Re: [Mingw-users] mingw creates trojans from hello world programs?
Amir Eldor
Short story:
I use netbeans on Windows 7 and I get a trojan alert from my free AVG antivirus after compiling and trying to run the program. The AVG false-positives forums suggested checking the file with online scanners prior to submitting a report. Several of them reported a trojan in the file.
Longer story:
I tried removing the older mingw and installing the latset one through sourceforge which has a big link stating "Looking for the latest version? Download mingw-get-inst-20111118.exe (591.9 kB) ".
I ruled out netbeans as I tried to compile a hello world program through the command-line with mingw and still got the alert.
I updated to the latest free AVG 2012.0.1913, but am not sure if it's a false positive because other scanners also reported the infection (I tried VirusTotal and Jotti Virusscan which use several antivirus scanners).
It's late and I'm not thinking right, so I'm not sure what other details I should give.
Thanks in advance.
Ralph Engels
Hash: SHA1
Many antivirus engines heuristics report false positives on programs
it has no knowladge of. For an example try packing an executable with
something like upx and watch how many av engines scream virus trojan
or worse :). To my knowladge unless someone hacked the mingw.org site
the possibility of the package being infected is very small and is
most definatly a false positive. if in doubt upload the file in
question to the AV devs and in most cases they will fix the wrong
detection in an update.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJPKG8WAAoJEIjGvG7Y4HU8+NoH/2G8IBGkdJ+t1VHx8j8c16Vb
lW0kYc8Xy3Xk69RTh3QA2a7KCFmB/6LitLBrKei25IQlQWVIG6s2L3g1scmFYKHx
3dXTOPq+JDUvF/CtXNsCsj7j6m7aXjvpAbJPrIEqnnrcz+qspRUXccRVTG/vujaN
KlLVQ2HYvkPPcTh2j6YiewM+fhTLmtCNsiyOmcUwjZbKZY8OnKfFaOfy5MSnyC8M
i+ETqQxIdc+ohtz8jsaNR2Z5ZlJcCE1/JYivImyyFKT7zh/GrMsYMKfSzXFyBHqC
+v55VqIcLxkwlCH5kVCjWX18DGYIzf4guFVPOfY+B6NGN2JGZvRwpBm7dBh+dic=
=lp7Y
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
MinGW-users mailing list
MinGW...@lists.sourceforge.net
This list observes the Etiquette found at
http://www.mingw.org/Mailing_Lists.
We ask that you be polite and do the same. Disregard for the list etiquette may cause your account to be moderated.
_______________________________________________
You may change your MinGW Account Options or unsubscribe at:
https://lists.sourceforge.net/lists/listinfo/mingw-users
Also: mailto:mingw-use...@lists.sourceforge.net?subject=unsubscribe
Fredrik Jansson
>
> Many antivirus engines heuristics report false positives on programs
> it has no knowladge of. For an example try packing an executable with
> something like upx and watch how many av engines scream virus trojan
> or worse :). To my knowladge unless someone hacked the mingw.org site
> the possibility of the package being infected is very small and is
> most definatly a false positive. if in doubt upload the file in
> question to the AV devs and in most cases they will fix the wrong
> detection in an update.
I have seen a similar problem, f-secure reported various viruses and
trojans in programs I compiled with a recent mingw gcc. For me, the
problem disappeared again (with an f-secure update?) before I got around
to posting to this mailing list.
I wrote a bit about this here (version numbers etc):
http://itsacleanmachine.blogspot.com/2012/01/antivirus-anger.html
I would also strongly suspect this is a false alert, particularly if
it is just a heuristic detector in the anti-virus software.
Best regards
Fredrik Jansson
LRN
Hash: SHA1
On 01.02.2012 2:27, Amir Eldor wrote:
> Short story: I use netbeans on Windows 7 and I get a trojan alert
> from my free AVG antivirus after compiling and trying to run the
> program. The AVG false-positives forums suggested checking the file
> with online scanners prior to submitting a report. Several of them
> reported a trojan in the file.
>
Never trust antivirus scanners. Run free software, obtained from
secure sources (preferably - with signatures), and don't use antivirus
software at all.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJPKQi7AAoJEOs4Jb6SI2Cwjw0IALLT6c8ImCZPKxUC+iqJEs54
DhFq4+1/U7DIiFq5PAK4XPUZwr0HutwQ2QAW9syETScmmZ3nURaZP7MAdHAYenzc
gGKh1Xwflp8eGSvwMTu3mLiWXpuuiOPOd+SyQIVLpD/8efrEfMUAbzwmMAziq4WS
52KCliz1oBwFQjwSxiUQ/Z/NFPLCAauUycIO6aPGNehEvfK0jaivv83ZOr+wqgIY
U6T10fMRR0S+KXvHpvH9ylg9okWKR7Yzk6hiRxbPAIvy1m31NfFjZn6Fdtve1jG2
598Yn+aRgXkCCRv9WPHgsplLOW55oXSOLhWxvVHZOUTWTbAwKbkCwwYqB1TXiJ0=
=iui8
-----END PGP SIGNATURE-----
Amir Eldor
I'll keep you posted.
Earnie Boyd
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01.02.2012 2:27, Amir Eldor wrote:
>> Short story: I use netbeans on Windows 7 and I get a trojan alert
>> from my free AVG antivirus after compiling and trying to run the
>> program. The AVG false-positives forums suggested checking the file
>> with online scanners prior to submitting a report. Several of them
>> reported a trojan in the file.
>>
> Never trust antivirus scanners. Run free software, obtained from
> secure sources (preferably - with signatures), and don't use antivirus
> software at all.
I'll add, if you do run antivirus software, you need to add the
directory or device where you are building software in the "do not
scan" exception list of the antivirus configuration because these
programs will often open a file that is created by configure and cause
the configure heartache when it tries to remove the file. The
configure script is faster than the virus program which is getting in
the way of the configure script trying to determine what is available.
--
Earnie
-- https://sites.google.com/site/earnieboyd
Amir Eldor
I also noticed that the alert pops up in 'debug' mode and not in 'release' mode as the IDEs I know like to call it.
Can anyone send me a hello world executable so I can check if it's only my copy of mingw doing problems? Please change the ".exe" extension to ".monkey" so my gmail won't complain (or do they do this security check not only by extension?).
Again, thank you.
Earnie Boyd
Is this loud enough?
On Wed, Feb 1, 2012 at 11:20 AM, Amir Eldor <amir....@gmail.com> wrote:
> All the tips are very nice for my development machine, but what happens when
> I distribute the file to end users? Be they running AVG or any other
> antiviruses that marked my file as suspicious, they will get the trojan
> alert, won't they?
That's the reason you send the code and binary to the vendor.
> I also noticed that the alert pops up in 'debug' mode and not in 'release'
> mode as the IDEs I know like to call it.
>
Well, if the same code is giving issue with -g switch enabled versus
not give an issue without -g then it is definitely your antivirus
program that is at fault. You'll need to go to them for support.
> Can anyone send me a hello world executable so I can check if it's only my
> copy of mingw doing problems? Please change the ".exe" extension to
> ".monkey" so my gmail won't complain (or do they do this security check not
> only by extension?).
I could but I won't. Someone else may be kind enough to.
--8<--
TRIM THE FAT.
Amir Eldor
wrote:
>
> DO NOT TOP POST. Is this loud enough?
Whatever suits you. I will also wrap text around 78 characters for you.
>
> On Wed, Feb 1, 2012 at 11:20 AM, Amir Eldor <amir....@gmail.com> wrote:
> > All the tips are very nice for my development machine, but what happens
> > when I distribute the file to end users? Be they running AVG or any other
> > antiviruses that marked my file as suspicious, they will get the trojan
> > alert, won't they?
>
> That's the reason you send the code and binary to the vendor.
I don't have a 'vendor'. I'm just a kid playing around with SFML.
>
> > I also noticed that the alert pops up in 'debug' mode and not in 'release'
> > mode as the IDEs I know like to call it.
> >
>
> Well, if the same code is giving issue with -g switch enabled versus not give
> an issue without -g then it is definitely your antivirus program that is at
> fault. You'll need to go to them for support.
>
I tried both with -g and without and I got the same threat alert. I have no
idea what netbeans does but it doesn't really matter now.
THE AVG DOES NOT COMPLAIN WHEN I do not return anything from my main(), or when
I return a non-zero. Returning zero or EXIT_SUCCESS triggers the trojan alert.
It seems to be something local with my computer because a friend of mine tried
the same and didn't get any alerts (though he has a differnet anti-virus).
To summarize things up:
* This seem to happen only on my machine.
* The anti-virus shows no alert when I do not use printf(), no matter the
return value.
* Once I use printf(), and return a zero value, there's an alert.
* If I don't use return on main, there's no alert, but there's a small catch
here. If I use -Wall I get a warning for an int function that returns no
value.
I don't think anyone should reply unless he/she has an interesting soltion to
try or pin-point why does my machine acts weird, but for the sake of the
mailing-lists crawlers out there, someone who might have an issue like me may
find this useful.
>
> > Can anyone send me a hello world executable so I can check if it's only my
> > copy of mingw doing problems? Please change the ".exe" extension to
> > ".monkey" so my gmail won't complain (or do they do this security check not
> > only by extension?).
>
> I could but I won't. Someone else may be kind enough to.
>
Yelling at me because of a n00b-to-mailing-lists top posting? Not being kind
enough? Oh well. Not everyone has the Ubuntu spirit.
> --8<--
>
> TRIM THE FAT.
>
Yes, that's a good idea.
JonY
>>
>> On Wed, Feb 1, 2012 at 11:20 AM, Amir Eldor wrote:
>>> All the tips are very nice for my development machine, but what happens
>>> when I distribute the file to end users? Be they running AVG or any other
>>> antiviruses that marked my file as suspicious, they will get the trojan
>>> alert, won't they?
>>
>> That's the reason you send the code and binary to the vendor.
>
> I don't have a 'vendor'. I'm just a kid playing around with SFML.
>
Your vendor is AVG.
>>
>>> I also noticed that the alert pops up in 'debug' mode and not in 'release'
>>> mode as the IDEs I know like to call it.
>>>
>>
>> Well, if the same code is giving issue with -g switch enabled versus not give
>> an issue without -g then it is definitely your antivirus program that is at
>> fault. You'll need to go to them for support.
>>
>
> I tried both with -g and without and I got the same threat alert. I have no
> idea what netbeans does but it doesn't really matter now.
>
> THE AVG DOES NOT COMPLAIN WHEN I do not return anything from my main(), or when
> I return a non-zero. Returning zero or EXIT_SUCCESS triggers the trojan alert.
> It seems to be something local with my computer because a friend of mine tried
> the same and didn't get any alerts (though he has a differnet anti-virus).
>
> To summarize things up:
>
> * This seem to happen only on my machine.
> * The anti-virus shows no alert when I do not use printf(), no matter the
> return value.
> * Once I use printf(), and return a zero value, there's an alert.
> * If I don't use return on main, there's no alert, but there's a small catch
> here. If I use -Wall I get a warning for an int function that returns no
> value.
>
> I don't think anyone should reply unless he/she has an interesting soltion to
> try or pin-point why does my machine acts weird, but for the sake of the
> mailing-lists crawlers out there, someone who might have an issue like me may
> find this useful.
>
"movl $0,%eax" can "call _printf" looks so dangerous since it appears
commonly in virus code. /sarcasm
I conclusion, uninstall AVG and use something else. It is obviously not
doing its job by making too many false positive alerts. Use whatever
your friend is using, the other AV doesn't seem retarded. Failing that,
use the free one from MS.
>>
>>> Can anyone send me a hello world executable so I can check if it's only my
>>> copy of mingw doing problems? Please change the ".exe" extension to
>>> ".monkey" so my gmail won't complain (or do they do this security check not
>>> only by extension?).
>>
>> I could but I won't. Someone else may be kind enough to.
>>
>
> Yelling at me because of a n00b-to-mailing-lists top posting? Not being kind
> enough? Oh well. Not everyone has the Ubuntu spirit.
Really, you are not doing yourself a favor.