Virus in Rockbox Utility 1.2.8 Installer

[marthirial]

Am I to assume that saratoga speaks for the whole RockBox development team and therefore it is an official stand of RockBox to insult users instead of offering any explanation whatsoever?

We have posted 13 times in this thread and not once an "expert" or "developer" has posted any explanation whatsoever.

This is my last post.  I posted thinking this would help "noobs" that come excited to get this otherwise nice software but instead I got sidetrack bashing and childish insults.

And it is not like this software is for MRI machines that will save lives, relax dudes.

Llorean:  Yes, posted to Reddit and guess what, they had better answers than the actual developers here. 

My issue, one more time, is not if false positive happens or if AV are reliable.  I was just looking for an adult who could explain, simply, why an exe file is giving a false positive.

Something like this, you know: 

"Rockbox access resources in your computer that are similar to the behavior of malware.  We are committed to security and quality of our product and can assure no malicious programs are included in the installation package".  -  Att. RockBox developer.

See.  It even sound official and serious and helps bring credibility to the software.

[AlexP]

Am I to assume that saratoga speaks for the whole RockBox development team and therefore it is an official stand of RockBox to insult users instead of offering any explanation whatsoever?

No, for himself only, as are the views of everyone else.  I personally very much dislike the tone in this thread, and am sorry for that.

There isn't much of an explanation to give - Rockbox Utility downloads files and does some low level fiddling of hardware, but without access to the source code of the anti-virus software, we just don't know why they come up with this false positive.

[soap]

Am I to assume that saratoga speaks for the whole RockBox development team and therefore it is an official stand of RockBox to insult users instead of offering any explanation whatsoever?

saratoga speaks for saratoga.  

We're an anarcho-syndicalist commune.  We take it in turns to act as a sort of executive officer for the week.  But all the decision of that officer have to be ratified at a special biweekly meeting.  By a simple majority in the case of purely internal affairs, but by a two-thirds majority in the case of more...

EDIT:

But seriously.
Rockbox is a loose collective of people who have been entrusted "not to fuck up the code".
There is no leader, there is no spokesperson, there is no target market.

Just a bunch of people who enjoy working on a software project and give access, gratis, to their work.

Expecting some sort of "official" response from a non-corporate OSS project is missing the point.

[Llorean]

How is someone supposed to tell you why it's a false positive? We didn't write the anti-virus software. We don't have access to which of their various heuristics this set off.

It could be the code to fiddle with the MBR on iPods.

It could be the mere fact that it downloads updated builds.

It could even just be the content of one string happening to match exactly the content of a similar string in a virus.

There's a million things it could be. "It's a false positive" is all the answer one *can* give you without simply making things up or lying about it. Would you rather a truthful answer, or a more reassuring falsehood or guess?

[saratoga]

We have posted 13 times in this thread and not once an "expert" or "developer" has posted any explanation whatsoever.

First reply to the thread:

That report dates back to a file from before the current rbutil was released, so its probably just crappy antivirus software getting confused.

Reviewing the replies this was repeated to you several more times, so i think its unfair to say no one tried to help you understand.  I certainly did.  You just didn't like the answer so you ignored it.

Something like this, you know: 

"Rockbox access resources in your computer that are similar to the behavior of malware.  We are committed to security and quality of our product and can assure no malicious programs are included in the installation package".  -  Att. RockBox developer.

Hey, I did just that!

I like the description of the "threat":

"Downloads/requests other files from Internet."

Yes, I would think the tool for downloading rockbox from the internet probably does at some point download a file from the internet! 

Probably just some lazy AV vendors flagging a generic bit of code for downloading files as "virus like" without bothering to check if that bit of code is used in more then just malware.

Thats exactly what you just said you wanted to hear.  Did you not read those posts?  It really seems to me that you're faulting a lot of the wrong people here.

[gbl08ma]

Sorry, but for me it seems this whole discussion started at the point somebody (who relies too much on antivirus) got an antivirus warning saying that the Rockbox Utility file was a virus. Then that somebody got way too much alarmed and posted on Rockbox forums.

After that, the Rockbox community answers, trying to explain that false positives occur - and yes they don't show a good image to the newcomer, specially if you have one of those antivirus that delete the infected (or not so infected) file instantaneously once it is created.

As that somebody continues alarmed because of some antivirus warning, s/he keeps posting complaining there's no "official answer", I think is what s/he wants. Hey, like soap said, on non-corporate OSS projects there's no "official", there's a community that, ideally, acts like a family or a group of friends and works together to meet an objective.

In fact, I have already downloaded many OSS software from well known sites and publishers, and also some from not-so-well-known publishers, and many antivirus software classifies them as being malware. I'm also a software developer, and once I added an automated updater to my software (that doesn't download anything without previous user acknowledge and agreement), some antivirus software classified them as dangerous because it "downloaded files" (exactly what's happening with RB Util). Did I stop using that software (including mine) just because some antivirus said it is or contains a virus? No. At a maximum, when I don't trust the software in question, I go having a bit of work and look on the source code for dangerous operations - most of the times, I found that the point is on automated updaters and things like that. So, RB Utility is not immune to being classified as a virus.

Let's stop with this whole discussion - in fact now I think I have written too much. No one is obligated to use Rockbox, much less Rockbox Utility; in fact it voids your warranty in many (if not all) targets. The somebody that created the thread would have reasons to complain if s/he had paid for Rockbox or Rockbox Utility, but as an OSS project, you only use it if you want, and if you don't like it that way, you can change it.

"Somebody" is used on this post to demonstrate that cases like this can happen with anyone, and not to take away the honor of marthirial. In fact, what I described could not have happened with s/he, but it's a situation that actually can happen.

This is just my point of view! And no, you're not obligated to read this or agree with me.

[bluebrother]

Llorean:  Yes, posted to Reddit and guess what, they had better answers than the actual developers here. 

What answer do you expect? Someone saying "it's a false positive"? People did that, plus why they can't say why it's impossible why it's a false positive. This still doesn't change the problem that you need to trust someone posting in these forums -- or trust your virus software. You are the one to decide who you want to trust.

Edit: I've just checked the result of the scan that was posted on Reddit. It shows 3 scanners out of 43 considering the file malicious, so 40 scanners think it's ok. Do you trust 40 scanners saying the same or 3 scanners saying something else (but not exactly the same)? I'm more likely to go with the majority ...

[M_Koga]

PMJI (duck, cringe, etc.)

Not having a dog in the fight, trying to be a bit of a peacemaker, hoping for the best, and so on...

A long time ago, when the net was a far safer, friendlier place, I got infected -- the ONLY time I ever got infected -- by a COMMERCIAL PRODUCT by a top-tier company that shall remain nameless.  I don't remember if I was acting in the role of beta tester, or software review writer (this was a long time ago, I have forgotten more than I ever knew).

Fortunately, it was a relatively benign infection (a Word macro virus that shat upon every doc it could find, causing me lots of fun doing manual cleanup).  I notified the vendor who turned eleven shades of purple, thanked me profusely for informing them, and proceeded to do the same on their in-house machines.

Some time earlier, I did NOT get infected, because the "disease" I was sold was incapable of doing any damage to me, having "destroyed its host" before landing in my hand.  It as an updated motherboard BIOS (manufacturer shall remain nameless).  This was during the 286 era, when BIOSs were purchased as either masked ROMs, PROMs, or EPROMs (this was long before we were able to flash our own firmware -- we had to physically replace a pair of ROM chips).

When I installed the chip pair I'd purchased from the mobo mfgr, my machine would not boot.  After much "fun" I ended up writing a program that parsed both chips (original BIOS reinstalled, and suspect chips read in my PROM blaster), interleaved the hi/lo byte pairs, and extracted "likely ASCII" so that I could see what the hell was going on (suspicious sort that I was).

I stopped my investigation when I encountered a string that said something like "DISK KILLER TROJAN"

I then packed it in, and informed the mobo manufacturer, who proceeded to shit a pile of giant economy sized bricks, and tell me how bloody grateful they were to me for discovering that their machines were infected (the LIVE virus in their systems had corrupted the BIOS files before they burned them).

Of course, their talk of SHOWING me how grateful they were (there was some hinting about sending me a hot new mobo) amounted to naught. They had what they wanted, and I had to be satisfied with replacment chips (or maybe they only sent me the files so that I could burn my own, I don't remember, t'was a long time ago).

My point is that this sort of thing happened on occasion in a much more innocent age.  Nowadays, the image I see when I think of the Internet is like that scene from Pfeiffer's "Little Murders" where the guy opens the steel cover protecting the window in the highrise apartment, and INSTANTLY bullets start flying in, until he shuts the steel cover again.

This brand of ever-present abuse causes a lot of jangled nerves. People are jumpy, and predisposed to freaking out.  (This is why so many TRULY fraudulent "antivirus" crapwares are sold, many of which are nothing more than vectors OF infection themselves, with the less=noxious of them being "merely" garbageware that serves only to collect payment for the BELIEF of protection being provided.

It's a nasty, often brutal world, and getting worse by the moment.

To put this ALL into perspective, I have found Rockbox to be one of the MOST solid, stable, robust, well-designed pieces of software I have ever used.  I am amazed at how fantastic it is, and I only use a small fraction of its capability.

Code like this can ONLY be produced by people that TRULY CARE about what they are doing.  And, if there is ANY software I'd trust, Rockbox would be way at the top of that list.

[R3n4]

I had a similar experience when my anti-virus has also detected this threat. I just immediately submit this issue to my anti-virus lab. They found out that the virus is a false positive. There's no need to worry about this issue because there is no virus in the installer.

[wolftail]

I have just scanned the file in Microsoft Security Essentials (with up to date definitions) and it found nothing. Also virustotal.com gives a 2.43% chance of being infected (only one out of 43 AVs, nProtect detects anything). So I would definitely call it a false positive.

http://www.virustotal.com/file-scan/report.html?id=c384f29391e169aee74920b18279914c8aa67b2e0fb039f472a9b1c5390d8cbc-1295882127