Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

On Thu, May 24, 2018 at 3:14 AM, Mateusz Loskot via Boost < boost@lists.boost.org> wrote:

Hi,

One user reported via #boost at cpplang.slack.com that Windows Defender reported trojan in the latest Windows binaries. I checked myself and I can confirm the latest up-to-date Windows Defender is detecting Vigorf.A in the installer archive.

Is this false report?

Best regards, -- Mateusz Loskot, http://mateusz.loskot.net

Can you check the SHA-256 of the exe matches the one published and signed? I believe it should be: 402d07022fe9671e401efc4e90a1ff25e1bc9e1c23b3d8b1c65e4a2e6799abfc boost_1_67_0-msvc-14.1-64.exe But the real way to check, is to download SHA256SUMS.asc [1], verify the signature (it is signed by myself, "Thomas Kent "), then use the verified SHA-256 checksum to ensure that the file hasn't been modified on the server. I had a pretty good chain of control from when the hash was computed until it was signed, but it is possible some malicious hacker had infected my system and modified the binaries in the few minutes before I ran the has on them....though I find that to be an *extremely* remote possibility. None the less, I think I'll update my build process to generate the hashes on the machine (a clean VM created each time a build is run) that does the build. I just need to get the sha tools onto windows. Tom