On 08/06/2011 09:37, Tim Ellison wrote:
Clinton,

Thanks for agreeing to move this conversation onto the developers' list.

I see where the difference has occurred.  I was testing the javaw.exe
contained in harmony-6.0-jdk-991881\jre\bin, and you were testing the
javaw.exe in harmony-6.0-jdk-991881\bin.

I had just spotted the same thing. The javaw.exe in jre/bin passes all tests. When I run the sdk/bin version of javaw through the online scanners I get the same failure results as Clinton. My local Symantec still gives it a clean scan.

I now get the same results as you from the on-line virus checkers.  My
local copy of Symantec considers it safe.

You can see the source for this file [1] is quite simple, though it is
creating a child process in a reasonably generic way that might be
suspicious to virus checkers.
I've also looked through the code and, as you say, it is fairly simple and innocuous, which leads me to believe this is a false positive likely triggered by the CreateProcess() call.


It would be helpful if other people could also check that this file is
safe and post their results here on the dev list.

Done, and agreed that it is safe.

If the realtime virus scanning keeps flagging this up on the students' computers and this becomes an inconvenience, a workaround would be to launch the javaw.exe in jre/bin instead. From our investigations, this should not trigger any detections.

Regards,
Oliver

[1]
http://svn.apache.org/viewvc/harmony/enhanced/java/trunk/jdktools/modules/samsa/src/main/native/samsa/windows/javaw.c?view=markup

Regards,
Tim


On 07/Jun/2011 23:06, Clinton Blackmore wrote:
Hi Tim.

Thank you for looking into this.  I must admit that I'm very surprised
that you get different results when scanning than I do.  It makes me
wonder if we are checking different versions.

I'm checking the latest stable release of the version 6 JDK, entitled
"Apache Harmony 6.0M3 JDK for 32-bit Windows".  I downloaded it most
recently through this URL and mirror:

http://apache.mirror.rafal.ca//harmony/milestones/6.0/M3/apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip

When I check, the zip file has the following checksums:
md5: c3173509225f982fd9f37534d3746362
sha1: b609375c7c6dc0d86931c091c1391cf7c7cdaef6

The Harmony download page lists them as:

c3173509225f982fd9f37534d3746362  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip

b609375c7c6dc0d86931c091c1391cf7c7cdaef6  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip

which match.



When extracted, a folder called harmony-6.0-jdk-991881 is created.
Within the bin directory is javaw.exe, with the following checksums:

md5: 7bb1c7fdf083d511eb4bc4937ab41733
sha1: 314ff2031a2da4bae8d188c20bf0f7e39eb3599f


I did try to check the most recent snapshot, but, while I see several
Harmony builds there, I do not see Harmony 1.6 for Windows, and was thus
unable to download and scan it.

I have attached pdf files with the test results that I get.  One of the
scanners provided a permanent link to the results:
http://virusscan.jotti.org/en/scanresult/b93c536dc68f1f67bbd14f9b43d9f747b1995459

If you could double-check that specific version of Harmony, I would
really appreciate it.  I don't understand how we could get different
results from the same scanners on the same files -- one expects virus
scanners to be deterministic : )


You have my permission to make all or parts of my comments in the
original note and follow-ups public.  I would be pleased to be able to
point people at a mailing list posting on the subject.

Thanks again for all your work on this project.  I'm grateful to be able
to stand on the shoulders of giants.

Cheers,
Clinton Blackmore

On Tue, Jun 7, 2011 at 3:08 PM, Tim Ellison <t.p.elli...@gmail.com> wrote:

     Clinton,

     Thanks again for taking the time to tell us about your experience with
     an antivirus program flagging a warning with 'javaw.exe'.

     A couple of us have double-checked the files in Apache Harmony's
     distribution, and we are happy that there are no viruses in the
     downloads available from the project.  I agree that it is most likely a
     false positive by a particular virus checker programme.

     Just so you know, we have checked the files with the on-line virus
     checkers you mention below, Symantec anti-virus, ClamAV, and Microsoft
     Security Essentials on Windows XP.  Even the on-line virus checkers
     report all clean, unlike your results.

     I'm happy to publish these scan results on the public Apache Harmony
     mailing list which will give you a link to share with any concerned
     users.  You should either post your original concern to
     dev@harmony.apache.org, or let me know that you are happy for me to
     make parts of your original note public.

     It's always great to hear from people who are using Apache Harmony in
     new and interesting ways.  Thanks again for getting in touch, and good
     luck with Enchanting.

     Regards,
     Tim



     On 07/Jun/2011 13:23, Tim Ellison wrote:
     >  Clinton,
     >
     >  Thank you for your note which has been passed to the Apache Harmony
     >  private mailing list as a potential security issue.
     >
     >  This is just a quick response to let you know it has been received
     >  safely and we are taking a look at it.
     >
     >  We'll be in touch shortly with a fuller reply to your observations.
     >
     >  Regards,
     >  Tim
     >
     >>  -------- Original Message --------
     >>  Subject: Some virus scanners flag javaw.exe as containing a Trojan
     >>  Date: Mon, 6 Jun 2011 08:32:09 -0600
     >>  From: Clinton Blackmore <clinton.blackm...@gmail.com>
     >>  To: secur...@apache.org
     >>
     >>  Greetings.
     >>
     >>  I don't think this is a security vulnerability per-se, but I figured
     >>  I would err on the side of caution.  If you would like me to contact
     >>  another mailing list or person, please refer me to them and I will be
     >>  happy to do so.  I did try general net searches and checked the bug
     >>  database and mailing lists before contacting you.
     >>
     >>  I am developing an application called Enchanting (
     >>  http://enchanting.robotclub.ab.ca/ ) to help kids program LEGO robots,
     >>  and am bundling Apache Harmony with the Windows version -- and I'm
     >>  grateful for the work of the Harmony team which gives me this option!
     >>  I installed it on one of my robotics student's computers, running
     >>  Windows XP, and his antiviral software flagged javaw.exe as containing
     >>  a trojan.  (I didn't take down the details).  I did double-check the
     >>  MD5 and SHA checksums of the release I am using -- Apache Harmony
     >>  6.0M3 JDK for 32-bit Windows -- and they match (and I also extracted
     >>  the zip file again and diffed it against the files I'm releasing, and
     >>  they match).
     >>
     >>  I believe the error is a false positive, especially after reading this
     >>  article from Sun/Oracle:
     >>  http://www.java.com/en/download/faq/Trojan3.uj.xml.  However, I'm
     >>  concerned by the remote possibility of a virus, I'd like to
     >>  be able to assure people that there is not a trojan (perhaps by
     >>  pointing them to an authoritative document that says so), and I wanted
     >>  to notify you.
     >>
     >>  I just tested the file using free online services that will scan a
     >>  file with multiple virus scanners.  (I don't have the scanner that my
     >>  student used).
     >>
     >>     - At http://virusscan.jotti.org/en , most virus scanners give it a
     >>     clean bill of health, but some identify it as containing:
     >>     Gen:Trojan.Heur.JP.amW@aOjomBc,  Gen.Trojan.Heur!IK,
     >>     Gen.Trojan.Heur, or TR/Spy.10240.116 (which I suspect are all
     >>     different names for the same thing).
     >>
     >>
     >>     - At http://www.virustotal.com/ , 3 of 47 virus scanners claim
     >>     javaw.exe contains Gen:Trojan.Heur.JP.amW@aOjomBc.
     >>
     >>
     >>  I certainly don't believe there is a virus, but I'd sure feel better
     >>  if I could tell people that that is the case.  I appreciate your time
     >>  looking into this.
     >>
     >>  Thank you,
     >>  Clinton Blackmore
     >>



--
Oliver Deakin
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
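
The different scan results in this thread came from two different files named javaw.exe in the same distribution (bin and jre/bin). The following is an added example, not part of the original messages or of Harmony's code: it hashes every file with a given name under an extracted tree and groups the paths by SHA-1, so people comparing scanner results can confirm they tested the same binary. The directory layout and file contents are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

def file_digests(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hex digest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def find_same_named(root, filename):
    """Map relative path -> digests for every file called `filename` under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == filename.lower():  # Windows names are case-insensitive
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = file_digests(full)
    return found

def distinct_binaries(found):
    """Group paths by SHA-1 so byte-identical copies collapse into one entry."""
    groups = {}
    for rel, digests in sorted(found.items()):
        groups.setdefault(digests["sha1"], []).append(rel)
    return groups

def build_constructed_tree(root):
    """Constructed stand-in for the extracted JDK: two different javaw.exe files."""
    layout = {"bin/javaw.exe": b"constructed launcher A",
              "jre/bin/javaw.exe": b"constructed launcher B",
              "jre/bin/java.exe": b"constructed other file"}
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        groups = distinct_binaries(find_same_named(tmp, "javaw.exe"))
        for sha1, paths in groups.items():
            print(sha1, ", ".join(paths))
```

More than one group in the output means the same file name covers different binaries, so a scan report should quote the path and hash of the file that was actually submitted.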
