[smartmontools-support] Virus detected in automated builds

Christian Franke Christian.Franke at t-online.de
Tue Jan 22 18:27:19 CET 2019 

Peter Ohlerich wrote:
> Hello!
>
> I downloaded Build #655 for Win32 from https://builds.smartmontools.org/
> (
> https://655-105252244-gh.circle-artifacts.com/0/builds/smartmontools-win32-setup-7.1-r4891.exe
> )
> and my AV scanner detected a virus in the downloaded file.

Which scanner?
Could you possibly send an request for analysis to the vendor?

>
> Virustotal has 21 of 68 engines detecting a virus
>
> https://www.virustotal.com/#/file/6334ca3b90f2481d1be8c3e8456f0f903e7cc5fab7cd3a7351be801ad0fbe8a8/detection

The original detection was 9/70, and as usual the detection ratio first 
increased from day to day, likely because scanners borrow results from 
others.
Here the current scan history of this file:
https://www.virustotal.com/en/file/6334ca3b90f2481d1be8c3e8456f0f903e7cc5fab7cd3a7351be801ad0fbe8a8/analysis/1547246653/
https://www.virustotal.com/en/file/6334ca3b90f2481d1be8c3e8456f0f903e7cc5fab7cd3a7351be801ad0fbe8a8/analysis/1547500325/
https://www.virustotal.com/en/file/6334ca3b90f2481d1be8c3e8456f0f903e7cc5fab7cd3a7351be801ad0fbe8a8/analysis/1547626001/
https://www.virustotal.com/en/file/6334ca3b90f2481d1be8c3e8456f0f903e7cc5fab7cd3a7351be801ad0fbe8a8/analysis/1547939902/
https://www.virustotal.com/en/file/6334ca3b90f2481d1be8c3e8456f0f903e7cc5fab7cd3a7351be801ad0fbe8a8/analysis/1548174462/


> When manually extracting the files from the archive via 7-Zip, the
> extracted files are not detected individually. Can you clarify whether
> this is a false positive?

All builds are cross compiled under Ubuntu using MinGW-w64 and NSIS 
cross toolchains running in a docker container at CircleCI. Actual 
infection is possible in theory, but IMO unlikely in practice.


The most recent release build "smartmontools-7.0-1.win32-setup.exe" also 
suffered from similar false positive results. It was build using same 
docker container and same options, but in a local Linux VM.
Here an excerpt from the scan history:
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1546184092/
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1546189720/
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1546192969/
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1546193155/
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1546260594/
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1546340850/
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1546707326/
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1546707609/
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1547996425/
https://www.virustotal.com/en/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe/analysis/1548145281/

During the first days after release, I sent false positive reports to 
various scanner vendors.

The following vendors confirmed that this is a false positive and 
removed the detection:
AVG, Avira, DrWeb, GData, Microsoft
https://www.microsoft.com/en-us/wdsi/submission/9815776c-665c-4560-ba40-86cce1ca83c0

The following Vendors did NOT reply, but removed the detection:
Bitdefender, Cyren, Sophos

The following vendors did not reply and the detection is still present:
Qihoo-360

McAfee was not considered as they do not offer an easy way to report 
false positives.


Further experiments show that compiler options affect the detection:

Rebuild of smartctl.exe 7.0 x64 using default optimization flags:
https://www.virustotal.com/en/file/6e80ab93a50fbe1f02fe625ba2fd549e60321dc2c29b5ee896f8db1fcf1afebd/analysis/1546334642/
https://www.virustotal.com/en/file/6e80ab93a50fbe1f02fe625ba2fd549e60321dc2c29b5ee896f8db1fcf1afebd/analysis/1547157313/
https://www.virustotal.com/en/file/6e80ab93a50fbe1f02fe625ba2fd549e60321dc2c29b5ee896f8db1fcf1afebd/analysis/1548177122/

Rebuild from same source, but with -O1 instead of -O2:
https://www.virustotal.com/en/file/437bf6d6fb0f04978fb9473eb8b4c664a0c74d4f1e5c1489c202a90261e957ab/analysis/1546295547/
https://www.virustotal.com/en/file/437bf6d6fb0f04978fb9473eb8b4c664a0c74d4f1e5c1489c202a90261e957ab/analysis/1548177069/

Interesting, IMO....

Thanks,
Christian

More information about the Smartmontools-support mailing list