Avira trojan warning

[Simn]

Email I received:

Hey folks of Haxe,
i just downloaded the latest haxe windows installer but suddenly avira told me, there would be a virus in it. Crypt.Xpack.81397 to be correct.
I then went to the irc and asked some beings there and they gave me a link to older builds to check them and on every installer i picked avira said the same virus would be on.

But the binaries seems to be fine for antvir.
Probably its an antivir issue, but neverthenless people may turn off if they encounter the same issue.

bye
chris

[andyli]

I've just submitted the 3.1.3 Windows installer to https://analysis.avira.com/en/submit

I wonder if we could sign the installer in some way as this antivirus issue comes up from time to time...

[waneck]

Last time I've contacted avira about these problems, they asked me to provide a screenshot from the user when it happened. It's pretty annoying.

[autonomnom]

here you go

[Simn]

Any news on this?

[andyli]

I haven't got any follow up from Avira.

According to VirusTotal, the haxe windows installer is not flagged as virus by Avira. But there are 3 other antivirus softwares do.

[ncannasse]

I think one possible cause for this is the way we build haxelib.exe, since we append the neko bytecode at the end of the executable it creates a binary that while perfectly correct might have its PE header not conformant to its actual size.

We could maybe try for the next release to ship a haxelib binary built with hxcpp

[Simn]

I don't feel brave enough to try that for 3.2, but we should look into this problem afterwards if it still exists.

[waneck]

I think there's a problem with haxelib selfupdate and running haxelib through haxe --run - that's why it's using the neko interface atm.

[ncannasse]

If you wish me to get a certificate so we can sign our installer, tell me.

[Simn]

I'm too stingy to suggest spending money on that. Let's just get big enough to the point where they can no longer ignore us. :)

[ncannasse]

@Simn sadly I don't think it will work

[ncannasse]

Even the bigger companies happen to be reported as false positive, hence the code signing (and it's not very expensive)

[bubblebenj]

It could also be that an included dll is seen as a treat.
Maybe sending the unziped installer to TotalVirus for instance could give some more clue on the actual issue.

[bubblebenj]

Throwing every file at VirusTotal, it found that haxesetup.exe is the treat (for 1 virus on 56 antivirus tested).
I also thrown every haxesetup files to it and none of them ring a bell. So I suppose the issue is in the way its packaged.

[ex]

Norton is flagging the latest haxelib with this virus: Heur.AdvML.B, pretty annoying

[andyli]

Was it the one bundled in haxe 3.3rc?
Would you help submit it to norton as false positive?

On Oct 24, 2016 11:18 PM, "Laurens Rodriguez" notifications@github.com
wrote:

Norton is flagging the latest haxelib with this virus: Heur.AdvML.B,
pretty annoying

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#77 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAGWKQ1N9gLXg-w9najVrqCGAU3210Izks5q3MwwgaJpZM4Cm4j3
.

[ex]

@andyli it was the latest build from github.
Yes I can submit it to Norton as a false positive, not sure if they would give me their attention, is there a procedure for this? Never reported something as false positive.

[andyli]

Just google "norton submit false positive" ;)

[ex]

I did this and they added the file to their whitelist, however I guess this needs to be done every time the file changes, Does haxelib.exe change so much?:

In relation to submission 7157.

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    File name: haxelib.exe
    MD5: feb000b3acc10089d14aa492e859b045
    SHA256: 495096afe96911fc577c4e1795c3a8eba390abefa3c406be5c003bdc68c0f376
    Note: Whitelisting is available by downloading a RAPID RELEASE indicated in the Further Information section below or via the next Live Update

Further Information:
Required RAPID RELEASE sequence >= 181376

The latest Rapid Release definition available here: ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rapidrelease
To check the current sequence number of the Rapid Release definition: http://www.symantec.com/security_response/definitions/rapidrelease
More information on Rapid Release definitions can be found: https://support.symantec.com/en_US/article.TECH103326.html

If detection persists, please contact support:
* Norton: https://support.norton.com/sp/en/us/home/current/info
* SEP: https://support.symantec.com/en_US/endpoint-protection.54619.html

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

If you are a software vendor and would like to upload your software for proactive whitelisting, please complete one of the following forms:
* If you are BCS customer: https://submit.symantec.com/whitelist/bcs
* Otherwise: https://submit.symantec.com/whitelist

For more information on best practices to reduce false positives:
http://www.symantec.com/content/en/us/enterprise/white_papers/b-to_increase_downloads-instill_trust_first_WP.en-us.pdf

[ibilon]

The haxelib.exe is different in each haxe release, so no not often ;)

[ibilon]

So what actions should we take?

Voting for the code signing,
it also makes it more professional looking when windows report that the exe wants administrator rights.

Would be nice to have this resolved for the stable release of 3.4.