Minirosetta executable detected as Security Risk

Tamaster

Message 61973 - Posted: 27 Jun 2009, 14:55:37 UTC

Has anyone seen this:
Symantec Corporation Norton Internet Security
Version: 16.5.0.135

minirosetta_1.80_windows_intelx86.exe detected by SONAR

Risk Name: minirosetta_1.80_windows_intelx86.exe
Risk Type: File Based
Severity: High
Component: SONAR
Risk State: Fully removed
Definitions Version: 2009.06.26.054
ERASER Version: 109.1.0.61

Reported by my antivirus this morning. I went to look to see if the file was there and a new .zip had been downloaded following detection and removal. The message digests for the newly downloaded executable are:
(MD5) 34F18CD07435ABD14098D79FE228F727
(SHA1) 02E9513E28CB2DCCF16B54B7C5F64F42CAF43C89

Clues anyone?
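One way to repeat the check described in the post above, as an added example that is not part of the original thread: hash the files in a project folder and compare them with reference digests, reporting a file the scanner removed as missing. The names `file_digests` and `audit_dir` and the manifest layout are assumptions made for this sketch; the two digests are the ones quoted in the post.

```python
import hashlib
import os
import tempfile

# Digests quoted in the post above for the re-downloaded 1.80 executable.
POSTED = {
    "minirosetta_1.80_windows_intelx86.exe": {
        "md5": "34F18CD07435ABD14098D79FE228F727",
        "sha1": "02E9513E28CB2DCCF16B54B7C5F64F42CAF43C89",
    }
}

def file_digests(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Read the file once and feed every requested hash (streaming)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}

def audit_dir(root, manifest):
    """Classify each manifest entry as 'ok', 'mismatch' or 'missing'.

    'missing' is what a removal by the scanner looks like on disk;
    'mismatch' means the file present is not the one the manifest describes.
    """
    report = {}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        actual = file_digests(path, tuple(expected))
        same = all(actual[a] == expected[a].upper() for a in expected)
        report[name] = "ok" if same else "mismatch"
    return report

if __name__ == "__main__":
    # Constructed demo: an empty temp directory stands in for the project
    # folder, so the posted executable is reported as missing.
    with tempfile.TemporaryDirectory() as root:
        print(audit_dir(root, POSTED))
```

The result is only as trustworthy as the source of the reference digests, so values published by the project itself are a better baseline than ones taken from a local copy.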
Paul

Message 61985 - Posted: 28 Jun 2009, 12:33:53 UTC - in response to Message 61973.  

This is not a new issue. It happens every few months.

They will fix it. Thanks for reporting.

Thanks for crunching.
Thx!

Paul

Tamaster

Message 61986 - Posted: 28 Jun 2009, 13:39:30 UTC

It looked like a false positive to me.

Was there a new build recently or do we believe this was Symantec definitions related?

I guess it's a good idea to have BOINC just download a new copy if an executable disappears like that (though I'm a bit uncomfortable with the idea).
mikey
Message 62003 - Posted: 29 Jun 2009, 9:02:45 UTC - in response to Message 61986.  

> It looked like a false positive to me.
>
> Was there a new build recently or do we believe this was Symantec definitions related?
>
> I guess it's a good idea to have BOINC just download a new copy if an executable disappears like that (though I'm a bit uncomfortable with the idea).

There was a big brouhaha a few months ago, and it was discovered that the anti-virus companies had decided that something that BOINC does was then a problem. It sounds like the companies are at it again. Most people have set the anti-virus so it just doesn't scan the BOINC directories, and then there are no more problems. Yes, that can be a bit scary at first, but you are just connecting to your favorite project with BOINC, not going to the whole internet with it.
Tamaster

Message 62019 - Posted: 30 Jun 2009, 12:08:51 UTC

I've added C:\Documents and Settings\All Users\Application Data\BOINC\projects to the Scan Exclusions settings. Since I run BOINC as the daemon, I'm not too concerned about the security issues (IBM has done a fine job lending a hand at getting the containment model secured).

I'm more concerned about work stoppage or loss. There are already too many host related failures across all the various projects, mostly due to inattentive owners. I wonder what kind of statistics there are for replication efficiency over the millions of systems.
Sid Celery

Message 62042 - Posted: 2 Jul 2009, 2:21:28 UTC - in response to Message 62019.  
Last modified: 2 Jul 2009, 2:22:24 UTC

> I've added C:\Documents and Settings\All Users\Application Data\BOINC\projects to the Scan Exclusions settings. Since I run BOINC as the daemon, I'm not too concerned about the security issues (IBM has done a fine job lending a hand at getting the containment model secured).

That's a good idea for those who repeatedly have this problem.

> I'm more concerned about work stoppage or loss. There are already too many host related failures across all the various projects, mostly due to inattentive owners. I wonder what kind of statistics there are for replication efficiency over the millions of systems.

That may be true, but it's also harsh because it's not the complete story.

- Norton 360 (all versions that I've used) doesn't reject the minirosetta executable.
- Norton Antivirus doesn't reject the minirosetta executable either (that I'm aware of).
- Norton Internet Security rejects the minirosetta executable every time there's a new minirosetta version.

So, to some extent, there's an inconsistency with Symantec themselves that they have to address.

Kaspersky has also had this problem in the past, as has ESET NOD32 if I recall correctly.
robertmiles

Message 62072 - Posted: 3 Jul 2009, 14:19:28 UTC - in response to Message 62042.  

> That may be true, but it's also harsh because it's not the complete story.
>
> - Norton 360 (all versions that I've used) doesn't reject the minirosetta executable.
> - Norton Antivirus doesn't reject the minirosetta executable either (that I'm aware of).
> - Norton Internet Security rejects the minirosetta executable every time there's a new minirosetta version.
>
> So, to some extent, there's an inconsistency with Symantec themselves that they have to address.


Norton Internet Security 2009 seems to have fixed the problem the previous Norton programs had with slowly corrupting the database of the Windows Mail email/newsreader program that comes with Vista, but some of its recent updates seem to have introduced new problems. Could we get some of the RALPH@home alpha testers to test for problems with running new minirosetta versions on computers that also have Norton Internet Security installed, and scan the BOINC folders whenever any new version of minirosetta is available?

I just created a custom Norton Internet Security scan on my x64 Vista computer to scan only the BOINC directories, ran it, and everything passed. The alpha testers could use such tests to report false positives. I remember a setting for including heuristic scanning, but don't remember whether it was for Norton Internet Security or for Microsoft Windows Defender, another program for which recent updates have added false positives.

At least for Microsoft Windows Defender, the changes needed to control the problem seem to include having every new version of minirosetta include the files needed to tell Windows Defender where that program came from, and a few more things needed to tell Windows Defender to treat the program better than a program downloaded from an unknown source.
Sid Celery

Message 62091 - Posted: 5 Jul 2009, 11:03:12 UTC - in response to Message 62072.  

> > That may be true, but it's also harsh because it's not the complete story.
> >
> > - Norton 360 (all versions that I've used) doesn't reject the minirosetta executable.
> > - Norton Antivirus doesn't reject the minirosetta executable either (that I'm aware of).
> > - Norton Internet Security rejects the minirosetta executable every time there's a new minirosetta version.
> >
> > So, to some extent, there's an inconsistency with Symantec themselves that they have to address.
>
> Norton Internet Security 2009 seems to have fixed the problem the previous Norton programs had with slowly corrupting the database of the Windows Mail email/newsreader program that comes with Vista, but some of its recent updates seem to have introduced new problems.

Yes, sorry about that. A team-mate confirmed to me that Mini 1.80 was the first for a long time to get through NIS2009 without problems. Hopefully that continues now.
Tamaster

Message 62237 - Posted: 15 Jul 2009, 12:38:57 UTC

This only happened immediately following the 1.80 update, so it appears that NIS 2009 still has an issue. BOINC (and r@h), however, recovered gracefully and went right on about their business of crunching.

I added the exclusion rule, just in case, though I'm not all that comfortable with the idea. I've had no issues since.

With the new update to 1.82 (which got downloaded last night) I deleted the exclusion this morning, performed a manual scan on the main directory and all subs, and of over a thousand items scanned there were zero (0) detections.

I'm leaving the exclusion off for the time being to see if it happens again.



©2025 University of Washington
https://www.bakerlab.org