Subject: Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?
From: Geert Martin Ijewski (gm.ijewski_at_[hidden])
Date: 2018-05-24 09:59:26
The VT Link checked the *URL* not the binary itself. As the executable
is above 20MB there's no way (AFAIK) to let it be checked by VT.
Vigorf.A is a "generic" detection which basically means that it
classifies the program as malicious based on behaviour or other
heuristics --- thus there often is no definitive single thing that
causes the detection, it's a combination of many small factors. After
taking a quick look at the executable possible flags are:
* the data to be installed is appended to the executable (often called
overlay or EOF data). This is a technique often used by so called
"binders" which pack a legitimate and a malicious executable together
and execute both - so the user sees a legitimate program running and
thinks that the whole executable was legitimate.
* the file itself has very high entropy (7.96), which indicates
encrypted or packed data. AVs flag executables with an entropy higher
than 6 (thresholds may vary) because, well, encrypted or packed data
(from the POV of the AV) means that data is hidden and thus cannot be
analyzed.
I'm not sure how to handle that situation, those are (basically)
necessary for the installer to function. Storing the data unpacked would
bloat the binary way beyond anything sensible, storing it any other way
(as a resource or in .data) won't help either. Not to mention that this
would require mucking around with InnoSetup.
Maybe Microsoft is willing to create an exception but then this problem
would just resurface every new release. Another might be codesigning,
but that requires money, infrastructure and time.
Am 24.05.2018 um 10:24 schrieb Peter Dimov via Boost:
> Mateusz Loskot wrote:
>> One user reported via #boost at cpplang.slack.com that Windows
>> Defender reported trojan in the latest Windows binaries.
>> I checked myself and I can confirm the latest up-to-date Windows
>> Defender is detecting Vigorf.A in the installer archive.
>> Is this false report?
> VirusTotal says clean:
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk
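The two heuristics named in the message above (appended overlay data and file entropy above an AV threshold) can be checked on any PE file with a few lines of stdlib Python. The following is an added example written for this page, not code from the Boost project or from the post's author. It builds a constructed, minimal PE32 image in memory so it runs offline; the overlay payload is pseudo-random bytes standing in for compressed installer data, and the 6.0 threshold is the figure quoted in the post, not a documented Defender setting.

```python
import math
import struct
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform). Packed/encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def overlay_info(data: bytes):
    """Return (overlay_offset, overlay_size) by parsing the PE section table.

    The overlay is everything past the end of the last section's raw data; a
    normal linker output has none, installers (InnoSetup, NSIS) and binders
    append their payload there.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 / +20 in each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end, len(data) - end


def assess(data: bytes, threshold: float = 6.0):
    """Flags a practitioner would raise for the reasons given in the post."""
    start, size = overlay_info(data)
    flags = []
    if size > 0:
        flags.append("overlay of %d bytes at 0x%x (entropy %.2f)"
                     % (size, start, shannon_entropy(data[start:])))
    whole = shannon_entropy(data)
    if whole > threshold:
        flags.append("file entropy %.2f above %.1f" % (whole, threshold))
    return flags


def build_fake_pe(sections, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image: DOS header, PE/COFF header, stub optional
    header, section table, raw section data, then the overlay (assumption: only
    the fields overlay_info() reads are filled in; the file is not loadable)."""
    e_lfanew, opt_size, align = 0x40, 224, 0x200
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_start = (hdr_len + align - 1) // align * align
    table, raw, ptr = b"", b"", raw_start
    for name, payload in sections:
        size = (len(payload) + align - 1) // align * align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload),
                             0, size, ptr, 0, 0, 0, 0, 0x60000020)
        raw += payload.ljust(size, b"\0")
        ptr += size
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(raw_start, b"\0")
    return header + raw + overlay


# Constructed sample: a low-entropy "code" section plus a 64 KiB pseudo-random
# overlay standing in for the compressed installer payload described in the post.
_rng = random.Random(1)
OVERLAY = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
SAMPLE_PE = build_fake_pe([(b".text", b"The quick brown fox " * 200)], OVERLAY)

if __name__ == "__main__":
    for line in assess(SAMPLE_PE):
        print(line)
```

Running it on a real installer (`assess(open(path, "rb").read())`) reports the overlay offset and size the way a PE triage tool would; comparing the overlay's entropy with that of the sections is what separates "packed installer payload" from "something odd in the code sections".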