Rockbox Technical Forums
Author Topic: Virus in Rockbox Utility 1.2.8 Installer  (Read 10137 times)

Offline marthirial

  • Member
  • *
  • Posts: 6
Virus in Rockbox Utility 1.2.8 Installer
« on: October 01, 2010, 10:29:22 AM »
The following threat has been detected inside the Utility Installer: Hoax.Win32.ArchSMS.iyq

The archive is located at http://download.rockbox.org/rbutil/win32/rockboxutility-v1.2.8.zip

More information about the threat here:
http://www.threatexpert.com/report.aspx?md5=288390c98f3394b6fd144acf249b0233
Logged

Offline saratoga

  • Developer
  • Member
  • *
  • Posts: 8974
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #1 on: October 01, 2010, 10:33:48 AM »
That report dates back to a file from before the current rbutil was released, so it's probably just crappy antivirus software getting confused.
Logged

Offline marthirial

  • Member
  • *
  • Posts: 6
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #2 on: October 01, 2010, 10:35:18 AM »
The crappy antivirus in question is Kaspersky Internet Security 2011 AND Microsoft Security Essentials.
Logged

Offline Chronon

  • Rockbox Expert
  • Member
  • *
  • Posts: 4379
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #3 on: October 01, 2010, 10:43:42 AM »
What is your point?  They are both susceptible to either missing actual threats or misidentifying benign files as false positives.  You can inspect the source code for yourself, so please point out the virus in the code.
Logged
Sansa e280, Gigabeat F40, Gigabeat S60, Sansa Clip+, iPod Mini 2g

Offline marthirial

  • Member
  • *
  • Posts: 6
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #4 on: October 01, 2010, 10:53:35 AM »
My point is that as a community-driven application, it is my part to inform about things that could be looked upon by the developers, in this case, even if it is a false positive, why is there a false positive in an installation package.

Calling an antivirus crappy for doing its job as solution to a somewhat serious issue only diminishes even more the confidence that this website or the software is not compromised, as it shows an attitude of inflexibility.

I wish I had the time or the knowledge to dissect and analyze the files but I don't, so I guess I just need to apologize for bringing this to attention.
Logged

Offline torne

  • Developer
  • Member
  • *
  • Posts: 994
  • arf arf
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #5 on: October 01, 2010, 11:22:00 AM »
Antivirus software *is* crappy. The job it does is a crappy job that cannot be done well and is best not done at all. So, yes, most developers are likely to be dismissive of AV false positives.
Logged
some kind of ARM guy. ipodvideo/gigabeat-s/h120/clipv2. to save time let's assume i know everything.

Offline gevaerts

  • Administrator
  • Member
  • *
  • Posts: 1053
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #6 on: October 01, 2010, 11:25:58 AM »
Quote from: marthirial on October 01, 2010, 10:53:35 AM
My point is that as a community-driven application, it is my part to inform about things that could be looked upon by the developers, in this case, even if it is a false positive, why is there a false positive in an installation package.

Have you reported this to the people who are actually responsible for this issue, i.e. Kaspersky and Microsoft?
Logged

Offline saratoga

  • Developer
  • Member
  • *
  • Posts: 8974
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #7 on: October 01, 2010, 11:33:38 AM »
I like the description of the "threat":

"Downloads/requests other files from Internet."

Yes, I would think the tool for downloading rockbox from the internet probably does at some point download a file from the internet! 

Probably just some lazy AV vendors flagging a generic bit of code for downloading files as "virus like" without bothering to check if that bit of code is used in more than just malware.
Logged

Offline marthirial

  • Member
  • *
  • Posts: 6
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #8 on: October 01, 2010, 12:13:00 PM »
Well well... seems like the file has or was pulled from download. 

That's more constructive than talking platitudes about the reliability of antivirus software.

VirusTotal is reporting 3/47 results:

http://www.virustotal.com/file-scan/report.html?id=2f55445e74027eadc75152ad2286dc9ee0d4f1bd0b2395993857436eb3405272-1285949421
« Last Edit: October 01, 2010, 12:18:52 PM by marthirial »
Logged

Offline Llorean

  • Member
  • *
  • Posts: 12931
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #9 on: October 01, 2010, 12:19:01 PM »
http://download.rockbox.org/rbutil/win32/RockboxUtility-v1.2.8.zip seems to still be there.

Basically it looks like there's something about this file that makes it "suspicious" without actually having anything wrong with it.

"Programs classified as Hoax do not directly inflict any damage on the victim computer. They do send messages saying that damage has been done or will be done, or warn the user of a threat that does not actually exist. These “bad jokes” include programs that frighten users with messages about reformatting their disk (although no formatting is actually taking place), and display messages typical of viruses, etc. depending on the program author’s “sense of humor”."
« Last Edit: October 01, 2010, 12:25:21 PM by Llorean »
Logged

Offline saratoga

  • Developer
  • Member
  • *
  • Posts: 8974
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #10 on: October 01, 2010, 12:58:31 PM »
Quote from: marthirial on October 01, 2010, 12:13:00 PM
Well well... seems like the file has or was pulled from download. 

That's more constructive than talking platitudes about the reliability of antivirus software.

I don't understand why you're trying to defend this crap.  No one takes these automated heuristics seriously because they're not useful.  They're marketing crap designed to give gullible and uninformed people a sense of false security so they look at a few extra ads or cough up a couple bucks for a subscription.
Logged

Offline torne

  • Developer
  • Member
  • *
  • Posts: 994
  • arf arf
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #11 on: October 01, 2010, 01:04:53 PM »
Quote from: marthirial on October 01, 2010, 12:13:00 PM
Well well... seems like the file has or was pulled from download. 

It hasn't been pulled, the link you put in your post just has the R and U of RockboxUtility in lower case, which is wrong.
Logged
some kind of ARM guy. ipodvideo/gigabeat-s/h120/clipv2. to save time let's assume i know everything.

Offline marthirial

  • Member
  • *
  • Posts: 6
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #12 on: October 01, 2010, 01:12:16 PM »
It's just that I thought this was a serious Open Source software development team OPEN (!) to discussion about how to improve accessibility and satisfaction for the software.

Instead it turned into an AV-bashing circlejerk distracting from the initial point: Is it 100% safe to download and install RB Utility 1.2.8 with the developers' knowledge that this false positive could occur?

Most software that may behave similar as a virus because of the resources it will access has a warning and disclaimer in the download page.  That may be also helpful in this case.

Is there a mature developer in this forum who can post an official statement a bit more reassuring than "I don't understand why you're trying to defend this crap." ?
Logged

Offline saratoga

  • Developer
  • Member
  • *
  • Posts: 8974
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #13 on: October 01, 2010, 01:15:20 PM »
Quote from: marthirial on October 01, 2010, 01:12:16 PM
It's just that I thought this was a serious Open Source software development team OPEN (!) to discussion about how to improve accessibility and satisfaction for the software.

It is, we're just interested in things a little more serious than this.

Quote from: marthirial on October 01, 2010, 01:12:16 PM
Is it 100% safe to download and install RB Utility 1.2.8 with the developers' knowledge that this false positive could occur?

Yes of course.  We all know that false positives occur and we still put up the link.  We wouldn't give you a download link if we thought there was a risk.

Quote from: marthirial on October 01, 2010, 01:12:16 PM
Most software that may behave similar as a virus because of the resources it will access has a warning and disclaimer in the download page.  That may be also helpful in this case.

"Warning:  if you use bad virus software, you should get better software before using this site"

Not sure that's really helpful.  :)

Quote from: marthirial on October 01, 2010, 01:12:16 PM
Is there a mature developer in this forum who can post an official statement a bit more reassuring than "I don't understand why you're trying to defend this crap." ?

Here's one:  stop being such a noob.  These things happen with every program on earth, no need to get so upset about them.
Logged

Offline Llorean

  • Member
  • *
  • Posts: 12931
Re: Virus in Rockbox Utility 1.2.8 Installer
« Reply #14 on: October 01, 2010, 01:19:25 PM »
You could attempt to show some maturity yourself. Posting on Reddit about how a virus was found in Rockbox's installer (when there is no solid evidence one actually is there right now) isn't the behaviour of someone who's just interested in a discussion of how to improve accessibility.

Have you gone to the antivirus software authors and told them about the false positive? Are you proactively trying to solve this, or just attempting to complain about a non-issue?

Basically, false positives happen. Our software doesn't behave similar to a virus (in the sense that it is in no way self replicating, does not attempt to hide its activity from the system, etc, etc) but does do some fundamentally low level things to certain players (that we make no secret of). What warning should we offer? We can't consistently predict when a virus scanner will get it wrong. Any behaviour could set it off.

The virus that has been detected is in the category "hoax" which is specifically non-harmful viruses which means it's not likely even any of our abnormal activity that triggered the warning, but rather some of our normal activity that shares a similar behaviour to some virus. It could be as simple as how we choose to download the builds from the master build server (plenty of malware downloads further things). The link to the virus description you posted on Reddit specifically says that all this type of program does is try to convince you to send SMS messages after claiming to be encrypted and requiring an unlock. Did you take the time to verify whether RBUtil does this before reporting on it, or blindly trust a virus scanner that says nothing more than it's "suspicious"?
Logged
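
Reply #1 points out that the ThreatExpert report may describe a different file than the current installer. As an added example (not part of the thread and not Rockbox code), this Python sketch pulls the file hash out of each report URL posted above and compares it with the digest of a local file; it assumes the VirusTotal `id` parameter has the form `<sha256>-<unix time>`, and the sample bytes are constructed.

```python
import hashlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Report URLs exactly as posted in the thread.
THREATEXPERT_URL = "http://www.threatexpert.com/report.aspx?md5=288390c98f3394b6fd144acf249b0233"
VIRUSTOTAL_URL = ("http://www.virustotal.com/file-scan/report.html"
                  "?id=2f55445e74027eadc75152ad2286dc9ee0d4f1bd0b2395993857436eb3405272-1285949421")
HEX_LENGTH = {"md5": 32, "sha256": 64}


def report_reference(url):
    """Return (algorithm, hex digest, scan time or None) named by a report URL."""
    query = parse_qs(urlparse(url).query)
    if "md5" in query:  # ThreatExpert style: ?md5=<md5>
        algorithm, digest, when = "md5", query["md5"][0], None
    elif "id" in query:  # assumed VirusTotal style: ?id=<sha256>-<unix time>
        digest, _, epoch = query["id"][0].partition("-")
        algorithm = "sha256"
        when = datetime.fromtimestamp(int(epoch), tz=timezone.utc) if epoch.isdigit() else None
    else:
        raise ValueError("no file hash in report URL")
    digest = digest.lower()
    if len(digest) != HEX_LENGTH[algorithm] or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed %s digest in report URL" % algorithm)
    return algorithm, digest, when


def report_matches_file(url, data):
    """True only if the report was generated for exactly these bytes."""
    algorithm, expected, _ = report_reference(url)
    return hashlib.new(algorithm, data).hexdigest() == expected


if __name__ == "__main__":
    # Constructed stand-in bytes; in practice read the downloaded zip in binary mode.
    sample = b"constructed sample, not the real RockboxUtility-v1.2.8.zip"
    for url in (THREATEXPERT_URL, VIRUSTOTAL_URL):
        algorithm, digest, when = report_reference(url)
        verdict = "same file" if report_matches_file(url, sample) else "different file"
        print(algorithm, digest, when.isoformat() if when else "no scan time", verdict)
```

A report whose hash does not match the downloaded file says nothing about that file, whichever way its verdict goes.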
