Issue 19913: TR/Crypt.XPACK.Gen-4 in easy_install.exe
Created on 2013-12-06 21:13 by christian.heimes, last changed 2022-04-11 14:57 by admin. This issue is now closed.
Messages (8)
msg205402 - (view)
Author: Christian Heimes (christian.heimes) *
Date: 2013-12-06 21:13
Since today test_venv fails because Avira Antivir claims that easy_install.exe contains the trojan horse TR/Crypt.XPACK.Gen-4. I haven't seen the issue before. I'm running CPython default on Windows 7 64bit with Avira 13.

msg205407 - (view)
Author: Christian Heimes (christian.heimes) *
Date: 2013-12-06 21:43
7 of 47 AV programs detect malicious software in pip's easy_install.exe:

Agnitum: Packed/MPress (20131206)
AhnLab-V3: Trojan/Win32.TesA (20131206)
AntiVir: TR/Crypt.XPACK.Gen4 (20131206)
Bkav: HW32.CDB.9028 (20131206)
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Suspicious-BAY.K (20131206)
TrendMicro: PAK_Generic.001 (20131206)
TrendMicro-HouseCall: PAK_Generic.001 (20131206)

https://www.virustotal.com/de/file/4a22ec7ceae5bb480c3dbda55f13838af0cef9ed6e1d033e896723c29eadbb19/analysis/1386366065/

msg205461 - (view)
Author: Christian Heimes (christian.heimes) *
Date: 2013-12-07 15:26
I found the offenders. distlib's wrapper scripts are detected as malicious programs by some antivirus programs.

pip/_vendor/distlib/t32.exe
https://www.virustotal.com/de/file/d06ad386d9dab9d08bdc01a3a14c713bd90b218ec4893c22da819826bd452e31/analysis/1386429889/

pip/_vendor/distlib/t64.exe
https://www.virustotal.com/de/file/b043b38b8c24c31cffed5e29e995d879a14228901bee5b15e4158b8428e2699e/analysis/1386429784/

msg205463 - (view)
Author: Vinay Sajip (vinay.sajip) *
Date: 2013-12-07 16:05
Hmmm. I use mpress (http://www.matcode.com/mpress.htm) to compress the executables. These AV results seem to be false positives, given that the files are green-lit by Symantec, Sophos, McAfee, Kaspersky, F-Prot, AVG, Avast and a bunch of other reputable AV products (based on Christian's links). I suppose the executables could be shipped uncompressed (apparently the UPX compressor also sometimes causes false positives with AV software - and UPX can't compress 64-bit executables).

There have been complaints in the past that Avira's heuristics are not careful enough: https://forum.avira.com/wbb/index.php?page=Thread&threadID=127271 That link points to a 2011 thread.

msg205464 - (view)
Author: Christian Heimes (christian.heimes) *
Date: 2013-12-07 16:09
How are you creating these files anyway? I can't find any documentation or source files in distlib.

msg205466 - (view)
Author: Vinay Sajip (vinay.sajip) *
Date: 2013-12-07 16:18
It's in the docs at e.g. http://distlib.readthedocs.org/en/latest/reference.html?highlight=launcher#distlib.scripts.ScriptMaker.__init__ and in the code at e.g. https://bitbucket.org/vinay.sajip/distlib/src/a50562ee0b535b2966948f1a657c1cac4c1536eb/distlib/scripts.py?at=default#cl-272

The project to generate the launchers is at https://bitbucket.org/vinay.sajip/simple_launcher/

msg205589 - (view)
Author: Vinay Sajip (vinay.sajip) *
Date: 2013-12-08 18:06
This commit in distlib uses uncompressed launcher executables which pass the virustotal.com checks: https://bitbucket.org/pypa/distlib/commits/e23c9e4fd3125fa88063de4dec80367b1ac82aff

msg206226 - (view)
Author: Vinay Sajip (vinay.sajip) *
Date: 2013-12-15 11:24
I've released distlib 0.1.5 on PyPI. This release uses uncompressed launchers which (at the time of writing) pass the checks on virustotal.com.
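A release-time check in the spirit of the fix discussed in this thread, added here as an example and not code from distlib, pip or any of the participants: it walks a PE file's section table and flags sections whose contents have compression-grade entropy, the packed payload that tools like mpress produce and that heuristic AV engines tend to flag. The minimal PE builder, the sample sections and the 7.2 bits/byte threshold are assumptions made for this example.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed or encrypted data, typically 5-6.5 for plain machine code."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw bytes) per section. Minimal PE walk: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER starts at pe_off+4: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<H12xH", image, pe_off + 6)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packed_sections(image: bytes, threshold: float = 7.2):
    """Names of sections whose contents look compressed; usable as a release gate for vendored launchers."""
    return [n for n, d in pe_sections(image) if len(d) >= 256 and shannon_entropy(d) > threshold]

def build_sample_pe(sections):
    """Constructed test input: a minimal, non-loadable PE image with the given (name, data) sections."""
    pe_off, n = 0x40, len(sections)
    data_off = pe_off + 24 + 40 * n  # no optional header, so section data follows the table directly
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0)  # AMD64, n sections, SizeOfOptionalHeader=0
    table, blobs = b"", b""
    for name, data in sections:
        hdr = name.encode().ljust(8, b"\0")
        hdr += struct.pack("<IIII", len(data), 0x1000, len(data), data_off + len(blobs)) + b"\0" * 16
        table, blobs = table + hdr, blobs + data
    return dos + b"PE\0\0" + coff + table + blobs

def high_entropy_blob(size: int = 4096) -> bytes:
    """Constructed stand-in for a packer's compressed payload (deterministic pseudo-random bytes)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(size // 32))
```

Run `packed_sections(open("t64.exe", "rb").read())` against a real launcher; an empty list is the uncompressed state the thread settled on, while a packer's payload section scores close to 8 bits/byte.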