[tex-live] Virus alerts from TL2009 (again)
Peter Denisevich
pdenis2 at comcast.net
Fri Apr 9 04:15:32 CEST 2010
On March 3, 2010 Norbert Preining wrote:
> On Mi, 03 Mär 2010, Linda C M Gross wrote:
> > C:\texlive\2009\bin\win32\dviout.exe
> > C:\texlive\2009\bin\win32\psv.exe
> > C:\texlive\2009\bin\win32\texworks.exe
>
> If the files have the following md5sums:
> d132caed244851b1a944221921611235 dviout.exe
> 4ea3886315f590856e6d921c54aca0f2 psv.exe
> e9c1687a5375f6ad5b5e76172c46bf37 texworks.exe
> and sizes
> dviout.exe* 3584
> psv.exe* 13824
> texworks.exe* 178688
>
> then they don't have a virus, but your anti virus program is just reporting
> a false positive.
>
> I am quite sure that it is that way, meaning that this is a false
> positive. Detecting a virus is heuristics, and it seems it failed here.
>
> but you never know ;-)
>
> Best wishes
>
> Norbert
I, too, get alerts from Sophos and so I copied the Windows .exe's and .dlls to my Linux box and scanned them with 3 other AVs.
F-Prot found nothing, but ClamAV and AVG both reported the same files as Sophos: dviout.exe, psv.exe, and texworks.exe
It is somewhat disconcerting that 3 out of 4 antivirus scanners tested pick out the same 3 files. Are the scanners all using the same (false) signatures? [I would expect that would lead to patent/copyright problems...]
Details on my scans:
SophosAV: (on Win XP)
[General]
Endpoint security and control = 9
Current user rights = Sophos Administrator
[Anti-virus and HIPS]
-[ Software]
Sophos Anti-Virus 9.0.5
Release status Full
On-access status Enabled
Detection engine 3.6.0
Detection data 4.52G
Virus data date 4/5/2010
Items detected 1544100
Detection identities 171
HIPS rules version 3.2.0
HIPS configuration version 1.0.4
Last updated 4/8/2010 4:25:09 PM
Finds Malware/Virus
dviout.exe: Mal/Dorf-I
psv.exe: Mal/Dorf-I
texworks.exe: Mal/Dorf-I
------------------------------------------------------------------
(On Gentoo Linux):
ClamAV ClamAV 0.95.3/10716/Wed Apr 7 19:01:36 2010
dualxeon:~/tmp/tlwin$clamscan *|grep -v OK
./dviout.exe: Trojan.Dropper-3840 FOUND
./psv.exe: Trojan.Dropper-3840 FOUND
./texworks.exe: Trojan.Dropper-3840 FOUND
-----------------------------------------------------------
F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-44-10)
FRISK Software International (C) Copyright 1989-2007
Engine version: 4.4.4.56
Virus signatures: 2010040817367d38c25834848a2c65806ae6271f603c
dualxeon:~/tmp/tlwin$fpscan *
[finds nothing]
-------------------------------------------------------------------
AVG command line Anti-Virus scanner
Copyright (c) 2009 AVG Technologies CZ
Virus database version: 270.14.133/2612
Virus database release date: Sun, 10 Jan 2010 11:35:00 -08:00
dualxeon:~/tmp/tlwin$avgscan *
tlwin/dviout.exe Virus identified I-Worm/Nuwar.L
tlwin/psv.exe Virus identified I-Worm/Nuwar.L
tlwin/texworks.exe Virus identified I-Worm/Nuwar.L
---------------------------------------------------------------------
Maybe this is worth another look.
Thanks,
-Peter Denisevich
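
The comparison Norbert describes (md5sum plus size for the three flagged files), as an added example that is not part of the original messages: a Python check of a local copy against the values quoted above. The function names and the directory argument are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

# md5sums and sizes quoted from Norbert Preining's message above.
EXPECTED = {
    "dviout.exe": ("d132caed244851b1a944221921611235", 3584),
    "psv.exe": ("4ea3886315f590856e6d921c54aca0f2", 13824),
    "texworks.exe": ("e9c1687a5375f6ad5b5e76172c46bf37", 178688),
}


def md5_and_size(path, chunk=65536):
    """Hash the file in chunks; return (hex digest, byte count)."""
    digest, size = hashlib.md5(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
            size += len(block)
    return digest.hexdigest(), size


def check_dir(directory, expected=EXPECTED):
    """Return {name: status}; status is 'match', 'missing',
    'size-mismatch' or 'md5-mismatch'."""
    results = {}
    for name, (want_md5, want_size) in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        got_md5, got_size = md5_and_size(path)
        if got_size != want_size:
            results[name] = "size-mismatch"
        elif got_md5 != want_md5.lower():
            results[name] = "md5-mismatch"
        else:
            results[name] = "match"
    return results


if __name__ == "__main__":
    import sys
    # Directory argument is an assumption; defaults to the current directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    report = check_dir(target)
    for name, status in report.items():
        print(f"{name}: {status}")
    sys.exit(0 if all(s == "match" for s in report.values()) else 1)
```

A match shows that the local copies are byte-identical to the files Norbert checked; it does not by itself settle whether the scanners' detections of those distributed binaries are false positives.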