The scanner may have a whitelist for a particular path which might be the difference between the two.
Alex

Sent from my (old) iPhone

On 9 Jun 2011, at 02:46, Clinton Blackmore <clinton.blackm...@gmail.com> wrote:

> Yes, I agree, the source for that file is fairly simple. If I understand it
> correctly, it is used for both versions of javaw.exe, so it surprises me
> that one gets flagged as a virus and the other does not.
>
> I have, in fact, implemented a workaround much like Oliver suggested -- I'm
> not including bin/javaw.exe with my project, and it runs and doesn't set off
> any virus scanners.
>
> I wish I had some suggestions. When Sun had a problem like
> this <http://www.java.com/en/download/faq/Trojan3.uj.xml>,
> it appears that they contacted the antiviral vendors and got them to update
> their filters. This sounds like the proper "fix", as your code is not
> broken; I wonder how difficult it would be to do.
>
> Thanks again for looking into this.
>
> Cheers,
> Clinton
>
> On Wed, Jun 8, 2011 at 2:37 AM, Tim Ellison <t.p.elli...@gmail.com> wrote:
>
>> Clinton,
>>
>> Thanks for agreeing to move this conversation onto the developers' list.
>>
>> I see where the difference has occurred. I was testing the javaw.exe
>> contained in harmony-6.0-jdk-991881\jre\bin, and you were testing the
>> javaw.exe in harmony-6.0-jdk-991881\bin.
>>
>> I now get the same results as you from the on-line virus checkers. My
>> local copy of Symantec considers it safe.
>>
>> You can see the source for this file [1] is quite simple, though it is
>> creating a child process in a reasonably generic way that might be
>> suspicious to virus checkers.
>>
>> It would be helpful if other people could also check that this file is
>> safe and post their results here on the dev list.
>>
>> [1] http://svn.apache.org/viewvc/harmony/enhanced/java/trunk/jdktools/modules/samsa/src/main/native/samsa/windows/javaw.c?view=markup
>>
>> Regards,
>> Tim
>>
>> On 07/Jun/2011 23:06, Clinton Blackmore wrote:
>>> Hi Tim.
>>>
>>> Thank you for looking into this.
>>> I must admit that I'm very surprised
>>> that you get different results when scanning than I do. It makes me
>>> wonder if we are checking different versions.
>>>
>>> I'm checking the latest stable release of the version 6 JDK, entitled
>>> "Apache Harmony 6.0M3 JDK for 32-bit Windows". I downloaded it most
>>> recently through this URL and mirror:
>>>
>>> http://apache.mirror.rafal.ca//harmony/milestones/6.0/M3/apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
>>>
>>> When I check, the zip file has the following checksums:
>>> md5: c3173509225f982fd9f37534d3746362
>>> sha1: b609375c7c6dc0d86931c091c1391cf7c7cdaef6
>>>
>>> The Harmony download page lists them as:
>>>
>>> c3173509225f982fd9f37534d3746362  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
>>>
>>> b609375c7c6dc0d86931c091c1391cf7c7cdaef6  apache-harmony-6.0-jdk-r991881-windows-x86-snapshot.zip
>>>
>>> which match.
>>>
>>> When extracted, a folder called harmony-6.0-jdk-991881 is created.
>>> Within the bin directory is javaw.exe, with the following checksums:
>>>
>>> md5: 7bb1c7fdf083d511eb4bc4937ab41733
>>> sha1: 314ff2031a2da4bae8d188c20bf0f7e39eb3599f
>>>
>>> I did try to check the most recent snapshot, but, while I see several
>>> Harmony builds there, I do not see Harmony 1.6 for Windows, and was thus
>>> unable to download and scan it.
>>>
>>> I have attached pdf files with the test results that I get. One of the
>>> scanners provided a permanent link to the results:
>>>
>>> http://virusscan.jotti.org/en/scanresult/b93c536dc68f1f67bbd14f9b43d9f747b1995459
>>>
>>> If you could double-check that specific version of Harmony, I would
>>> really appreciate it. I don't understand how we could get different
>>> results from the same scanners on the same files -- one expects virus
>>> scanners to be deterministic : )
>>>
>>> You have my permission to make all or parts of my comments in the
>>> original note and follow-ups public.
>>> I would be pleased to be able to
>>> point people at a mailing list posting on the subject.
>>>
>>> Thanks again for all your work on this project. I'm grateful to be able
>>> to stand on the shoulders of giants.
>>>
>>> Cheers,
>>> Clinton Blackmore
>>>
>>> On Tue, Jun 7, 2011 at 3:08 PM, Tim Ellison <t.p.elli...@gmail.com> wrote:
>>>
>>> Clinton,
>>>
>>> Thanks again for taking the time to tell us about your experience with
>>> an antivirus program flagging a warning with 'javaw.exe'.
>>>
>>> A couple of us have double-checked the files in Apache Harmony's
>>> distribution, and we are happy that there are no viruses in the
>>> downloads available from the project. I agree that it is most likely a
>>> false positive by a particular virus checker programme.
>>>
>>> Just so you know, we have checked the files with the on-line virus
>>> checkers you mention below, Symantec anti-virus, ClamAV, and Microsoft
>>> Security Essentials on Windows XP. Even the on-line virus checkers
>>> report all clean, unlike your results.
>>>
>>> I'm happy to publish these scan results on the public Apache Harmony
>>> mailing list which will give you a link to share with any concerned
>>> users. You should either post your original concern to
>>> dev@harmony.apache.org, or let me know that you are happy for me to make
>>> parts of your original note public.
>>>
>>> It's always great to hear from people who are using Apache Harmony in
>>> new and interesting ways. Thanks again for getting in touch, and good
>>> luck with Enchanting.
>>>
>>> Regards,
>>> Tim
>>>
>>> On 07/Jun/2011 13:23, Tim Ellison wrote:
>>>> Clinton,
>>>>
>>>> Thank you for your note which has been passed to the Apache Harmony
>>>> private mailing list as a potential security issue.
>>>>
>>>> This is just a quick response to let you know it has been received
>>>> safely and we are taking a look at it.
>>>>
>>>> We'll be in touch shortly with a fuller reply to your observations.
>>>>
>>>> Regards,
>>>> Tim
>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Some virus scanners flag javaw.exe as containing a Trojan
>>>>> Date: Mon, 6 Jun 2011 08:32:09 -0600
>>>>> From: Clinton Blackmore <clinton.blackm...@gmail.com>
>>>>> To: secur...@apache.org
>>>>>
>>>>> Greetings.
>>>>>
>>>>> I don't think this is a security vulnerability per-se, but I figured I would
>>>>> err on the side of caution. If you would like me to contact another mailing
>>>>> list or person, please refer me to them and I will be happy to do so. I did
>>>>> try general net searches and checked the bug database and mailing lists
>>>>> before contacting you.
>>>>>
>>>>> I am developing an application called Enchanting (
>>>>> http://enchanting.robotclub.ab.ca/ ) to help kids program LEGO robots, and
>>>>> am bundling Apache Harmony with the Windows version -- and I'm grateful for
>>>>> the work of the Harmony team which gives me this option! I installed it on
>>>>> one of my robotics student's computers, running Windows XP, and his
>>>>> antiviral software flagged javaw.exe as containing a trojan. (I didn't take
>>>>> down the details). I did double-check the MD5 and SHA checksums of the
>>>>> release I am using -- Apache Harmony 6.0M3 JDK for 32-bit Windows -- and
>>>>> they match (and I also extracted the zip file again and diffed it against
>>>>> the files I'm releasing, and they match).
>>>>>
>>>>> I believe the error is a false positive, especially after reading this
>>>>> article from Sun/Oracle:
>>>>> http://www.java.com/en/download/faq/Trojan3.uj.xml.
>>>>> However, I'm
>>>>> concerned by the remote possibility of a virus, I'd like to
>>>>> be able to assure people that there is not a trojan (perhaps by pointing
>>>>> them to an authoritative document that says so), and I wanted to notify you.
>>>>>
>>>>> I just tested the file using free online services that will scan a file with
>>>>> multiple virus scanners. (I don't have the scanner that my student used).
>>>>>
>>>>> - At http://virusscan.jotti.org/en , most virus scanners give it a clean
>>>>>   bill of health, but some identify it as containing:
>>>>>   Gen:Trojan.Heur.JP.amW@aOjomBc, Gen.Trojan.Heur!IK, Gen.Trojan.Heur, or
>>>>>   TR/Spy.10240.116 (which I suspect are all different names for the same
>>>>>   thing).
>>>>>
>>>>> - At http://www.virustotal.com/ , 3 of 47 virus scanners claim javaw.exe
>>>>>   contains Gen:Trojan.Heur.JP.amW@aOjomBc.
>>>>>
>>>>> I certainly don't believe there is a virus, but I'd sure feel better if I
>>>>> could tell people that that is the case. I appreciate your time looking
>>>>> into this.
>>>>>
>>>>> Thank you,
>>>>> Clinton Blackmore
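
The differing scan results in this thread came from two files both named javaw.exe (one in bin, one in jre\bin) being scanned as if they were the same file. As an added example (not part of the original thread and not Apache Harmony code), the Python below hashes every copy of a named file under an extracted tree and groups the paths by digest, so a scan report can cite the exact path and hash it refers to. The tree and file contents built in `demo()` are constructed and say nothing about the real binaries.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def file_digests(path, algorithms=("md5", "sha1", "sha256")):
    """Stream a file once and return its hex digest for each algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def same_name_variants(root, filename):
    """Group every copy of `filename` under `root` by SHA-256 digest.

    One group: all copies are byte-identical, so differing verdicts must
    come from something else (for example path-based handling in the
    scanner). Several groups: the copies are distinct binaries and each
    needs its own scan result.
    """
    groups = defaultdict(list)
    for path in sorted(Path(root).rglob(filename)):
        digest = file_digests(path, ("sha256",))["sha256"]
        groups[digest].append(path.relative_to(root).as_posix())
    return dict(groups)


def demo():
    # Constructed stand-in for an extracted distribution: two launchers
    # with the same name but different bytes (assumption for illustration).
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "jre" / "bin").mkdir(parents=True)
        (root / "bin" / "javaw.exe").write_bytes(b"constructed launcher A")
        (root / "jre" / "bin" / "javaw.exe").write_bytes(b"constructed launcher B")
        return same_name_variants(root, "javaw.exe")


if __name__ == "__main__":
    for digest, paths in demo().items():
        print(digest, paths)
```

`file_digests` with `("md5", "sha1")` produces the two checksum types quoted in the thread, so its output can be compared directly against a published checksum list.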