|
|
Boost : |
Subject: Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?
From: Tom Kent (lists_at_[hidden])
Date: 2018-05-25 11:32:49
On Thu, May 24, 2018 at 3:14 AM, Mateusz Loskot via Boost <
boost_at_[hidden]> wrote:
> Hi,
>
> One user reported via #boost at cpplang.slack.com that
> Windows Defender reported trojan in the latest Windows binaries.
> I checked myself and I can confirm the latest up-to-date
> Windows Defender is detecting Vigorf.A in the installer archive.
>
> Is this false report?
>
> Best regards,
> --
> Mateusz Loskot, http://mateusz.loskot.net
Can you check the SHA-256 of the exe matches the one published and signed?
I believe it should be:
402d07022fe9671e401efc4e90a1ff25e1bc9e1c23b3d8b1c65e4a2e6799abfc
boost_1_67_0-msvc-14.1-64.exe
But the real way to check, is to download SHA256SUMS.asc [1], verify the
signature (it is signed by myself, "Thomas Kent <teeks99_at_[hidden]>"), then
use the verified SHA-256 checksum to ensure that the file hasn't been
modified on the server.
I had a pretty good chain of control from when the hash was computed until
it was signed, but it is possible some malicious hacker had infected my
system and modified the binaries in the few minutes before I ran the has on
them....though I find that to be an *extremely* remote possibility. None
the less, I think I'll update my build process to generate the hashes on
the machine (a clean VM created each time a build is run) that does the
build. I just need to get the sha tools onto windows.
Tom
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk