[windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?


[windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

Boost - Dev mailing list
Hi,

One user reported via #boost at cpplang.slack.com that
Windows Defender reported a trojan in the latest Windows binaries.
I checked myself and I can confirm that the latest up-to-date
Windows Defender is detecting Vigorf.A in the installer archive.

Is this a false report?

Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net


_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost

[Attachment: boost-binaries-windows-defender-report.png (18K)]

Re: [windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

Boost - Dev mailing list
Mateusz Loskot wrote:
> Hi,
>
> One user reported via #boost at cpplang.slack.com that Windows Defender
> reported a trojan in the latest Windows binaries.
> I checked myself and I can confirm that the latest up-to-date Windows Defender
> is detecting Vigorf.A in the installer archive.
>
> Is this a false report?

VirusTotal says clean:
https://www.virustotal.com/#/url/b9ac08dd74b171f589b64bd91ba192986f7fe861fa4cf8abd3fad2fe499a2a00/detection 



Re: [windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

Boost - Dev mailing list
Hello,

The VT link checked the *URL*, not the binary itself. As the executable
is above 20MB there's no way (AFAIK) to have it checked by VT.

Vigorf.A is a "generic" detection[1], which basically means that it
classifies the program as malicious based on behaviour or other
heuristics --- thus there often is no definitive single thing that
causes the detection; it's a combination of many small factors. After
taking a quick look at the executable, possible flags are:
* the data to be installed is appended to the executable (often called
overlay or EOF data). This is a technique often used by so-called
"binders", which pack a legitimate and a malicious executable together
and execute both - so the user sees a legitimate program running and
thinks that the whole executable was legitimate.
* the file itself has very high entropy (7.96), which indicates
encrypted or packed data. AVs flag executables with an entropy higher than 6
(thresholds may vary) because, well, encrypted or packed data (from the
POV of the AV) means that data is hidden and thus cannot be analyzed.

I'm not sure how to handle that situation; those are (basically)
necessary for the installer to function. Storing the data unpacked would
bloat the binary way beyond anything sensible, and storing it any other way
(as a resource or in .data) won't help either. Not to mention that this
would require mucking around with InnoSetup.

Maybe Microsoft is willing to create an exception, but then this problem
would just resurface with every new release. Another option might be code signing,
but that requires money, infrastructure and time.

[1]
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win32/Vigorf.A

Am 24.05.2018 um 10:24 schrieb Peter Dimov via Boost:

> Mateusz Loskot wrote:
>> Hi,
>>
>> One user reported via #boost at cpplang.slack.com that Windows
>> Defender reported a trojan in the latest Windows binaries.
>> I checked myself and I can confirm that the latest up-to-date Windows
>> Defender is detecting Vigorf.A in the installer archive.
>>
>> Is this a false report?
>
> VirusTotal says clean:
> https://www.virustotal.com/#/url/b9ac08dd74b171f589b64bd91ba192986f7fe861fa4cf8abd3fad2fe499a2a00/detection

[Attachment: signature.asc (235 bytes)]
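The two heuristic signals described in the message above (appended overlay data and high byte entropy) can be measured directly, so a publisher can see roughly what a generic AV heuristic sees before shipping. The script below is an added example and is not code from the Boost thread or the Boost project: it parses the PE headers with the standard library only, finds where the last section's raw data ends, treats everything after that as overlay, reads the size of any Authenticode certificate from data directory 4 (the signature also lives in the overlay region), and reports Shannon entropy for the whole file and for the overlay alone. The minimal PE it builds for the self-test is constructed in memory and is not a real program; the entropy threshold of 6 and the file-entropy figure of 7.96 come from the message, not from any scanner's published rules.

```python
"""Added example (not from the Boost thread or project): measure appended
overlay data and byte entropy on a PE file, the two heuristic signals the
message above attributes to generic detections such as Vigorf.A.
Usage: python pe_triage.py boost_1_67_0-msvc-14.1-64.exe
Without an argument it runs on a constructed in-memory sample.
"""
import math
import struct
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_overlay(data: bytes):
    """Return (overlay_offset, overlay_size, authenticode_size) for a PE image.

    The overlay is everything past the last byte covered by the headers or by
    any section's raw data. An Authenticode signature, if present, sits in that
    same region; its size comes from data directory 4
    (IMAGE_DIRECTORY_ENTRY_SECURITY), whose first field is a file offset, not an RVA.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:      # PE32+ (64-bit): data directories start at offset 112
        dd_offset = 112
    elif magic == 0x10B:    # PE32 (32-bit): data directories start at offset 96
        dd_offset = 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (size_of_headers,) = struct.unpack_from("<I", data, opt + 60)
    (num_dirs,) = struct.unpack_from("<I", data, opt + dd_offset - 4)
    cert_size = 0
    if num_dirs > 4:
        _cert_offset, cert_size = struct.unpack_from("<II", data, opt + dd_offset + 4 * 8)
    end = size_of_headers
    sections = opt + opt_size
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sections + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    end = min(end, len(data))
    return end, len(data) - end, cert_size


def triage(data: bytes) -> dict:
    """Summarise what an overlay/entropy heuristic would see for this file."""
    offset, size, cert_size = pe_overlay(data)
    return {
        "file_entropy": round(shannon_entropy(data), 2),
        "overlay_offset": offset,
        "overlay_size": size,
        "overlay_entropy": round(shannon_entropy(data[offset:]), 2),
        "authenticode_size": cert_size,
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32+ for the self-test (not a real program): 0x200
    bytes of headers, one 0x200-byte .text section, then the overlay appended."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 60, 0x200)                   # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    section = bytearray(40)
    section[:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", section, 8, 0x200, 0x1000, 0x200, 0x200)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section)).ljust(0x200, b"\0")
    text = b"\xC3" * 0x200                                   # RET instructions as filler
    return headers + text + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read()))
    else:
        print(triage(build_sample_pe(bytes(range(256)) * 64)))
```

On a real installer the overlay will be most of the file and its entropy close to 8; subtracting the Authenticode size tells you how much of that overlay is payload rather than signature.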

Re: [windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

Boost - Dev mailing list
> -----Original Message-----
> From: Boost [mailto:[hidden email]] On Behalf Of Mateusz Loskot via Boost
> Sent: 24 May 2018 09:14
> To: [hidden email]
> Cc: Mateusz Loskot
> Subject: [boost] [windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?
>
> Hi,
>
> One user reported via #boost at cpplang.slack.com that
> Windows Defender reported a trojan in the latest Windows binaries.
> I checked myself and I can confirm that the latest up-to-date
> Windows Defender is detecting Vigorf.A in the installer archive.
>
> Is this a false report?

I suspect so - Norton regularly accuses my generated binaries of various infections, so I have had to stop it scanning the partition containing Boost (a good reason why a separate partition is a good idea, rather than stuffing it all in C:/boost/...).

We should get it whitelisted, but I doubt if that is practicable.

Paul

---
Paul A. Bristow
Prizet Farmhouse
Kendal UK LA8 8AB
+44 (0) 1539 561830


Re: [windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

Boost - Dev mailing list
On 24 May 2018 at 16:59, Paul A. Bristow via Boost
<[hidden email]> wrote:

>> -----Original Message-----
>> From: Boost [mailto:[hidden email]] On Behalf Of Mateusz Loskot via Boost
>> Sent: 24 May 2018 09:14
>> To: [hidden email]
>> Cc: Mateusz Loskot
>> Subject: [boost] [windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?
>>
>> Hi,
>>
>> One user reported via #boost at cpplang.slack.com that
>> Windows Defender reported a trojan in the latest Windows binaries.
>> I checked myself and I can confirm that the latest up-to-date
>> Windows Defender is detecting Vigorf.A in the installer archive.
>>
>> Is this a false report?
>
> I suspect so

OK

> - Norton regularly accuses my generated binaries of various infections so that I have had to
> stop it scanning the partition containing Boost
> (a good reason why a separate partition is a good idea - rather than stuffing it all in C:/boost/... ).

I apply a similar approach, having this special place excluded:
C:\Users\mateuszl\Downloads\_NoDefenderScansHere_

That's why I missed the issue until someone pointed it out on the #boost channel
and I checked it myself from a different location.


Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net


Re: [windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

Boost - Dev mailing list
On Thu, May 24, 2018 at 3:14 AM, Mateusz Loskot via Boost <
[hidden email]> wrote:

> Hi,
>
> One user reported via #boost at cpplang.slack.com that
> Windows Defender reported a trojan in the latest Windows binaries.
> I checked myself and I can confirm that the latest up-to-date
> Windows Defender is detecting Vigorf.A in the installer archive.
>
> Is this a false report?
>
> Best regards,
> --
> Mateusz Loskot, http://mateusz.loskot.net


Can you check the SHA-256 of the exe matches the one published and signed?

I believe it should be:
402d07022fe9671e401efc4e90a1ff25e1bc9e1c23b3d8b1c65e4a2e6799abfc
 boost_1_67_0-msvc-14.1-64.exe


But the real way to check is to download SHA256SUMS.asc [1], verify the
signature (it is signed by myself, "Thomas Kent <[hidden email]>"), then
use the verified SHA-256 checksum to ensure that the file hasn't been
modified on the server.

I had a pretty good chain of control from when the hash was computed until
it was signed, but it is possible some malicious hacker had infected my
system and modified the binaries in the few minutes before I ran the hash on
them... though I find that to be an *extremely* remote possibility. Nonetheless,
I think I'll update my build process to generate the hashes on
the machine (a clean VM created each time a build is run) that does the
build. I just need to get the sha tools onto Windows.

Tom

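The procedure Tom describes above (verify the signature on SHA256SUMS.asc, then compare the listed digest with the downloaded file) is worth having as a script rather than a hand-typed sha256sum call, because the checksum list is clearsigned and the file is tens of megabytes. The following is an added example, not code from the Boost thread or the Boost project. It shells out to `gpg --verify` for the signature step (the signer's key must already be in the local keyring, which this script does not arrange), parses sha256sum-format lines in both text-mode (`  `) and binary-mode (` *`) form while skipping the PGP armour around them, hashes the file in 1 MB chunks, and compares digests with a constant-time comparison. The sample list and payload at the top are constructed for the self-test; the Boost line in it is the digest posted in this thread, but no real installer is fetched or checked here.

```python
"""Added example (not from the Boost thread or project): verify a download
against a clearsigned SHA256SUMS.asc the way described above.
Usage: python verify_release.py SHA256SUMS.asc boost_1_67_0-msvc-14.1-64.exe
Without arguments it runs on the constructed sample below.
"""
import hashlib
import hmac
import io
import re
import subprocess
import sys

# GNU coreutils sha256sum format: 64 hex digits, a space, then either another
# space (text mode) or '*' (binary mode, as in the Git-for-Windows output
# posted later in this thread), then the file name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

# Constructed sample data: the payload is not a real installer and the
# signature block is omitted, so only the parsing and hashing steps run on it.
SAMPLE_PAYLOAD = b"constructed installer payload, not a real Boost binary\n"
_SAMPLE_LINES = [
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    "402d07022fe9671e401efc4e90a1ff25e1bc9e1c23b3d8b1c65e4a2e6799abfc *boost_1_67_0-msvc-14.1-64.exe",
    hashlib.sha256(SAMPLE_PAYLOAD).hexdigest() + "  sample-installer.exe",
    "-----BEGIN PGP SIGNATURE-----",
    "(signature block omitted in this constructed sample)",
    "-----END PGP SIGNATURE-----",
]
SAMPLE_SUMS = "\n".join(_SAMPLE_LINES) + "\n"


def gpg_verify_clearsigned(path: str) -> bool:
    """Step 1: check the clearsigned list with GnuPG. gpg exits non-zero on a
    bad or unknown signature; the signer's public key must already be imported."""
    result = subprocess.run(["gpg", "--verify", path], capture_output=True)
    return result.returncode == 0


def parse_sha256sums(text: str) -> dict:
    """Step 2: extract 'digest  name' entries, ignoring PGP armour and headers."""
    entries = {}
    for line in text.splitlines():
        m = _SUM_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_of(fileobj, chunk_size: int = 1 << 20) -> str:
    """Hash a large file without reading it into memory at once."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def verify_download(sums_text: str, name: str, fileobj) -> bool:
    """Step 3: compare the file's digest with the (already signature-checked)
    list entry. Raises KeyError if the list has no entry for this file name."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        raise KeyError("no checksum listed for %s" % name)
    return hmac.compare_digest(sha256_of(fileobj), expected)


def verify_bytes(sums_text: str, name: str, data: bytes) -> bool:
    """Convenience wrapper for in-memory data (used by the self-test)."""
    return verify_download(sums_text, name, io.BytesIO(data))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        sums_path, target = sys.argv[1], sys.argv[2]
        if not gpg_verify_clearsigned(sums_path):
            sys.exit("signature on %s did not verify; not trusting its hashes" % sums_path)
        with open(sums_path, encoding="utf-8", errors="replace") as f, open(target, "rb") as g:
            ok = verify_download(f.read(), target, g)
        print("OK" if ok else "MISMATCH", target)
        sys.exit(0 if ok else 1)
    else:
        print("sample:", verify_bytes(SAMPLE_SUMS, "sample-installer.exe", SAMPLE_PAYLOAD))
```

The order matters: a digest taken from a list whose signature was not checked only proves the file matches whatever is on the server, which is exactly the case Tom says the signature is there to rule out.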

Re: [windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

Boost - Dev mailing list
On 25 May 2018 at 13:32, Tom Kent via Boost <[hidden email]> wrote:

> On Thu, May 24, 2018 at 3:14 AM, Mateusz Loskot via Boost <[hidden email]> wrote:
>>
>> One user reported via #boost at cpplang.slack.com that
>> Windows Defender reported a trojan in the latest Windows binaries.
>> I checked myself and I can confirm that the latest up-to-date
>> Windows Defender is detecting Vigorf.A in the installer archive.
>>
>> Is this a false report?
>
> Can you check the SHA-256 of the exe matches the one published and signed?
>
> I believe it should be:
> 402d07022fe9671e401efc4e90a1ff25e1bc9e1c23b3d8b1c65e4a2e6799abfc
>  boost_1_67_0-msvc-14.1-64.exe

A quick checksum check suggests the file is fine:

"C:\Program Files\Git\usr\bin\sha256sum.exe" boost_1_67_0-msvc-14.1-64.exe
402d07022fe9671e401efc4e90a1ff25e1bc9e1c23b3d8b1c65e4a2e6799abfc
*boost_1_67_0-msvc-14.1-64.exe

Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net


Re: [windows] Win32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

Boost - Dev mailing list
Geert Martin Ijewski wrote:

> The VT Link checked the *URL* not the binary itself. As the executable is
> above 20MB there's no way (AFAIK) to let it be checked by VT.

We checked the file too:

https://www.virustotal.com/#/file/402d07022fe9671e401efc4e90a1ff25e1bc9e1c23b3d8b1c65e4a2e6799abfc/detection

