My experience is that several virus checkers intermittently but persistently find false positives in Boost libraries that I
re-build; I have been reduced to placing them in a separate partition which is not virus checked.

(Since Microsoft use Boost internally, I am puzzled why this issue hasn't caused some liaison between the C++ users and the Defender
team).

Don't panic!

Paul

---
Paul A. Bristow
Prizet Farmhouse
Kendal UK LA8 8AB
+44 (0) 1539 561830

degski via Boost

Jul 27, 2018, 8:07:12 AM
to boost, degski
On 27 July 2018 at 11:19, Paul A. Bristow via Boost <bo...@lists.boost.org>
wrote:

> (Since Microsoft use Boost internally, I am puzzled why this issue hasn't
> caused some liaison between the C++ users and the Defender
> team).
>

Possibly because they (the MS people) exclude their build directories (on
some build server) from scanning by Defender in the settings of that server
(if not turned off altogether), no need to create a partition.

degski
--
*"If something cannot go on forever, it will stop" - Herbert Stein*

Zipper Fish via Boost

Jul 27, 2018, 10:01:03 AM
to bo...@lists.boost.org, Zipper Fish
Paul, I already feel good and am not panicking, but thank you for your
concern :-)

I am interested in the Windows 3rd party binaries because I try to avoid
building boost manually on Windows if at all possible. As you know, the
Windows Zip file does not contain binaries for the non-header-only parts of
boost.

I already gathered your strategy about using a separate partition to beat
the virus checkers from the archive link that Mateusz shared.

As I wrote in my response to Mateusz, I am simply curious why a virus
checker would flag a false positive in compiled boost libraries. Is it
because viruses use boost libraries? I've used quite a number of libraries
over the years and none that I can recall had this issue. (If this is off
topic, my apologies.)

Best regards

Mateusz Loskot via Boost

Jul 27, 2018, 10:26:04 AM
to bo...@lists.boost.org, Mateusz Loskot
On 27 July 2018 at 03:55, Zipper Fish via Boost <bo...@lists.boost.org> wrote:
>
> Just curious, why would a boost installer trigger virus detectors? Is the
> virus executable linked to a boost library?

No idea, sorry.

Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net

Paul A. Bristow via Boost

Jul 27, 2018, 11:35:51 AM
to bo...@lists.boost.org, Paul A. Bristow
> -----Original Message-----
> From: Boost [mailto:boost-...@lists.boost.org] On Behalf Of Mateusz Loskot via Boost
> Sent: 27 July 2018 15:25
> To: bo...@lists.boost.org
> Cc: Mateusz Loskot
> Subject: Re: [boost] TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1
>
> On 27 July 2018 at 03:55, Zipper Fish via Boost <bo...@lists.boost.org> wrote:
> >
> > Just curious, why would a boost installer trigger virus detectors? Is the
> > virus executable linked to a boost library?
>
> No idea, sorry.

Nor me neither - virus checkers work in mysterious ways - and have always suffered from false positives.

Paul

Robert Ramey via Boost

Jul 27, 2018, 1:44:09 PM
to Zipper Fish via Boost, Robert Ramey
Why do we even bother distributing binaries any more. Boost is a source
code product.

Robert Ramey

degski via Boost

Jul 27, 2018, 11:09:43 PM
to boost, degski
On 27 July 2018 at 16:14, Zipper Fish via Boost <bo...@lists.boost.org>
wrote:

> Paul, I already feel good and am not panicking, but thank you for your
> concern :-)
>

As you could have seen in the archive, quite a lot of people have looked at
it, and found it to be not a problem.

> I am interested in the Windows 3rd party binaries because I try to avoid
> building boost manually on Windows if at all possible. As you know, the
> Windows Zip file does not contain binaries for the non-header-only parts of
> boost.
>

You could use vcpkg and build boost (and many other libraries) without any
fuss.

> I already gathered your strategy about using a separate partition to beat
> the virus checkers from the archive link that Mateusz shared.
>

You can add excluded paths to Defender (and other AV's), add the build
directories as well, it will speed up your build.

> As I wrote in my response to Mateusz, I am simply curious why a virus
> checker would flag a false positive in compiled boost libraries.


It's an unsigned executable, the self extractor (tagged on at the end of
the file) is possibly itself compressed. If that is done with upx, it will
be flagged as a virus. There's an optimising exe compressor doing both 32-
and 64-bit exe/dll's called mpress
<https://autohotkey.com/mpress/mpress_web.htm>, this one will not get
flagged (by my experience) ever.

> Is it because viruses use boost libraries? I've used quite a number of
> libraries
> over the years and none that I can recall had this issue. (If this is off
> topic, my apologies.)
>

Before doing anything, check the suspicious file with malwarebytes
<https://www.malwarebytes.com/premium/> (just use the free version), if it
is a problem, mb is very likely to find it. If you dare (and are allowed,
i.e. you don't work for the potus), use kaspersky
<https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool>, it
*will* find it (and remove).

degski
--
*"If something cannot go on forever, it will stop" - Herbert Stein*
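
A static look at the three properties named in the post above (no Authenticode signature, UPX-style section names, data appended after the last section), as an added example that is not part of the original thread. `triage_pe` and `build_sample` are hypothetical names, and the sample image is constructed rather than taken from the Boost installer.

```python
import struct

def triage_pe(data: bytes) -> dict:
    """Report signature presence, UPX-style sections and appended data."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (112 if magic == 0x20B else 96)         # PE32+ vs PE32
    ndirs, = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
    # Data directory 4 is the certificate table; size 0 means no Authenticode blob.
    cert_size = struct.unpack_from("<II", data, dirs + 32)[1] if ndirs > 4 else 0
    names, end = [], 0
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                    # 40-byte section header
        names.append(data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace"))
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return {
        "signed": cert_size > 0,   # presence only; validity is not checked here
        "upx_sections": [n for n in names if n.startswith("UPX")],
        # Bytes past the last section that are not the certificate table.
        "overlay_bytes": max(0, len(data) - end - cert_size),
    }

def build_sample(section_names, overlay=b""):
    """Constructed, header-only PE32+ image used as sample input."""
    opt = bytearray(240)                                 # 112 + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    head = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt)
    raw_start = len(head) + 40 * len(section_names)
    table = b"".join(
        struct.pack("<8sIIII16x", n.encode(), 16, 0x1000 * (i + 1), 16,
                    raw_start + 16 * i)
        for i, n in enumerate(section_names))
    return head + table + bytes(16 * len(section_names)) + overlay

if __name__ == "__main__":
    print(triage_pe(build_sample(["UPX0", "UPX1", ".rsrc"], overlay=b"A" * 100)))
```

None of these properties shows that a file is malicious or clean; they only describe the file traits that the post associates with detections.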

Zipper Fish via Boost

Jul 28, 2018, 2:20:15 AM
to bo...@lists.boost.org, Zipper Fish
Thanks Robert
Have a great day

Bjorn Reese via Boost

Jul 28, 2018, 7:13:34 AM
to Paul A. Bristow via Boost, Bjorn Reese
On 07/27/18 17:35, Paul A. Bristow via Boost wrote:

> Nor me neither - virus checkers work in mysterious ways - and have always suffered from false positives.

Back in the 90s when I was working on virus checkers, they were scanning
the executable for certain revealing code patterns. Back then, those
patterns were found by human analysts.

My guess is that these days the patterns are found automatically, and
if a virus is written using Boost libraries then the virus checkers
will likely detect patterns of Boost code as suspicious.