TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1
Dear boost developers and/or release managers:
Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows binaries downloads page: https://dl.bintray.com/boostorg/release/1.67.0/binaries/
The file contains a Trojan, according to Windows Defender.
Screenshot: https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-26%2016_29_52-Win...
Someone should verify this & check the other pre-built binaries ASAP to reduce exposure.
Thank you & best regards
Read this thread
https://lists.boost.org/Archives/boost/2018/05/242200.php
It's always a good idea to search through the list archives first.
Mateusz Loskot, mateusz@loskot.net
(Sent from mobile)
On Fri, 27 Jul 2018, 00:08 Zipper Fish via Boost, <boost@lists.boost.org> wrote:
> Dear boost developers and/or release managers:
> Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows binaries downloads page: https://dl.bintray.com/boostorg/release/1.67.0/binaries/
> The file contains a Trojan, according to Windows Defender.
> Screenshot:
> https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-26%2016_29_52-Win...
> Someone should verify this & check the other pre-built binaries ASAP to reduce exposure.
> Thank you & best regards
_______________________________________________ Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
Thank you
Ok, I'll whitelist the file "boost_1_67_0-msvc-14.1-64.exe" with some trepidation and try installing.
I normally do search archives and Google extensively for code issues, but for a positive hit from a virus detector, it wasn't the first idea that popped into my head.
Just curious, why would a boost installer trigger virus detectors? Is the virus executable linked to a boost library?
On Thu, Jul 26, 2018 at 6:41 PM, Mateusz Loskot via Boost <boost@lists.boost.org> wrote:
> Read this thread https://lists.boost.org/Archives/boost/2018/05/242200.php
> It's always a good idea to search through the list archives first.
> Mateusz Loskot, mateusz@loskot.net (Sent from mobile)
> On Fri, 27 Jul 2018, 00:08 Zipper Fish via Boost, <boost@lists.boost.org> wrote:
> > Dear boost developers and/or release managers:
> > Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows binaries downloads page: https://dl.bintray.com/boostorg/release/1.67.0/binaries/
> > The file contains a Trojan, according to Windows Defender.
> > Screenshot:
> > https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-26%2016_29_52-Windows%20Defender%20Security%20Center.jpg
> > Someone should verify this & check the other pre-built binaries ASAP to reduce exposure.
> > Thank you & best regards
> -----Original Message-----
> From: Boost [mailto:boost-bounces@lists.boost.org] On Behalf Of Zipper Fish via Boost
> Sent: 27 July 2018 02:55
> To: boost@lists.boost.org
> Cc: Zipper Fish
> Subject: Re: [boost] TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1
> Thank you
> Ok, I'll whitelist the file "boost_1_67_0-msvc-14.1-64.exe" with some trepidation and try installing.
> I normally do search archives and Google extensively for code issues, but for a positive hit from a virus detector, it wasn't the first idea that popped into my head.
> Just curious, why would a boost installer trigger virus detectors? Is the virus executable linked to a boost library?
You could download and unzip the zipped version instead if that makes you feel better?
https://www.boost.org/users/download/
My experience is that several virus checkers intermittently but persistently find false positives in Boost libraries that I re-build; I have been reduced to placing them in a separate partition which is not virus checked.
(Since Microsoft use Boost internally, I am puzzled why this issue hasn't caused some liaison between the C++ users and the Defender team).
Don't panic!
Paul
--- Paul A. Bristow Prizet Farmhouse Kendal UK LA8 8AB +44 (0) 1539 561830
On 27 July 2018 at 11:19, Paul A. Bristow via Boost wrote:
> (Since Microsoft use Boost internally, I am puzzled why this issue hasn't caused some liaison between the C++ users and the Defender team).
Possibly becoz they, (the MS people) exclude their build directories (on some build server) from scanning by Defender in the settings of that server (if not turned off altogether), no need to create a partition.
degski
--
*"If something cannot go on forever, it will stop" - Herbert Stein*
Paul, I already feel good and am not panicking, but thank you for your concern :-)
I am interested in the Windows 3rd party binaries because I try to avoid building boost manually on Windows if at all possible. As you know, the Windows Zip file does not contain binaries for the non-header-only parts of boost.
I already gathered your strategy about using a separate partition to beat the virus checkers from the archive link that Mateusz shared.
As I wrote in my response to Mateusz, I am simply curious why a virus checker would flag a false positive in compiled boost libraries.
Is it because viruses use boost libraries? I've used quite a number of libraries over the years and none that I can recall had this issue. (If this is off topic, my apologies.)
Best regards
On Fri, Jul 27, 2018 at 4:19 AM, Paul A. Bristow via Boost <boost@lists.boost.org> wrote:
> You could download and unzip the zipped version instead if that makes you feel better?
> https://www.boost.org/users/download/
> My experience is that several virus checkers intermittently but persistently find false positives in Boost libraries that I re-build; I have been reduced to placing them in a separate partition which is not virus checked.
> (Since Microsoft use Boost internally, I am puzzled why this issue hasn't caused some liaison between the C++ users and the Defender team).
> Don't panic!
> Paul
> --- Paul A. Bristow Prizet Farmhouse Kendal UK LA8 8AB +44 (0) 1539 561830
On 27 July 2018 at 16:14, Zipper Fish via Boost wrote:
> Paul, I already feel good and am not panicking, but thank you for your concern :-)
As you could have seen in the archive, quite a lot of people have looked at it, and found it to be not a problem.
> I am interested in the Windows 3rd party binaries because I try to avoid building boost manually on Windows if at all possible. As you know, the Windows Zip file does not contain binaries for the non-header-only parts of boost.
You could use vcpkg and build boost (and many other libraries) without any fuss.
> I already gathered your strategy about using a separate partition to beat the virus checkers from the archive link that Mateusz shared.
You can add excluded paths to Defender (and other AV's), add the build directories as well, it will speed up your build.
> As I wrote in my response to Mateusz, I am simply curious why a virus checker would flag a false positive in compiled boost libraries.
It's an unsigned executable, the self extractor (tagged on at the end of the file) is possibly itself compressed. If that is done with upx, it will be flagged as a virus. There's an optimising exe compressor doing both 32- and 64-bit exe/dll's called mpress https://autohotkey.com/mpress/mpress_web.htm, this one will not get flagged (by my experience) ever.
> Is it because viruses use boost libraries? I've used quite a number of libraries over the years and none that I can recall had this issue. (If this is off topic, my apologies.)
Before doing anything, check the suspicious file with malwarebytes https://www.malwarebytes.com/premium/ (just use the free version), if it is a problem, mb is very likely to find it. If you dare (and are allowed, i.e. you don't work for the potus), use kaspersky https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool, it *will* find it (and remove).
degski
--
*"If something cannot go on forever, it will stop" - Herbert Stein*
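The three properties degski names in the message above (no signature, a possibly UPX-compressed self-extractor, data tagged on at the end of the file) can all be read from the PE headers without running the installer. The following is an added example, not part of the thread or of Boost; `triage_pe` and `build_sample` are hypothetical names, and the sample image is constructed for the demo.

```python
import struct

def triage_pe(data: bytes) -> dict:
    """Static header triage: certificate table, UPX section names, appended data."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                             # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)              # data directory array
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]      # NumberOfRvaAndSizes
    cert_off = cert_size = 0
    if n_dirs > 4:                                            # entry 4: certificate table
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 32)
    table = opt + opt_size                                    # section table
    names, raw_end = [], table + 40 * n_sec
    for i in range(n_sec):
        name, size, ptr = struct.unpack_from("<8s8xII", data, table + 40 * i)
        names.append(name.rstrip(b"\0").decode("ascii", "replace"))
        raw_end = max(raw_end, ptr + size)
    return {
        # Presence only: the signature itself is not validated here.
        "has_cert_table": cert_off != 0 and cert_size != 0,
        "upx_sections": [n for n in names if n.startswith("UPX")],
        # Bytes after the last section, excluding the certificate table.
        "overlay_bytes": max(0, len(data) - raw_end - cert_size),
    }

def build_sample(names, cert=b"", overlay=b""):
    """Constructed minimal PE32+ image for the demo; not a real installer."""
    hdr_end = 64 + 24 + 240 + 40 * len(names)
    opt = bytearray(240)                                      # 112 bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if cert:                                                  # table stored at end of file
        cert_off = hdr_end + 16 * len(names) + len(overlay)
        struct.pack_into("<II", opt, 144, cert_off, len(cert))
    out = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
    out += struct.pack("<HH12xHH", 0x8664, len(names), 240, 0x22) + bytes(opt)
    for i, n in enumerate(names):
        out += struct.pack("<8s8xII16x", n.encode(), 16, hdr_end + 16 * i)
    return out + bytes(16 * len(names)) + overlay + cert

if __name__ == "__main__":
    print(triage_pe(build_sample(["UPX0", "UPX1", ".rsrc"], overlay=bytes(100))))
```

A missing certificate table, `UPX`-named sections or a large overlay are the kind of static traits degski describes as drawing detections; none of them shows on its own that a file is malicious or clean.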
On 27 July 2018 at 03:55, Zipper Fish via Boost wrote:
> Just curious, why would a boost installer trigger virus detectors? Is the virus executable linked to a boost library?
No idea, sorry.
Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net
> -----Original Message-----
> From: Boost [mailto:boost-bounces@lists.boost.org] On Behalf Of Mateusz Loskot via Boost
> Sent: 27 July 2018 15:25
> To: boost@lists.boost.org
> Cc: Mateusz Loskot
> Subject: Re: [boost] TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1
> On 27 July 2018 at 03:55, Zipper Fish via Boost wrote:
> > Just curious, why would a boost installer trigger virus detectors? Is the virus executable linked to a boost library?
> No idea, sorry.
Nor me neither - virus checkers work in mysterious ways - and have always suffered from false positives.
Paul
On 07/27/18 17:35, Paul A. Bristow via Boost wrote:
> Nor me neither - virus checkers work in mysterious ways - and have always suffered from false positives.
Back in the 90s when I was working on virus checkers, they were scanning the executable for certain revealing code patterns. Back then, those patterns were found by human analysts. My guess is that these days the patterns are found automatically, and if a virus is written using Boost libraries then the virus checkers will likely detect patterns of Boost code as suspicious.
On 7/26/18 2:02 PM, Zipper Fish via Boost wrote:
> Dear boost developers and/or release managers:
> Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows binaries downloads page: https://dl.bintray.com/boostorg/release/1.67.0/binaries/
> The file contains a Trojan, according to Windows Defender.
> Screenshot: https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-26%2016_29_52-Win...
> Someone should verify this & check the other pre-built binaries ASAP to reduce exposure.
> Thank you & best regards
Why do we even bother distributing binaries any more. Boost is a source code product.
Robert Ramey
Thanks Robert
Have a great day
On Fri, Jul 27, 2018 at 10:02 AM, Robert Ramey via Boost <boost@lists.boost.org> wrote:
> Why do we even bother distributing binaries any more. Boost is a source code product.
> Robert Ramey
participants (6)
- Bjorn Reese
- degski
- Mateusz Loskot
- Paul A. Bristow
- Robert Ramey
- Zipper Fish