Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

2015-09-09 Thread Langer, Stephen A.


On 9/4/15, 8:51 PM, "macports-users-boun...@lists.macosforge.org on behalf
of Ryan Schmidt"  wrote:

>
>On Sep 4, 2015, at 5:27 PM, Brandon Allbery wrote:
>
>> Others have reported this. Unfortunately, there is no guarantee that
>>some random chunk of code or data won't hash to the same value as a
>>virus; it's statistically unlikely, but over time the probability of a
>>false positive will tend toward unity. And in fact false positives are
>>rare but known to happen, as one would expect.
>
>The whole point of hash algorithms is to provide something very close to
>that guarantee. Some hash algorithms are broken, so they can no longer
>provide that guarantee; md5 is an example of a broken hash algorithm.
>Tools exist to let you craft two different files that hash to the same
>md5 sum. But newer algorithms like sha256 and rmd160 are not yet broken
>and still provide sufficiently strong assurances that if the hash of a
>file is the expected value, then the contents of the file are the
>expected contents as well. That's why we use sha256 and rmd160 checksums
>to verify the integrity of the files MacPorts ports download.
>
>I assume the Sophos claim of iPh/WireLurk-G in zlib is a false positive
>and refer concerned users to Sophos.

I had this problem and reported it to our IT staff, who reported it to
Sophos, who confirmed that there was a problem with the virus definitions.
They say that it’s been fixed now.

— Steve

___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users


Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

2015-09-04 Thread Bill Christensen
Saw the same a few minutes ago myself.

On Fri, Sep 4, 2015 at 5:18 PM, Marko Käning  wrote:

> Hi folks,
>
> today I got a warning from my "Sophos Antivirus" w.r.t. MacPorts!!!
>
> It claimed that zlib’s dylib file
>
> /opt/local/lib/libz.1.2.8.dylib
>
> carried a virus called
>
> iPh/WireLurk-G
>
> and I wonder now whether this was
> - actually true or
> - a false positive or
> - whether Sophos is trying to trade snake oil to me…
>
>
> It was very weird that at some stage the dylib file, despite being
> readable,
> ---
> $ ls -l /opt/local/lib/libz.1.2.8.dylib
> -rwxr-xr-x 1 root admin 76404 Nov 15  2013 /opt/local/lib/libz.1.2.8.dylib
> ---
> could _not_ be read by any user.
> Later it was readable again...
> Was I tricked by some OSX internals (triggered by Sophos’ quarantine
> workflow) or indeed by a virus?
>
>
> Is there a way to verify whether the files installed by port “zlib” are
> actually those currently to be found in MacPorts’ own archives? Are there
> verifiable hashes for files installed by a port somewhere?
>
> Greets,
> Marko
>
>


Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

2015-09-04 Thread Brandon Allbery
On Fri, Sep 4, 2015 at 6:18 PM, Marko Käning  wrote:

> - a false positive or
>

Others have reported this. Unfortunately, there is no guarantee that some
random chunk of code or data won't hash to the same value as a virus; it's
statistically unlikely, but over time the probability of a false positive
will tend toward unity. And in fact false positives are rare but known to
happen, as one would expect.

-- 
brandon s allbery kf8nh                               sine nomine associates
allber...@gmail.com                                  ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad       http://sinenomine.net


Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

2015-09-04 Thread Michael David Crawford
Your Hackathon Challenge, should you choose to accept it:

Prepend a jump table to a virus that results in a word processor.

This list post will self-destruct in five seconds.
Michael David Crawford P.E., Consulting Process Architect
mdcrawf...@gmail.com
http://mike.soggywizard.com/

  One Must Not Trifle With Wizards For It Makes Us Soggy And Hard To Light.


On Fri, Sep 4, 2015 at 3:29 PM, Marko Käning  wrote:
> Hi Mihai,
>
> On 05 Sep 2015, at 00:23 , Mihai Moldovan  wrote:
>> https://trac.macports.org/ticket/48756
>
> thanks for the pointer!
>
> I admit that I hadn’t searched trac before posting this…
> I should have! :)
>
> Greets,
> Marko
>


Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

2015-09-04 Thread Marko Käning
Hi Mihai,

On 05 Sep 2015, at 00:23 , Mihai Moldovan  wrote:
> https://trac.macports.org/ticket/48756

thanks for the pointer!

I admit that I hadn’t searched trac before posting this…
I should have! :)

Greets,
Marko



Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

2015-09-04 Thread Marko Käning
Hi folks,

today I got a warning from my "Sophos Antivirus" w.r.t. MacPorts!!!

It claimed that zlib’s dylib file

/opt/local/lib/libz.1.2.8.dylib

carried a virus called

iPh/WireLurk-G

and I wonder now whether this was
- actually true or
- a false positive or 
- whether Sophos is trying to trade snake oil to me…


It was very weird that at some stage the dylib file, despite being readable,
---
$ ls -l /opt/local/lib/libz.1.2.8.dylib
-rwxr-xr-x 1 root admin 76404 Nov 15  2013 /opt/local/lib/libz.1.2.8.dylib
---
could _not_ be read by any user.
Later it was readable again...
Was I tricked by some OSX internals (triggered by Sophos’ quarantine
workflow) or indeed by a virus?


Is there a way to verify whether the files installed by port “zlib” are
actually those currently to be found in MacPorts’ own archives? Are there
verifiable hashes for files installed by a port somewhere?

Greets,
Marko



Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

2015-09-04 Thread Mihai Moldovan
On 05.09.2015 12:18 AM, Marko Käning wrote:
> today I got a warning from my "Sophos Antivirus" w.r.t. MacPorts!!!
> 
> It claimed that zlib’s dylib file
> 
>   /opt/local/lib/libz.1.2.8.dylib
> 
> carried a virus called
> 
>   iPh/WireLurk-G

https://trac.macports.org/ticket/48756

(Trac is currently unreachable for me, but there's the same report.)



Mihai





Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

2015-09-04 Thread Ryan Schmidt

On Sep 4, 2015, at 5:27 PM, Brandon Allbery wrote:

> Others have reported this. Unfortunately, there is no guarantee that some 
> random chunk of code or data won't hash to the same value as a virus; it's 
> statistically unlikely, but over time the probability of a false positive 
> will tend toward unity. And in fact false positives are rare but known to 
> happen, as one would expect.

The whole point of hash algorithms is to provide something very close to that 
guarantee. Some hash algorithms are broken, so they can no longer provide that 
guarantee; md5 is an example of a broken hash algorithm. Tools exist to let you 
craft two different files that hash to the same md5 sum. But newer algorithms 
like sha256 and rmd160 are not yet broken and still provide sufficiently strong 
assurances that if the hash of a file is the expected value, then the contents 
of the file are the expected contents as well. That's why we use sha256 and 
rmd160 checksums to verify the integrity of the files MacPorts ports download.

I assume the Sophos claim of iPh/WireLurk-G in zlib is a false positive and 
refer concerned users to Sophos.

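An added example, not from this thread or from MacPorts itself, of the kind of check Ryan describes and Marko asks for: a file is streamed through sha256 and rmd160 (RIPEMD-160) and each digest is compared against an expected value. The mapping of MacPorts' "rmd160" name onto hashlib's "ripemd160", the sample bytes and their digests, and the file names are assumptions; rmd160 is reported as None when the local OpenSSL build does not provide it.

```python
import hashlib
import hmac
import os
import tempfile

# Assumed mapping from MacPorts checksum names to hashlib algorithm names.
ALGORITHMS = {"sha256": "sha256", "rmd160": "ripemd160"}


def compute_digest(path, name):
    """Stream the file through the named digest and return it as hex,
    or None when this Python/OpenSSL build lacks the algorithm."""
    try:
        h = hashlib.new(ALGORITHMS[name])
    except (KeyError, ValueError):
        return None
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(path, expected):
    """Return {name: True/False} per expected digest (None if unavailable).
    compare_digest keeps the comparison constant-time."""
    results = {}
    for name, want in expected.items():
        got = compute_digest(path, name)
        results[name] = None if got is None else hmac.compare_digest(got, want.lower())
    return results


def demo():
    # Constructed sample: the well-known digests of the bytes b"abc".
    expected = {
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
        "rmd160": "8eb208f7e05d987a9b044a8e98c6b087f15a0bfc",
    }
    with tempfile.TemporaryDirectory() as d:
        intact = os.path.join(d, "libz.sample")      # hypothetical file name
        tampered = os.path.join(d, "libz.tampered")  # one byte changed
        with open(intact, "wb") as f:
            f.write(b"abc")
        with open(tampered, "wb") as f:
            f.write(b"abd")
        return verify_checksums(intact, expected), verify_checksums(tampered, expected)


if __name__ == "__main__":
    ok, bad = demo()
    print("intact file:", ok)
    print("tampered file:", bad)
```

A single changed byte flips every available digest to False, which is the property that makes a checksum mismatch, unlike a signature-name match from an antivirus scanner, a reliable indicator that the file is not the one the port downloaded.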