Windows quarantines boost_1_68_0.7z
Quick note: it seems that Windows currently quarantines boost_1_68_0.7z. Could someone from Boost please contact Microsoft to whitelist it? Thanks, Miguel
On Tue, 11 Dec 2018 at 19:09, Miguel Ojeda via Boost
Quick note: it seems that Windows currently quarantines boost_1_68_0.7z. Could someone from Boost please contact Microsoft to whitelist it?
You can just create a "special" [trusted] download directory [file folder] and whitelist that folder in defender. It's probably a good idea to whitelist your build folders as well, so as to not have defender interfere [slow it down] with your build. degski -- *"If something cannot go on forever, it will stop" - Herbert Stein*
On Wed, Dec 12, 2018 at 5:44 AM degski
You can just create a "special" [trusted] download directory [file folder] and whitelist that folder in defender.
It's probably a good idea to whitelist your build folders as well, so as to not have defender interfere [slow it down] with your build.
I was not asking for solutions, but thank you! I thought dropping a quick message to document was a good idea :-) Cheers, Miguel
I was not asking for solutions, but thank you! I thought dropping a quick message to document was a good idea :-)
It seems to me rather unrealistic to ask MS to whitelist every trusted [by [by default] untrustworthy individuals] file existing on the internet. My guess is that the archive is [judged by defender] to be too large to be opened and scanned [it does seem to do that with smaller archives, as they, iff nothing nasty is inside, do pass] and therefore takes the safe route to judge it to be not-trusted. degski -- *"If something cannot go on forever, it will stop" - Herbert Stein*
The realistic thing to do is to somehow ask them which file in our archive is flagged so we can fix or remove it.
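One way to see what Defender actually reported for the archive before contacting Microsoft, as an added example that is not part of the thread (the archive path is assumed; run from an elevated PowerShell prompt on the machine that quarantined it):

```powershell
# Added example: list the detection(s) Defender recorded for a given archive,
# so a false-positive report can name the detection instead of guessing.
$archive = 'C:\Downloads\boost_1_68_0.7z'   # assumed location, adjust as needed

# Each detection carries a Resources array with strings such as
# 'file:_C:\Downloads\boost_1_68_0.7z', or 'containerfile:_...' when the
# hit was on a member inside an archive rather than the archive itself.
$hits = Get-MpThreatDetection | Where-Object {
    $_.Resources -match [regex]::Escape($archive)
}

if (-not $hits) {
    Write-Host "No Defender detection recorded for $archive"
    return
}

foreach ($hit in $hits) {
    # Resolve the numeric ThreatID to the catalogue entry (name, severity).
    $threat = Get-MpThreat -ThreatID $hit.ThreatID
    [pscustomobject]@{
        Detected   = $hit.InitialDetectionTime
        ThreatName = $threat.ThreatName
        Severity   = $threat.SeverityID
        Remediated = $hit.ActionSuccess
        Resources  = ($hit.Resources -join '; ')
    }
}
```

The ThreatName and the exact Resources string (which tells you whether the whole archive or one member was matched) are what a vendor needs to reproduce and clear a false positive.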
All batch files, I guess. Boost could use another extension (.bbat), as the approach to "dangerous" is rather simplistic. I still really doubt defender actually attempts to decompress an archive that spans 1.5GB disk space, though. And, as it doesn't seem to flag the .zip file [no reports from this], can it even open .7z files [license issues maybe] at all? I have turned defender off completely [easy] and run MalwareBytes on a regular basis instead [and image my system disk for backup]. Defender is useless [as in: doesn't find real threats, or even minor ones], comes up with many false positives and consumes [continuously] huge resources. degski -- *"If something cannot go on forever, it will stop" - Herbert Stein*
On Sat, Dec 15, 2018 at 8:21 AM degski via Boost
I have turned defender off completely [easy] and run MalwareBytes on a regular basis instead [and image my system disk for backup]. Defender is useless [as in: doesn't find real threats, or even minor ones], comes up with many false positives and consumes [continuously] huge resources.
That is not a realistic solution for many environments out there (e.g. company policy). Cheers, Miguel
On Sat, Dec 15, 2018 at 7:05 AM degski
It seems to me rather unrealistic to ask MS to whitelist every trusted [by [by default] untrustworthy individuals] file existing on the internet.
If you don't tell upstream (i.e. MS) about their bugs (i.e. false positives), they will have a harder time fixing them.
My guess is that the archive is [judged by defender] to be too large to be opened and scanned [it does seem to do that with smaller archives, as they, iff nothing nasty is inside, do pass] and therefore takes the safe route to judge it to be not-trusted.
I very much doubt any antivirus vendor simply flags every medium-sized file as a virus. That is simply broken logic. Cheers, Miguel
On 15/12/2018, Miguel Ojeda
I very much doubt any antivirus vendor simply flags every medium-sized file as a virus. That is simply broken logic.
If you have a better explanation, please do put that forward. The fact that this particular file gets flagged at all indicates that same broken logic. degski -- *"If something cannot go on forever, it will stop" - Herbert Stein*
On 15.12.2018 11:54, degski via Boost wrote:
If you have a better explanation, please do put that forward. The fact that this particular file gets flagged at all indicates that same broken logic.
It wouldn't surprise me if part of the 7z header plus some of the (essentially) random bytes of data after triggers it. We experience something like this rather frequently with the programming language at work, Delphi, which is also used by a lot of malware writers for the same reason we do: RAD. What happens is parts of the compiled standard library get used as a signature, causing a lot of false positives. - Asbjørn
On Sat, Dec 15, 2018 at 11:54 AM degski
If you have a better explanation, please do put that forward. The fact that this particular file gets flagged at all indicates that same broken logic.
No, it doesn't. Even if a particular antivirus doesn't support unpacking of some type of archive, that does not imply they simply flag it because it is too big. As Asbjørn said, it is likely it analyzes the archive as if it was a binary blob, searching for some patterns; and given that compression returns basically random data, there is a chance to hit some false positive. And yes, I expect antivirus vendors to whitelist "famous" files if they happen to hit a pattern. :) Cheers, Miguel
On Tue, Dec 11, 2018 at 6:09 PM Miguel Ojeda via Boost
Quick note: it seems that Windows currently quarantines boost_1_68_0.7z. Could someone from Boost please contact Microsoft to whitelist it?
1.69 is affected as well.. does the source variant contain binaries? -- Olaf
participants (5):
- Asbjørn
- degski
- Miguel Ojeda
- Olaf van der Spek
- Peter Dimov