False malware report for metamath.exe executable?

Norman Megill

Apr 3, 2021, 12:43:28 AM
to Metamath
The company hosting us.metamath.org flagged metamath.exe as malware and has suspended the site. I have temporarily redirected us.metamath.org to a mirror server. As a precaution, I have also removed copies of metamath.exe from all servers until this is resolved.  (It may take a day or two for the removal to propagate completely.)

The hosting company ran an apparently older version of ClamAV, which detected metamath.exe as malware:

Engine version: devel-clamav-0.99-beta1-632-g8a582c7
/home2/nmegill/public_html/metamath/metamath.exe: Atomicorp.honeypot.hex.Trojan.IRCBot-568.UNOFFICIAL FOUND

I ran the latest version of ClamAV, which did not detect metamath.exe as malware:

Engine version: 0.103.1
C:\Users\Norm\Downloads\clamav-0.103.1-win-x64-portable\metamath.exe: OK

As an additional indication that their malware report is false, devel-clamav-0.99-beta1-632-g8a582c7 also reported that 2 web server ASCII log files were malware, which seems absurd.  Version 0.103.1 did not report these.

Here are the statistics for the metamath.exe that was flagged. It matches exactly the metamath.exe copies on my local computers.

$ ls -l metamath.exe
-rwxrwx---+ 1 Norm None 661008 Jan 2 00:55 metamath.exe

$ sha256sum metamath.exe
98d292206a3e23ef2d2476aa600ad1ddf7118343c01595ca42be78d2d8de0c2d *metamath.exe

In theory, I suppose the compiler itself could compile a trojan into target programs. metamath.exe was compiled with the LCC-Win32 version of 5-Feb-2013 (apparently LCC-Win32 doesn't have version numbers that I could find).

If anyone wants to analyze the file with a different AV program (I would appreciate that), it can temporarily be obtained from:
http://us2.metamath.org/metamath/metamath.exe.bad
Obviously, download this at your own risk.

My guess is that their ClamAV version is buggy and that this is a false alarm.  Sorry for the inconvenience.

Norm
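
As an added example (not code from the thread or the Metamath project), the two checks Norm describes above in Python: verifying that a downloaded copy matches the quoted size and SHA-256 digest, and parsing clamscan output from two engine runs to list the files on which they disagree. The scan lines are the ones quoted in the post, embedded as constructed sample input.

```python
import hashlib
import re

# Reference values quoted in the first post (`ls -l` size and `sha256sum` digest).
EXPECTED_SIZE = 661008
EXPECTED_SHA256 = "98d292206a3e23ef2d2476aa600ad1ddf7118343c01595ca42be78d2d8de0c2d"

# clamscan prints one line per file: "<path>: OK" or "<path>: <signature> FOUND".
SCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")


def verify_bytes(data, size=EXPECTED_SIZE, sha256=EXPECTED_SHA256):
    """Check a downloaded copy against the published size and SHA-256 digest."""
    digest = hashlib.sha256(data).hexdigest()
    return {"size_ok": len(data) == size, "sha256_ok": digest == sha256}


def parse_clamscan(output):
    """Map each scanned file name to its signature name, or None when reported OK."""
    results = {}
    for line in output.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            # Key by bare file name so scans of the same binary on different hosts line up.
            name = m.group("path").replace("\\", "/").rsplit("/", 1)[-1]
            results[name] = m.group("sig")
    return results


def compare_engines(old_output, new_output):
    """Return {name: (old_sig, new_sig, third_party)} for files the two runs disagree on.
    ClamAV appends ".UNOFFICIAL" to signatures loaded from third-party databases,
    so that suffix shows the hit did not come from the official ClamAV signature set."""
    old, new = parse_clamscan(old_output), parse_clamscan(new_output)
    diffs = {}
    for name in old.keys() & new.keys():
        if old[name] != new[name]:
            sig = old[name] or new[name]
            diffs[name] = (old[name], new[name], sig.endswith(".UNOFFICIAL"))
    return diffs


# Constructed sample input: the two scan result lines quoted in the post.
OLD_SCAN = "/home2/nmegill/public_html/metamath/metamath.exe: Atomicorp.honeypot.hex.Trojan.IRCBot-568.UNOFFICIAL FOUND\n"
NEW_SCAN = "C:\\Users\\Norm\\Downloads\\clamav-0.103.1-win-x64-portable\\metamath.exe: OK\n"

if __name__ == "__main__":
    print(compare_engines(OLD_SCAN, NEW_SCAN))
```

To check a file on disk, pass `open(path, "rb").read()` to `verify_bytes`; a size match with a digest mismatch means the copy is not the one Norm published.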

vvs

Apr 3, 2021, 8:09:17 AM
to Metamath
Apparently someone already submitted it to virustotal. Here is the result (3/69, false positive, IMHO):


Norman Megill

Apr 5, 2021, 3:52:11 PM
to Metamath
I received a response from Malwarebytes concerning the VirusTotal detection:

(begin quote)
Our engine format and configuration in VirusTotal is different than our products' default configuration. In VirusTotal we use a command-line engine with more aggressive detection techniques and heuristics which might detect more than the commercial product. This is the norm with most if not all other antivirus vendors in VirusTotal.

I scanned the file and it is not detected. Thanks for reporting.

cli
Research Engineer
Malwarebytes Staff
(end quote)

Still waiting for a response from Acronis.

Norm