Windows build 12-22 weekly virus check


Joseph Poirier

Dec 25, 2011, 1:26:57 PM
to golang-nuts
I just received a report from someone that the NOD32 virus scanner
came up positive for the Archbomb Trojan on the latest amd64 weekly
windows build located here
http://gomingw.googlecode.com/files/gowinamd64_weekly.2011-12-22.zip,
my check using MS Security Essentials showed nothing.

Unfortunately the zip file is too large to send to virustotal.com so
if someone has a few minutes to check it against another Anti-Virus
program and confirm it's a false positive it would be greatly
appreciated.

Cheers,
Joe

Avalon

Dec 25, 2011, 4:55:41 PM
to golang-nuts
Hi Joseph, I tested it out with Iolo System Shield 10.5, no infection
found.

Cheers,

Ivo Balbaert

On 25 dec, 19:26, Joseph Poirier <jdpoir...@gmail.com> wrote:
> I just received a report from someone that the NOD32 virus scanner
> came up positive for the Archbomb Trojan on the latest amd64 weekly
> windows build located here http://gomingw.googlecode.com/files/gowinamd64_weekly.2011-12-22.zip,

Alexey Borzenkov

Dec 26, 2011, 2:43:32 PM
to Joseph Poirier, golang-nuts
On Sun, Dec 25, 2011 at 10:26 PM, Joseph Poirier <jdpo...@gmail.com> wrote:
> I just received a report from someone that the NOD32 virus scanner
> came up positive for the Archbomb Trojan on the latest amd64 weekly
> windows build located here
> http://gomingw.googlecode.com/files/gowinamd64_weekly.2011-12-22.zip,
> my check using MS Security Essentials showed nothing.

Archbomb is not a trojan; Archbomb is a term used for archives that
have an unusually high compression ratio, for example a few-kilobyte
archive expanding to a hundred gigabytes of "data". Archbombs are
usually used to DoS automated systems that unpack archives
automatically.

I looked at the archive, and perhaps it is reacting to the unusually
high compression ratios of executables (Go executables have a lot of
debug/runtime information, so they are huge and compress very well,
almost 80%). Anyway, it is not an Archbomb and is probably a false
positive; please send it to ESET and tell them about your experience.

Thanks,
Alexey.

Alexey Borzenkov

Dec 26, 2011, 2:51:19 PM
to Joseph Poirier, golang-nuts

Oh, actually I looked closer and found that go package archive/zip has
an archbomb in testdata, it's called r.zip, which when uncompressed
produces an identical r.zip (so recursive unpacking will go on
indefinitely). ;) While it is unusual for a language to have an
archbomb in their test suite, it's harmless for users (automated
systems without recursion limits are another matter).
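
The two properties discussed in the messages above (compression ratio and recursive unpacking) are the ones an automated unpacker has to bound. The Go pre-scan below is an added example, not part of the thread or of Go's archive/zip; `safe`, `mkzip`, the limit values and the sample archives are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
)

// Assumed limits (not from the thread): nesting depth, per-entry ratio, total inflated bytes.
const maxDepth, maxRatio, maxTotal = 3, 100, 64 << 20

// safe reports whether data stays within the limits; a malformed archive also returns false.
func safe(data []byte, depth int, budget *int64) bool {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil || depth > maxDepth {
		return false
	}
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return false
		}
		body, err := io.ReadAll(io.LimitReader(rc, *budget+1)) // header size fields are not trusted
		rc.Close()
		*budget -= int64(len(body))
		if err != nil || *budget < 0 || uint64(len(body)) > maxRatio*f.CompressedSize64 {
			return false
		}
		if bytes.HasPrefix(body, []byte("PK\x03\x04")) && !safe(body, depth+1, budget) { // nested zip
			return false
		}
	}
	return true
}

// mkzip wraps body in a one-entry deflated zip (constructed sample input).
func mkzip(body []byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.Create("entry.bin")
	f.Write(body)
	w.Close()
	return buf.Bytes()
}

func main() {
	b := int64(maxTotal)
	fmt.Println(safe(mkzip(make([]byte, 1<<20)), 0, &b)) // 1 MiB of zeros
}
```

With a 100:1 limit, the roughly 80% compression (about 5:1) mentioned above passes, while an archive that keeps unpacking to another archive is stopped by the depth limit regardless of its ratio.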

Russ Cox

Jan 8, 2012, 3:23:42 PM
to Alexey Borzenkov, Joseph Poirier, golang-nuts
On Mon, Dec 26, 2011 at 14:51, Alexey Borzenkov <sna...@gmail.com> wrote:
> Oh, actually I looked closer and found that go package archive/zip has
> an archbomb in testdata, it's called r.zip, which when uncompressed
> produces an identical r.zip (so recursive unpacking will go on
> indefinitely). ;) While it is unusual for a language to have an
> archbomb in their test suite, it's harmless for users (automated
> systems without recursion limits are another matter).

That's fantastic. Thanks for tracking that down.

Russ
