Trojans detected in nanopb-0.4.3-windows-x86.zip


Kristian Saenz

Oct 12, 2020, 7:23:00 PM
to nanopb
Hello Petteri,

I just wanted to let you know that a couple of files in nanopb-0.4.3-windows-x86.zip are being detected as trojans. The files are:
generator-bin\nanopb_generator.exe
generator-bin\protoc-gen-nanopb.exe

The threat detected is Trojan:Win32/Zpevdo.B

Petteri Aimonen

Oct 13, 2020, 6:07:51 AM
to nan...@googlegroups.com
Hi,

It's very likely a false positive, it seems like some anti-virus
programs do not like pyinstaller packages. Below is the sha256sum of the
package:

ae4b0bb91c13284160bb1d3be2b2e3d8b59134a48f5335ff764e43643dc59230
nanopb-0.4.3-windows-x86.zip

I've checked that the package that is available from the download server
matches the package that is on my build system.

VirusTotal reports that only a few of the less common programs report
a detection, and they all disagree on what it is:
https://www.virustotal.com/gui/file/ae4b0bb91c13284160bb1d3be2b2e3d8b59134a48f5335ff764e43643dc59230/detection

I think the issue is just that pyinstaller embeds some of its own code
into every generated .exe. If someone makes a trojan using pyinstaller,
poorly made anti-virus definitions flag every pyinstaller package as a
trojan.

Unfortunately most anti-virus programs do not publish enough information
to investigate their claims, so the best course of action is for you to
contact their support or report it as a false positive.

Having code signing for the packages would help avoid false detections,
but unfortunately I cannot currently afford to spend the ~100 USD/year
on a certificate.

--
Petteri
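The check Petteri describes above (hashing the downloaded zip and comparing it with the published sha256sum line) can be scripted so the comparison is not done by eye. The following is an added example, not code from the nanopb project or from anyone in this thread; it parses `sha256sum`-style output, streams the file through SHA-256, and compares digests in constant time. The `sha256sum` line it parses in the test is the one quoted in the message; the file path and manifest names are whatever the caller supplies.

```python
import hashlib
import hmac
import os
import re
import sys

# One line of sha256sum output: "<64 hex digits>  <filename>". A '*' before
# the name marks binary mode on some platforms and is ignored.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")


def parse_sha256sum_line(line):
    """Return (digest_hex_lowercase, filename) from a sha256sum-style line."""
    m = _SUM_LINE.match(line)
    if not m:
        raise ValueError("not a sha256sum line: %r" % line)
    return m.group(1).lower(), m.group(2)


def sha256_of_bytes(data):
    """Hex SHA-256 of an in-memory blob (used by the test and for small files)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(actual_hex, expected_hex):
    """Constant-time, case-insensitive comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_bytes(data, expected_hex):
    return digest_matches(sha256_of_bytes(data), expected_hex)


def verify_file(path, expected_hex):
    return digest_matches(sha256_of_file(path), expected_hex)


def verify_manifest(manifest_lines, directory="."):
    """Check every file named in sha256sum output; return {filename: matched}."""
    results = {}
    for line in manifest_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = parse_sha256sum_line(line)
        results[name] = verify_file(os.path.join(directory, name), digest)
    return results


if __name__ == "__main__":
    # Usage: python verify_sha256.py <downloaded-file> <published-sha256-hex>
    ok = verify_file(sys.argv[1], sys.argv[2])
    print("OK" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

The published digest must come from somewhere other than the download itself (here, the maintainer's message) for the check to mean anything; a matching hash shows the file is the one the maintainer built, not that the file is benign.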

Kristian Saenz

Oct 13, 2020, 8:44:07 AM
to nanopb
I was hoping that it was a false positive, but I would not have known why.

I also checked the sha256 checksum and it matches.

Thank you for checking and responding here.

Regards,
Kristian Saenz

Joseph Tilley

Oct 14, 2020, 9:31:11 AM
to nanopb
Hi Petteri,

The problem is that this is being detected as "Trojan:Win32/Zpevdo.B" by the default Windows 10 security. It is not an obscure virus scanner that is detecting this. I understand that this could still be a false positive, but since this is happening with default Windows 10 security, I imagine many other users will encounter this issue.

Versions of the "nanopb_generator.exe" and "protoc-gen-nanopb.exe" files prior to 0.4.3 did not get flagged by Windows security, so something must have changed. Is a different version of pyinstaller being used to generate the packages?

[Attachment: Screen Shot 2020-10-14 at 8.25.39 AM.png]


Petteri Aimonen

Oct 15, 2020, 1:21:42 AM
to nan...@googlegroups.com
Hi Joseph,

Thanks for the extra information! Weird that virustotal doesn't show any
result for "Microsoft" scanner.

It's worth investigating. Some resources online suggest that a custom
compilation of pyinstaller could help.

I'm now not entirely sure if this commit might have affected Windows
packaging also somehow:
https://github.com/nanopb/nanopb/commit/57b5b38aa13517271ae698a73c95ddc6f183b54f

It did change "python" to "py -3" to make sure that Python 3 gets used
on all systems, but IIRC I only have Python 3 installed on the build
machine anyway.

I'm travelling this week, but if someone wants to investigate and/or add
to the issue tracker, that would be great help.

--
Petteri


Petteri Aimonen

Oct 19, 2020, 3:59:00 AM
to nan...@googlegroups.com
Hi,

I spent a few hours investigating this issue, here is what I was able to
deduce:

1) Windows Defender is up to date on the build machine and does not
identify threats there.

2) The PyInstaller version used in 0.4.2 and 0.4.3 packages is the same.

3) By binary compare, the executable x86 code in the .exe files is the
same between versions. Only embedded Python code changes.

4) Build #98 causes trojan detection even though #99 does not:
https://jpa.kapsi.fi/jenkins/job/nanopb/job/nanopb%20windows/98/
https://jpa.kapsi.fi/jenkins/job/nanopb/job/nanopb%20windows/99/
Those were built on the same machine 27 minutes apart, and the only
difference is the version number in the Python code.
Because the string "0.4.4-dev" is longer than "0.4.3", this changes
alignment for the rest of the binary, which somehow affects the
detection.

However, that's as far as I could get. It is very annoying that Windows
Defender does not tell any details about what it has detected.

I have now updated PyInstaller to 4.0 and rebuilt it locally. Currently
Windows Defender seems happy with it, though some other programs still
consider it suspicious. That's probably due to the way PyInstaller
embeds Python code inside the .exe.

There is an updated nanopb-0.4.3-p1-windows-x86.zip available for
download, sha256 hash is
caab511820b621d844042f7e0857a3dde230798f76d628861ebcfb3f3a7ecca8

--
Petteri
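Points 3 and 4 above (the x86 code is byte-identical between builds, only the embedded Python differs, and a one-string change shifts everything behind it) are the kind of finding a per-region hash comparison makes visible at a glance. The following is an added example, not Petteri's tooling or anything from the nanopb repository: it walks the PE section table of two executables, hashes the headers, each section's raw data and the overlay separately, and reports which regions differ. It assumes, as my own reading of how PyInstaller one-file builds are laid out and not something the thread states, that the embedded Python archive sits in the overlay after the last section. The `build_sample_pe` helper constructs minimal PE32 images purely so the example runs offline; the `.text` bytes and `PYZ` overlay strings are made up for the demo.

```python
import hashlib
import struct
import sys

FILE_ALIGN = 512  # file alignment used for the constructed sample images


def _align(n, a):
    return (n + a - 1) // a * a


def parse_sections(data):
    """Return [(name, raw_offset, raw_size)] from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes; we only need the first five fields
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return sections


def section_digests(data):
    """SHA-256 of the headers, each section's raw bytes, and any trailing overlay."""
    sections = parse_sections(data)
    digests = {}
    first = min((p for _, p, s in sections if s), default=len(data))
    digests["<headers>"] = hashlib.sha256(data[:first]).hexdigest()
    end = first
    for name, ptr, size in sections:
        digests[name] = hashlib.sha256(data[ptr:ptr + size]).hexdigest()
        end = max(end, ptr + size)
    if end < len(data):
        # Bytes after the last section; assumed to hold PyInstaller's archive.
        digests["<overlay>"] = hashlib.sha256(data[end:]).hexdigest()
    return digests


def compare_builds(a, b):
    """Set of region names whose content differs between two PE images."""
    da, db = section_digests(a), section_digests(b)
    return {k for k in da.keys() | db.keys() if da.get(k) != db.get(k)}


def build_sample_pe(sections, overlay=b""):
    """Constructed minimal PE32 image for the demo; not a runnable program."""
    n = len(sections)
    opt = struct.pack("<H", 0x10B) + bytes(94)  # PE32 magic, remaining fields zeroed
    hdr_len = 64 + 4 + 20 + len(opt) + 40 * n
    raw_ptr = _align(hdr_len, FILE_ALIGN)
    table, bodies, vaddr = b"", b"", 0x1000
    for name, body in sections:
        raw_size = _align(len(body), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(body), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += _align(len(body), 0x1000)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, len(opt), 0x0102)
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(_align(hdr_len, FILE_ALIGN), b"\0")
    return headers + bodies + overlay


if __name__ == "__main__":
    # Usage: python pe_region_diff.py build98.exe build99.exe
    with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
        diff = compare_builds(f1.read(), f2.read())
    print("differing regions:", sorted(diff) or "none")
```

Run against two real builds, a result of only `<overlay>` differing says the native bootloader is unchanged and the detection is reacting to the embedded archive, which is what you would want to attach to a false-positive report; `<headers>` or `.text` differing would point back at the build toolchain instead.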

