Exploit-ByteVerify,Trojan detected by McAfee Total Protection 4.5.5.0


Ric Emery

Nov 26, 2018, 11:24:37 PM
to equalsverifier
Hello,

Running a virus scan against equalsverifier-3.0.3.jar, equalsverifier-3.0.2.jar or equalsverifier-3.0.jar is returning an Exploit-ByteVerify,Trojan error for EqualsVerifierBugException.class. I am running McAfee Total Protection 4.5.5.0 on macOS.


To determine if this was a McAfee issue, I had a coworker run a virus scan using VirusBarrier. VirusBarrier reported a different issue - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Java/CVE-2012-1723!generic on TypeWriter$Default$ClassDump.class.




Is this a known issue that virus scans are reporting problems with the 3.x equalsverifier jars?

Thanks

Jan Ouwens

Nov 27, 2018, 3:16:56 AM
to equalsv...@googlegroups.com
Hi,

I wasn't aware of this, no.

In a way, I'm not so surprised: EqualsVerifier has 3 dependencies which it bundles within its jar file: ASM, Byte-Buddy and Objenesis. They all deal with bytecode manipulation in one way or another, and they could each be very useful in the toolkit of someone who wants to write malware. The TypeWriter$Default$ClassDump.class in your second example comes directly from Byte-Buddy, for example. Can you check if the virus scanner also flags the jar files of these libraries? (You may have to download them manually, since they're not transitive dependencies of EqualsVerifier but are bundled in the jar file itself.) By the way, according to Microsoft's website only JDKs and JREs of version 7 and below are affected; EqualsVerifier 3.0 and up require Java 8 or higher, so in this case you should be safe.

I'm surprised that the McAfee scan flags EqualsVerifierBugException.class though. It's a very boring class. Can you give me more information about what this Exploit-ByteVerify,Trojan error means? If there's some change I can make that fixes this warning, I'm certainly willing to do so, but I don't know what the issue is :).


Regards,
Jan
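
Added example, not part of the original thread or of EqualsVerifier: one way to triage a scanner hit on a fat jar is to locate each flagged class inside the archive and attribute it to the project or to a bundled library before retesting the upstream jars. The sample jar, its entry paths and the `attribute_flagged` helper are constructed for illustration; the package segments used for matching (`bytebuddy`, `asm`, `objenesis`) are assumed from the libraries' usual package names.

```python
import hashlib
import io
import zipfile

# Package path segments of the three bundled libraries named in the thread
# (assumed from their usual package names). Matching a path segment rather
# than a prefix also catches relocated (shaded) copies.
BUNDLED = {"bytebuddy": "Byte-Buddy", "asm": "ASM", "objenesis": "Objenesis"}


def attribute_flagged(jar_bytes, flagged_classes):
    """Map each flagged class file name to (entry path, origin, sha256) tuples."""
    report = {name: [] for name in flagged_classes}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            *dirs, leaf = info.filename.split("/")
            if leaf not in report:
                continue
            origin = next((BUNDLED[d] for d in dirs if d in BUNDLED), "project code")
            # The digest identifies the exact bytes when reporting a suspected
            # false positive to the scanner vendor or the upstream library.
            digest = hashlib.sha256(jar.read(info)).hexdigest()
            report[leaf].append((info.filename, origin, digest))
    return report


def build_sample_jar():
    """Constructed stand-in for a fat jar; paths and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("example/project/EqualsVerifierBugException.class",
                     b"\xca\xfe\xba\xbeA")
        jar.writestr("example/shaded/net/bytebuddy/dynamic/scaffold/"
                     "TypeWriter$Default$ClassDump.class", b"\xca\xfe\xba\xbeB")
        jar.writestr("example/shaded/org/objenesis/Objenesis.class",
                     b"\xca\xfe\xba\xbeC")
    return buf.getvalue()


if __name__ == "__main__":
    flagged = ["EqualsVerifierBugException.class",
               "TypeWriter$Default$ClassDump.class"]
    for name, hits in attribute_flagged(build_sample_jar(), flagged).items():
        for path, origin, digest in hits:
            print(f"{name}: {origin} ({path}) sha256={digest[:16]}...")
```

A hit attributed to a bundled library can then be retested against that library's own jar, while a hit in project code belongs with the project's maintainer.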

Ric Emery

Nov 27, 2018, 8:51:35 AM
to equalsverifier
Hello,

Thanks for the response Jan.

I think that the Exploit-ByteVerify,Trojan is https://www.symantec.com/security-center/writeup/2003-090514-4048-99. And it is noted that it only affects the Microsoft Java Virtual Machine. Since this virus is noted on the Microsoft VM, the virus doesn't seem all that applicable. I am mainly concerned since two virus scanners both show different issues.

I will have my coworker scan ByteBuddy with VirusBarrier. I don't have VirusBarrier installed. I will get back to you on that. McAfee shows ByteBuddy as clean.

Note that I am going to be offline for a few days. I will not be able to post to this thread after mid morning US West Coast time today. I will be back online on Friday.

Thanks again.

Ric Emery

Nov 27, 2018, 12:05:12 PM
to equalsverifier
Hello Jan,

Scanning just byte-buddy-1.9.4.jar with VirusBarrier also shows the Java/CVE-2012-1723 issue, which is not surprising.
I searched the byte-buddy mailing list and Stack Overflow to see if anyone has commented. I was unable to find any discussion.

Though I agree that it is not unexpected that a bytecode manipulation library would be flagged as containing vulnerabilities.

Jan Ouwens

Nov 27, 2018, 2:17:05 PM
to Ric Emery, equalsv...@googlegroups.com
Hi Ric,

I've looked at the Exploit-ByteVerify,Trojan link you provided, but it doesn't give me much of a clue what's going on and how I can fix EqualsVerifier. And since it's only relevant on an old, defunct platform that EqualsVerifier doesn't even run on, I feel like this is out of my control. I don't think there is much that I can do for you here. If you can think of something though, please let me know.

As for the VirusBarrier issue, you could report that with Byte Buddy. I keep up with their releases, so if they fix it, it will be in EqualsVerifier soon enough. Although I suspect you'll get a similar response from them as you did from me.


Regards,
Jan

Jan Ouwens

Nov 28, 2018, 7:27:00 AM
to Ric Emery, equalsv...@googlegroups.com
I just got a heads-up from Sonatype about the Exploit-ByteVerify,Trojan issue. A security check on their end also brought it up.

They say their security experts think it's a false positive, but nevertheless I've asked them if there is something I can do to fix it. Maybe something will turn up.


Jan

Ric Emery

Nov 29, 2018, 9:55:49 AM
to equalsverifier
Cool. Thanks!

Jan Ouwens

Dec 29, 2018, 7:56:33 AM
to equalsv...@googlegroups.com
Hi Ric,

Just to let you know, I just released version 3.1.3 which should fix this issue.


Jan

Ric Emery

Dec 31, 2018, 1:39:08 PM
to equalsv...@googlegroups.com
Thanks. I will double check as soon as I get a chance.

Ric Emery

Jan 2, 2019, 4:14:53 PM
to equalsv...@googlegroups.com
Hello Jan,

We tested with the 3.1.4 version of Equals Verifier. McAfee no longer reports the jar as containing a trojan. 
VirusBarrier still complains.


