Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...
On 9/4/15, 8:51 PM, "macports-users-boun...@lists.macosforge.org on behalf of Ryan Schmidt" wrote:

>
>On Sep 4, 2015, at 5:27 PM, Brandon Allbery wrote:
>
>> Others have reported this. Unfortunately, there is no guarantee that
>>some random chunk of code or data won't hash to the same value as a
>>virus; it's statistically unlikely, but over time the probability of a
>>false positive will tend toward unity. And in fact false positives are
>>rare but known to happen, as one would expect.
>
>The whole point of hash algorithms is to provide something very close to
>that guarantee. Some hash algorithms are broken, so they can no longer
>provide that guarantee; md5 is an example of a broken hash algorithm.
>Tools exist to let you craft two different files that hash to the same
>md5 sum. But newer algorithms like sha256 and rmd160 are not yet broken
>and still provide sufficiently strong assurances that if the hash of a
>file is the expected value, then the contents of the file are the
>expected contents as well. That's why we use sha256 and rmd160 checksums
>to verify the integrity of the files MacPorts ports download.
>
>I assume the Sophos claim of iPh/WireLurk-G in zlib is a false positive
>and refer concerned users to Sophos.

I had this problem and reported it to our IT staff, who reported it to sophos, who confirmed that there was a problem with the virus definitions. They say that it’s been fixed now.

— Steve

___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users
Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...
Saw the same a few minutes ago myself.

On Fri, Sep 4, 2015 at 5:18 PM, Marko Käning wrote:

> Hi folks,
>
> today I got a warning from my "Sophos Antivirus" w.r.t. MacPorts!!!
>
> It claimed that zlib’s dylib file
>
> /opt/local/lib/libz.1.2.8.dylib
>
> carried a virus called
>
> iPh/WireLurk-G
>
> and I wonder now whether this was
> - actually true or
> - a false positive or
> - whether Sophos is trying to trade snake oil to me…
>
>
> It was very weird, that at some stage the dylib file - despite being
> readable -
> ---
> $ ls -l /opt/local/lib/libz.1.2.8.dylib
> -rwxr-xr-x 1 root admin 76404 Nov 15 2013 /opt/local/lib/libz.1.2.8.dylib
> ---
> could _not_ be read by any user.
> Later it was readable again...
> Was I tricked by some OSX internals (triggered by Sophos’
> quarantine workflow)
> or indeed by a virus?
>
>
> Is there a way to verify whether the files installed by port “zlib” are
> actually those
> currently to be found in MacPorts’ own archives? Are there verifiable
> hashes for files
> installed by a port somewhere?
>
> Greets,
> Marko
Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...
On Fri, Sep 4, 2015 at 6:18 PM, Marko Käning wrote:

> - a false positive or
>

Others have reported this. Unfortunately, there is no guarantee that some random chunk of code or data won't hash to the same value as a virus; it's statistically unlikely, but over time the probability of a false positive will tend toward unity. And in fact false positives are rare but known to happen, as one would expect.

--
brandon s allbery kf8nh    sine nomine associates
allber...@gmail.com    ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad    http://sinenomine.net
Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...
Your Hackathon Challenge, should you choose to accept it:

Prepend a jump table to a virus that results in a word processor.

This list post will self-destruct in five seconds.

Michael David Crawford P.E., Consulting Process Architect
mdcrawf...@gmail.com
http://mike.soggywizard.com/

One Must Not Trifle With Wizards For It Makes Us Soggy And Hard To Light.

On Fri, Sep 4, 2015 at 3:29 PM, Marko Käning wrote:

> Hi Mihai,
>
> On 05 Sep 2015, at 00:23 , Mihai Moldovan wrote:
>> https://trac.macports.org/ticket/48756
>
> thanks for the pointer!
>
> I admit that I hadn’t searched trac before posting this…
> I should have! :)
>
> Greets,
> Marko
Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...
Hi Mihai,

On 05 Sep 2015, at 00:23 , Mihai Moldovan wrote:

> https://trac.macports.org/ticket/48756

thanks for the pointer!

I admit that I hadn’t searched trac before posting this…
I should have! :)

Greets,
Marko
Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...
Hi folks,

today I got a warning from my "Sophos Antivirus" w.r.t. MacPorts!!!

It claimed that zlib’s dylib file

/opt/local/lib/libz.1.2.8.dylib

carried a virus called

iPh/WireLurk-G

and I wonder now whether this was
- actually true or
- a false positive or
- whether Sophos is trying to trade snake oil to me…

It was very weird, that at some stage the dylib file - despite being readable -
---
$ ls -l /opt/local/lib/libz.1.2.8.dylib
-rwxr-xr-x 1 root admin 76404 Nov 15 2013 /opt/local/lib/libz.1.2.8.dylib
---
could _not_ be read by any user.
Later it was readable again...
Was I tricked by some OSX internals (triggered by Sophos’ quarantine workflow)
or indeed by a virus?

Is there a way to verify whether the files installed by port “zlib” are actually those
currently to be found in MacPorts’ own archives? Are there verifiable hashes for files
installed by a port somewhere?

Greets,
Marko
Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...
On 05.09.2015 12:18 AM, Marko Käning wrote:

> today I got a warning from my "Sophos Antivirus" w.r.t. MacPorts!!!
>
> It claimed that zlib’s dylib file
>
> /opt/local/lib/libz.1.2.8.dylib
>
> carried a virus called
>
> iPh/WireLurk-G

https://trac.macports.org/ticket/48756

(Trac is currently unreachable for me, but there's the same report.)

Mihai
Re: Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...
On Sep 4, 2015, at 5:27 PM, Brandon Allbery wrote:

> Others have reported this. Unfortunately, there is no guarantee that some
> random chunk of code or data won't hash to the same value as a virus; it's
> statistically unlikely, but over time the probability of a false positive
> will tend toward unity. And in fact false positives are rare but known to
> happen, as one would expect.

The whole point of hash algorithms is to provide something very close to that guarantee. Some hash algorithms are broken, so they can no longer provide that guarantee; md5 is an example of a broken hash algorithm. Tools exist to let you craft two different files that hash to the same md5 sum. But newer algorithms like sha256 and rmd160 are not yet broken and still provide sufficiently strong assurances that if the hash of a file is the expected value, then the contents of the file are the expected contents as well. That's why we use sha256 and rmd160 checksums to verify the integrity of the files MacPorts ports download.

I assume the Sophos claim of iPh/WireLurk-G in zlib is a false positive and refer concerned users to Sophos.
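
Added example (not written by any poster in this thread and not MacPorts code): one way to check whether installed files match a trusted copy, as asked in the original post, by comparing SHA-256 digests of every file in a reference tree against the installed tree. It assumes the reference tree is a separately obtained, unpacked copy of the port's files; the function names and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large libraries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare(reference_root, installed_root):
    """Check every regular file under reference_root against installed_root."""
    result = {}
    for dirpath, _dirs, names in os.walk(reference_root):
        for name in names:
            ref = os.path.join(dirpath, name)
            if os.path.islink(ref):          # symlinks carry no content of their own
                continue
            rel = os.path.relpath(ref, reference_root)
            target = os.path.join(installed_root, rel)
            try:
                if not os.path.isfile(target):
                    result[rel] = "missing"
                else:
                    same = sha256_file(target) == sha256_file(ref)
                    result[rel] = "ok" if same else "MISMATCH"
            except OSError:                  # e.g. read blocked while a scanner holds the file
                result[rel] = "unreadable"
    return result

def demo():
    """Constructed sample trees: one file identical, one altered, one absent."""
    files = {"lib/libz.1.2.8.dylib": b"constructed library bytes",
             "include/zlib.h": b"/* constructed header */",
             "include/zconf.h": b"/* constructed config */"}
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as inst:
        for root in (ref, inst):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        with open(os.path.join(inst, "lib/libz.1.2.8.dylib"), "ab") as f:
            f.write(b"\x00")                 # simulate a modified installed file
        os.remove(os.path.join(inst, "include/zconf.h"))
        return compare(ref, inst)

if __name__ == "__main__":
    print(demo())
```

A "MISMATCH" result only says the installed bytes differ from the reference copy; the comparison is only as trustworthy as the source of the reference tree.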