Re: [gwt-contrib] Re: Avira and HTML/CryptedGen (again)

2010-03-17 Thread Joel Webber
This is Avira, isn't it? Did you ever hear anything back from them about
this? It seems like it really ought to be fixed on their end, though I
applaud your spelunking for a workaround :)

On Tue, Mar 16, 2010 at 3:08 PM, Matt Mastracci matt...@mastracci.com wrote:

 On Mar 16, 12:42 pm, Matt Mastracci matt...@mastracci.com wrote:

   Holy cow -- how do they think that is an acceptable measure?  Surely
 they could at least change the warning to say "potentially dangerous JS" or
 something rather than declaring it a virus.

  This probably will affect a significant number of GWT applications
 that use RPC. Avira seems to check files ending in .js* and .html* for this
 pattern.  I verified that the scanner intercepts these patterns in HTTP
 traffic and detects them in IE cache files.  There might be some negative
 patterns as well: Avira doesn't block my message in the Google Groups web
 interface, but it does block it when viewing the raw message source.

 Even better: it turns out that if you put the string "google" anywhere
 in the file matching CryptedGen, it no longer matches the heuristic. I
 imagine that it would pick up the string from the class metadata for
 those not using -XdisableClassMetadata.

 So this is a virus:

 for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0

 And this is not:

 google for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0

 The easiest solution for us seems to be putting the string "Google Web
 Toolkit" in a comment in our header.

 Matt.

 --
 http://groups.google.com/group/Google-Web-Toolkit-Contributors



Re: [gwt-contrib] Re: Avira and HTML/CryptedGen (again)

2010-03-17 Thread John Tamplin
On Wed, Mar 17, 2010 at 10:48 AM, Joel Webber j...@google.com wrote:

 This is Avira, isn't it? Did you ever hear anything back from them about
 this? It seems like it really ought to be fixed on their end, though I
 applaud your spelunking for a workaround :)


Well, they will have to change it anyway -- Matt just revealed that a JS
malware writer can avoid detection just by including "Google" in the JS file
:).

If they are going to change it anyway, they might as well change it to
something more reasonable.

If they don't, it seems likely their customers may stop using the product if
it is triggered on more and more AJAX sites.

-- 
John A. Tamplin
Software Engineer (GWT), Google


Re: [gwt-contrib] Re: Avira and HTML/CryptedGen (again)

2010-03-17 Thread Matt Mastracci
My previous attempt to submit our code as a false positive disappeared into a 
black hole. I did get back a note saying it was acknowledged as a false 
positive and our user reports disappeared for a while. Unfortunately, it looks 
like they just hacked around the issue - the reports showed up again a few days 
ago.

The original goal was to figure out what in the code was tickling the signature 
to see if it was RPC-related (which might look malicious to some). When I got 
the signature down to a handful of byte strings that matched string operations, 
I just ended up shaking my head.

I found a technical support number that I can try calling and seeing if I can 
get escalated. If that doesn't work, it might be easier to submit a minimal, 
harmless testcase from those keywords as a false positive. :)

Matt.

On 2010-03-17, at 8:48 AM, Joel Webber wrote:

 This is Avira, isn't it? Did you ever hear anything back from them about
 this? It seems like it really ought to be fixed on their end, though I 
 applaud your spelunking for a workaround :)
 
 On Tue, Mar 16, 2010 at 3:08 PM, Matt Mastracci matt...@mastracci.com wrote:
 On Mar 16, 12:42 pm, Matt Mastracci matt...@mastracci.com wrote:
 
   Holy cow -- how do they think that is an acceptable measure?  Surely they
   could at least change the warning to say "potentially dangerous JS" or
   something rather than declaring it a virus.
 
  This probably will affect a significant number of GWT applications that
  use RPC. Avira seems to check files ending in .js* and .html* for this
  pattern.  I verified that the scanner intercepts these patterns in HTTP 
  traffic and detects them in IE cache files.  There might be some negative 
  patterns as well: Avira doesn't block my message in the Google Groups web 
  interface, but it does block it when viewing the raw message source.
 
 Even better: it turns out that if you put the string "google" anywhere
 in the file matching CryptedGen, it no longer matches the heuristic. I
 imagine that it would pick up the string from the class metadata for
 those not using -XdisableClassMetadata.
 
 So this is a virus:
 
 for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0
 
 And this is not:
 
 google for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0
 
 The easiest solution for us seems to be putting the string "Google Web
 Toolkit" in a comment in our header.
 
 Matt.
 


Re: [gwt-contrib] Re: Avira and HTML/CryptedGen (again)

2010-03-17 Thread John Tamplin
On Wed, Mar 17, 2010 at 1:22 PM, Matt Mastracci matt...@mastracci.com wrote:

 I found a technical support number that I can try calling and seeing if I
 can get escalated. If that doesn't work, it might be easier to submit a
 minimal, harmless testcase from those keywords as a false positive. :)


Given their approach, that seems likely to get that exact source added to a
whitelist :).

-- 
John A. Tamplin
Software Engineer (GWT), Google


Re: [gwt-contrib] Re: Avira and HTML/CryptedGen (again)

2010-03-17 Thread Matt Mastracci
 
 I found a technical support number that I can try calling and seeing if I can 
 get escalated. If that doesn't work, it might be easier to submit a minimal, 
 harmless testcase from those keywords as a false positive. :)
 
 Given their approach, that seems likely to get that exact source added to a 
 whitelist :).


That might not be far from the truth. :)

I called their tech support line and left a message to be passed on to their 
technical team, but the tech's solution was "you'll have to submit your code
again every time it changes". He said he'd pass on the message, but wouldn't
guarantee that anyone would contact me with anything more than "use the false
positive form again".  Gah.

Matt.


Re: [gwt-contrib] Re: Avira and HTML/CryptedGen (again)

2010-03-17 Thread John Tamplin
On Wed, Mar 17, 2010 at 3:10 PM, Matt Mastracci matt...@mastracci.com wrote:

 I called their tech support line and left a message to be passed on to
 their technical team, but the tech's solution was "you'll have to submit
 your code again every time it changes". He said he'd pass on the message,
 but wouldn't guarantee that anyone would contact me with anything more than
 "use the false positive form again".  Gah.


Are you a customer or know someone who is?  If so, perhaps calling customer
support with "I am going to stop using this because of bogus false
positives" would get a better response.

-- 
John A. Tamplin
Software Engineer (GWT), Google


Re: [gwt-contrib] Re: Avira and HTML/CryptedGen (again)

2010-03-17 Thread Matt Mastracci
On 2010-03-17, at 1:15 PM, John Tamplin wrote:

 I called their tech support line and left a message to be passed on to their 
 technical team, but the tech's solution was "you'll have to submit your code
 again every time it changes". He said he'd pass on the message, but wouldn't
 guarantee that anyone would contact me with anything more than "use the false
 positive form again".  Gah.
 
 Are you a customer or know someone who is?  If so, perhaps calling customer 
 support with "I am going to stop using this because of bogus false positives"
 would get a better response.

Unfortunately not. I first heard about this company's anti-virus through some 
of our users (who are basically anonymous commenters on our Chrome extension 
page). I ran the heuristic tests against a trial version that I downloaded.

If anyone on this list is an Avira customer and wants to try contacting 
tech-support to help add some pressure, their USA toll-free number is: +1 888 
880 2925. 

cc'd dflorey, t.broyer and fatompa as three people who mentioned these false 
positives before and appear to be Avira customers (or know someone who is).

Matt.



[gwt-contrib] Re: Avira and HTML/CryptedGen (again)

2010-03-16 Thread Matt Mastracci
On Mar 16, 12:42 pm, Matt Mastracci matt...@mastracci.com wrote:

  Holy cow -- how do they think that is an acceptable measure?  Surely they
  could at least change the warning to say "potentially dangerous JS" or
  something rather than declaring it a virus.

 This probably will affect a significant number of GWT applications that
 use RPC. Avira seems to check files ending in .js* and .html* for this
 pattern.  I verified that the scanner intercepts these patterns in HTTP 
 traffic and detects them in IE cache files.  There might be some negative 
 patterns as well: Avira doesn't block my message in the Google Groups web 
 interface, but it does block it when viewing the raw message source.

Even better: it turns out that if you put the string "google" anywhere
in the file matching CryptedGen, it no longer matches the heuristic. I
imagine that it would pick up the string from the class metadata for
those not using -XdisableClassMetadata.

So this is a virus:

for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0

And this is not:

google for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0

The easiest solution for us seems to be putting the string "Google Web
Toolkit" in a comment in our header.

Matt.

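To make the token-bag behaviour Matt describes above concrete, here is an added Python model of the heuristic as reported in this thread; it is not Avira's code (the real signature logic is not public), the GWT-like snippet is constructed, and the case-insensitive matching and file-name filter are assumptions. It shows why benign compiled RPC code trips a signature built from a handful of common string-operation tokens:

```python
"""Model of the HTML/CryptedGen heuristic as Matt describes it in this thread.
Added example: this is NOT Avira's code (its real logic is not public); the
token list and the "google" negative pattern are the ones reported above,
the case-insensitive match and the file-name filter are assumptions."""

# Tokens Matt isolated. Real JS spells them .fromCharCode / .charCodeAt /
# Math.min, so a case-insensitive match is assumed.
TRIGGER_TOKENS = ("for", "eval", ".fromcharcode", ".charcodeat",
                  "math.min", "0,0,0,0,0,0")
NEGATIVE_TOKEN = "google"          # presence suppresses the detection
SCANNED_PREFIXES = ("js", "html")  # thread: files ending in .js* and .html*


def is_scanned(filename):
    """True if the extension is one the heuristic is reported to inspect."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return any(ext.startswith(p) for p in SCANNED_PREFIXES)


def missing_tokens(text):
    """Trigger tokens that are absent from text (empty tuple = all present)."""
    lower = text.lower()
    return tuple(t for t in TRIGGER_TOKENS if t not in lower)


def classify(filename, text):
    """Reproduce the reported behaviour: flagged only when the name is
    scanned, every trigger token is present and the negative token is not."""
    if not is_scanned(filename):
        return "not scanned"
    if missing_tokens(text):
        return "clean"
    if NEGATIVE_TOKEN in text.lower():
        return "clean (negative pattern)"
    return "HTML/CryptedGen"


# Constructed snippet in the style of compiled GWT RPC client code; it is
# benign but carries every token, which is the false positive in question.
BENIGN_GWT_LIKE = """
var table=[0,0,0,0,0,0];
function decode(s){var o='',i;for(i=0;i<Math.min(s.length,65536);i++)
{o+=String.fromCharCode(s.charCodeAt(i));}return eval('('+o+')');}
"""

if __name__ == "__main__":
    print(classify("app.nocache.js", BENIGN_GWT_LIKE))   # HTML/CryptedGen
    print(classify("styles.css", BENIGN_GWT_LIKE))       # not scanned
```

Running `missing_tokens` over a compiled module is the same spelunking Matt did by hand: it tells you which of the reported tokens your build actually contains before users report the false positive.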