Re: Trojan horse in vimrun.exe ?

2013-08-13 Thread Tony Mechelynck

On 13/08/13 13:30, Joost Andrae wrote:
> Hi,
>
> I've re-built Vim 7.4 (32 bit) without using upx and suddenly the
> antivirus software doesn't quarantine the vimrun.exe file.

Good! It was a false alarm then.

> Unfortunately
> Cygwin's strip command doesn't strip much of the file size...


Well, what "strip" removes is usually just symbol tables and such, 
otherwise AFAIK it doesn't "compress" the executable. I hope you kept 
the unstripped binary too, it can be useful for debugging (if you crash 
with the unstripped executable, the debugger can get symbols from it).



Best regards,
Tony.
--
Nobody is one block of harmony.  We are all afraid of something, or feel
limited in something.  We all need somebody to talk to.  It would be good
if we talked to each other--not just pitter-patter, but real talk.  We
shouldn't be so afraid, because most people really like this contact;
that you show you are vulnerable makes them free to be vulnerable too.
It's so much easier to be together when we drop our masks.
-- Liv Ullman

--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups "vim_dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Re: Trojan horse in vimrun.exe ?

2013-08-13 Thread Joost Andrae

Hi,

I've re-built Vim 7.4 (32 bit) without using upx and suddenly the 
antivirus software doesn't quarantine the vimrun.exe file. Unfortunately 
Cygwin's strip command doesn't strip much of the file size...



>
> Do you still get the same error if you _don't_ pack the executables with
> upx? Packing executables is something which can be done with any
> program, good or bad, and if your antivirus software has imprecise
> signatures generated from the "packing software" part of a packed trojan
> executable, false alarms may result on legit software packed by the same
> means.
>


Thanks for your comment!

Kind regards, Joost





Re: Trojan horse in vimrun.exe ?

2013-08-13 Thread Joost Andrae

Hi Tony,

thank you very much for your reply.

>
> Do you still get the same error if you _don't_ pack the executables with
> upx? Packing executables is something which can be done with any
> program, good or bad, and if your antivirus software has imprecise
> signatures generated from the "packing software" part of a packed trojan
> executable, false alarms may result on legit software packed by the same
> means.
>

I expect it to be a false positive. I'll try to re-build it without 
using upx. Otherwise I could re-build it using GCC and afterwards strip 
the binaries within my Cygwin environment.


Kind regards, Joost



Re: Trojan horse in vimrun.exe ?

2013-08-12 Thread Tony Mechelynck

On 12/08/13 14:04, Joost Andrae wrote:
> Hi,
>
> I just hg cloned the 7.4 source tree and built it with MSVC 2010 Express
> on my Win 7 Pro 64 bit system. After successfully building and copying
> the files into a local directory as described in INSTALLpc.txt, then
> packing the binaries with upx (from sf.net) and starting the vim.exe
> (GUI+OLE built-in), suddenly my Norton Internet Security quarantined the
> file vimrun.exe because it thought it contained Suspicious.Mystic
>
> http://www.symantec.com/security_response/writeup.jsp?docid=2010-062900-4618-99&vid=42288&product=Norton%20Internet%20Security&version=20.4.0.40&plang=sym:GE&layouttype=Retail&buildname=Retail&heartbeatID=70E43493-C73E-4541-AE4D-794AC87FEADD&env=prod&vendorid=1002400&plid=2&plgid=2&skup=21261306&skum=21234392&skuf=21228658&endpointid={70E43493-C73E-4541-AE4D-794AC87FEADD}&partnerid=1002400&lic_type=2&lic_attr=21124114&psn=987DM6RRK9QW&osvers=6.1&oslocale=iso:DEU&oslang=iso:GER&os=windows
>
> I'm not subscribed to this list. I've posted via Gmane to let you know...
>
> Kind regards, Joost



Do you still get the same error if you _don't_ pack the executables with 
upx? Packing executables is something which can be done with any 
program, good or bad, and if your antivirus software has imprecise 
signatures generated from the "packing software" part of a packed trojan 
executable, false alarms may result on legit software packed by the same 
means.



Best regards,
Tony.
--
Coward, n.:
One who in a perilous emergency thinks with his legs.
-- Ambrose Bierce, "The Devil's Dictionary"
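The packer-versus-signature point Tony raises above is something a defender can triage by looking at the binary itself rather than trusting the AV verdict. The following is an added example, not code from the thread or from the Vim project: a dependency-free Python check that walks a PE file's section table, flags the UPX section names a UPX-packed build carries, and reports sections whose byte entropy looks compressed. The sample image is constructed inline and all function names are my own.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 means compressed/encrypted data, near 0 means filler."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section header of a PE image."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        hdr = image[sec_off + 40 * i: sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr: raw_ptr + raw_size]

def packer_report(image: bytes) -> dict:
    """Summarise the two signals an analyst checks before calling a packer false positive."""
    sections = list(pe_sections(image))
    return {
        "sections": [n for n, _ in sections],
        "upx_sections": any(n.startswith("UPX") for n, _ in sections),
        "high_entropy": [n for n, d in sections if shannon_entropy(d) > 7.0],
    }

def build_sample(section_specs) -> bytes:
    """Constructed minimal PE-like image for the demo; not a runnable executable."""
    pe_off, nsec = 0x40, len(section_specs)
    data_off = pe_off + 24 + 40 * nsec          # optional header omitted (size 0)
    hdrs, body = b"", b""
    for name, data in section_specs:
        hdrs += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), data_off + len(body)) + b"\0" * 16
        body += data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0)
    return dos + coff + hdrs + body

if __name__ == "__main__":
    packed = build_sample([(b"UPX0", bytes(range(256)) * 4), (b".rsrc", b"\x90" * 200)])
    print(packer_report(packed))
```

On a real build, pass `open("vimrun.exe", "rb").read()` to `packer_report`; UPX section names together with near-8.0 entropy are exactly the profile that generic "packed trojan" signatures tend to match.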



Trojan horse in vimrun.exe ?

2013-08-12 Thread Joost Andrae

Hi,

I just hg cloned the 7.4 source tree and built it with MSVC 2010 Express 
on my Win 7 Pro 64 bit system. After successfully building and copying 
the files into a local directory as described in INSTALLpc.txt, then 
packing the binaries with upx (from sf.net) and starting the vim.exe 
(GUI+OLE built-in), suddenly my Norton Internet Security quarantined the 
file vimrun.exe because it thought it contained Suspicious.Mystic


http://www.symantec.com/security_response/writeup.jsp?docid=2010-062900-4618-99&vid=42288&product=Norton%20Internet%20Security&version=20.4.0.40&plang=sym:GE&layouttype=Retail&buildname=Retail&heartbeatID=70E43493-C73E-4541-AE4D-794AC87FEADD&env=prod&vendorid=1002400&plid=2&plgid=2&skup=21261306&skum=21234392&skuf=21228658&endpointid={70E43493-C73E-4541-AE4D-794AC87FEADD}&partnerid=1002400&lic_type=2&lic_attr=21124114&psn=987DM6RRK9QW&osvers=6.1&oslocale=iso:DEU&oslang=iso:GER&os=windows

I'm not subscribed to this list. I've posted via Gmane to let you know...

Kind regards, Joost
