My previous attempt to submit our code as a false positive disappeared into a 
black hole. I did get back a note saying it was acknowledged as a false 
positive and our user reports disappeared for a while. Unfortunately, it looks 
like they just hacked around the issue - the reports showed up again a few days 
ago.

The original goal was to figure out what in the code was tickling the signature 
to see if it was RPC-related (which might look malicious to some). When I got 
the signature down to a handful of byte strings that matched string operations, 
I just ended up shaking my head.

I found a technical support number that I can try calling and seeing if I can 
get escalated. If that doesn't work, it might be easier to submit a minimal, 
harmless testcase from those keywords as a false positive. :)

Matt.

On 2010-03-17, at 8:48 AM, Joel Webber wrote:

> This is Avira, isn't it? Did you ever hear anything back from them about 
> this? It seems like it really ought to be fixed on their end, though I 
> applaud your spelunking for a workaround :)
> 
> On Tue, Mar 16, 2010 at 3:08 PM, Matt Mastracci <matt...@mastracci.com> wrote:
> On Mar 16, 12:42 pm, Matt Mastracci <matt...@mastracci.com> wrote:
> 
> > > Holy cow -- how do they think that is an acceptable measure?  Surely they 
> > > could at least change the warning to say "potentially dangerous JS" or 
> > > something rather than declaring it a virus.
> 
> > This probably will likely affect a significant number of GWT applications that 
> > use RPC. Avira seems to check files ending in .js* and .html* for this 
> > pattern.  I verified that the scanner intercepts these patterns in HTTP 
> > traffic and detects them in IE cache files.  There might be some negative 
> > patterns as well: Avira doesn't block my message in the Google Groups web 
> > interface, but it does block it when viewing the raw message source.
> 
> Even better: it turns out that if you put the string "google" anywhere
> in the file matching CryptedGen, it no longer matches the heuristic. I
> imagine that it would pick up the string from the class metadata for
> those not using -XdisableClassMetadata.
> 
> So this is a virus:
> 
> "for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0"
> 
> And this is not:
> 
> "google for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0"
> 
> The easiest solution for us seems to be putting the string "Google Web
> Toolkit" in a comment in our header.
> 
> Matt.
> 
> --
> http://groups.google.com/group/Google-Web-Toolkit-Contributors
