Yes, I agree, the source for that file is fairly simple. If I understand it correctly, it is used for both versions of javaw.exe, so it surprises me that one gets flags as a virus and the other does not.
I have, in fact, implemented a workaround much like Oliver suggested -- I'm not including bin/javaw.exe with my project, and it runs and doesn't set off any virus scanners. I wish I had some suggestions. When Sun had a problem like this<http://www.java.com/en/download/faq/Trojan3.uj.xml>, it appears that they contacted the antiviral vendors and got them to update their filters. This sounds like the proper "fix", as your code is not broken; I wonder how difficult it would be to do. Thanks again for looking into this. Cheers, Clinton On Wed, Jun 8, 2011 at 2:37 AM, Tim Ellison <t.p.elli...@gmail.com> wrote: > Clinton, > > Thanks for agreeing to move this conversation onto the developers' list. > > I see where the difference has occurred. I was testing the javaw.exe > contained in harmony-6.0-jdk-991881\jre\bin, and you were testing the > javaw.exe in harmony-6.0-jdk-991881\bin. > > I now get the same results as you from the on-line virus checkers. My > local copy of Symantec considers it safe. > > You can see the source for this file [1] is quite simple, though it is > creating a child process in a reasonably generic way that might be > suspicious to virus checkers. > > It would be helpful if other people could also check that this file is > safe and post their results here on the dev list. > > [1] > > http://svn.apache.org/viewvc/harmony/enhanced/java/trunk/jdktools/modules/samsa/src/main/native/samsa/windows/javaw.c?view=markup > > Regards, > Tim > > > On 07/Jun/2011 23:06, Clinton Blackmore wrote: > > Hi Tim. > > > > Thank you for looking into this. I must admit that I'm very surprised > > that you get different results when scanning than I do. It makes me > > wonder if we are checking different versions. > > > > I'm checking the latest stable release of the version 6 JDK, entitled > > "Apache Harmony 6.0M3 JDK for 32-bit Windows". I downloaded it most > > recently through this URL and mirror: > > > > > http://apache.mirror.rafal.ca//harmony/milestones/6.0/M3/apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip > > > > When I check, the zip file has the following checksums: > > md5: c3173509225f982fd9f37534d3746362 > > sha1: b609375c7c6dc0d86931c091c1391cf7c7cdaef6 > > > > The Harmony download page lists them as: > > > > c3173509225f982fd9f37534d3746362 > apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip > > > > b609375c7c6dc0d86931c091c1391cf7c7cdaef6 > apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip > > > > which match. > > > > > > > > When extracted, a folder called harmony-6.0-jdk-991881 is created. > > Within the bin directory is javaw.exe, with the following checksums: > > > > md5: 7bb1c7fdf083d511eb4bc4937ab41733 > > sha1: 314ff2031a2da4bae8d188c20bf0f7e39eb3599f > > > > > > I did try to check the most recent snapshot, but, while I see several > > Harmony builds there, I do not see Harmony 1.6 for Windows, and was thus > > unable to download and scan it. > > > > I have attached pdf files with the test results that I get. One of the > > scanners provided a permanent link to the results: > > > http://virusscan.jotti.org/en/scanresult/b93c536dc68f1f67bbd14f9b43d9f747b1995459 > > > > If you could double-check that specific version of Harmony, I would > > really appreciate it. I don't understand how we could get different > > results from the same scanners on the same files -- one expects virus > > scanners to be deterministic : ) > > > > > > You have my permission to make all or parts of my comments in the > > original note and follow-ups public. I would be pleased to be able to > > point people at a mailing list posting on the subject. > > > > Thanks again for all your work on this project. I'm grateful to be able > > to stand on the shoulders of giants. > > > > Cheers, > > Clinton Blackmore > > > > On Tue, Jun 7, 2011 at 3:08 PM, Tim Ellison <t.p.elli...@gmail.com > > <mailto:t.p.elli...@gmail.com>> wrote: > > > > Clinton, > > > > Thanks again for taking the time to tell us about your experience > with > > an antivirus program flagging a warning with 'javaw.exe'. > > > > A couple of us have double-checked the files in Apache Harmony's > > distribution, and we are happy that there are no viruses in the > > downloads available from the project. I agree that it is most likely > a > > false positive by a particular virus checker programme. > > > > Just so you know, we have checked the files with the on-line virus > > checkers you mention below, Symantec anti-virus, ClamAV, and > Microsoft > > Security Essentials on Windows XP. Even the on-line virus checkers > > report all clean, unlike your results. > > > > I'm happy to publish these scan results on the public Apache Harmony > > mailing list which will give you a link to share with any concerned > > users. You should either post your original concern to > > dev@harmony.apache.org <mailto:dev@harmony.apache.org>, or let me > > know that you are happy for me to make > > parts of your original note public. > > > > It's always great to hear from people who are using Apache Harmony in > > new and interesting ways. Thanks again for getting in touch, and > good > > luck with Enchanting. > > > > Regards, > > Tim > > > > > > > > On 07/Jun/2011 13:23, Tim Ellison wrote: > > > Clinton, > > > > > > Thank you for your note which has been passed to the Apache Harmony > > > private mailing list as a potential security issue. > > > > > > This is just a quick response to let you know it has been received > > > safely and we are taking a look at it. > > > > > > We'll be in touch shortly with a fuller reply to your observations. > > > > > > Regards, > > > Tim > > > > > >> -------- Original Message -------- > > >> Subject: Some virus scanners flag javaw.exe as containing a Trojan > > >> Date: Mon, 6 Jun 2011 08:32:09 -0600 > > >> From: Clinton Blackmore <clinton.blackm...@gmail.com > > <mailto:clinton.blackm...@gmail.com>> > > >> To: secur...@apache.org <mailto:secur...@apache.org> > > >> > > >> Greetings. > > >> > > >> I don't think this is a security vulnerability per-se, but I > > figured I would > > >> err on the side of caution. If you would like me to contact > > another mailing > > >> list or person, please refer me to them and I will be happy to do > > so. I did > > >> try general net searches and checked the bug database and mailing > > lists > > >> before contacting you. > > >> > > >> I am developing an application called Enchanting ( > > >> http://enchanting.robotclub.ab.ca/ ) to help kids program LEGO > > robots, and > > >> am bundling Apache Harmony with the Windows version -- and I'm > > grateful for > > >> the work of the Harmony team which gives me this option! I > > installed it on > > >> one of my robotics student's computers, running Windows XP, and > his > > >> antiviral software flagged javaw.exe as containing a trojan. (I > > didn't take > > >> down the details). I did double-check the MD5 and SHA checksums > > of the > > >> release I am using -- Apache Harmony 6.0M3 JDK for 32-bit Windows > > -- and > > >> they match (and I also extracted the zip file again and diffed it > > against > > >> the files I'm releasing, and they match). > > >> > > >> I believe the error is a false positive, especially after reading > > this > > >> article from Sun/Oracle: > > >> http://www.java.com/en/download/faq/Trojan3.uj.xml. However, I'm > > >> concerned by the remote possibility of a virus, I'd like to > > >> be able to assure people that there is not a trojan (perhaps by > > pointing > > >> them to an authoritative document that says so), and I wanted to > > notify you. > > >> > > >> I just tested the file using free online services that will scan > > a file with > > >> multiple virus scanners. (I don't have the scanner that my > > student used). > > >> > > >> - At http://virusscan.jotti.org/en , most virus scanners give > > it a clean > > >> bill of heath, but some identify it as containing: > > >> Gen:Trojan.Heur.JP.amW@aOjomBc, Gen.Trojan.Heur!IK, > > Gen.Trojan.Heur, or > > >> TR/Spy.10240.116 (which I suspect are all different names for > > the same > > >> thing). > > >> > > >> > > >> - At http://www.virustotal.com/ , 3 of 47 virus scanners claim > > javaw.exe > > >> contains Gen:Trojan.Heur.JP.amW@aOjomBc. > > >> > > >> > > >> I certainly don't believe there is a virus, but I'd sure feel > > better if I > > >> could tell people that that is the case. I appreciate your time > > looking > > >> into this. > > >> > > >> Thank you, > > >> Clinton Blackmore > > >> > > > > >
