llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

Potential malware in test EXE #35000

Open llvmbot opened 6 years ago

llvmbot commented 6 years ago
Bugzilla Link 35652
Version unspecified
OS Linux
Attachments screenshot of the VirusTotal result
Reporter LLVM Bugzilla Contributor
CC @rnk,@rui314,@tkrasnukha,@tromey

Extended Description

Anti-virus ClamAV reported the file lldb/unittests/SymbolFile/PDB/Inputs/test-pdb.exe to be suspicious. VirusTotal confirmed the outcome (see attachment). I verified it with the most recent version of the EXE.

To reproduce simply upload the EXE to VirusTotal. Beware that passing the URL of the EXE download yields a different result than uploading.

llvmbot commented 3 years ago

https://www.virustotal.com/gui/file/a4e6aea1de3c6b8f9ce49b428fd4d72aad98120a56c2a52b15ab159b76deb934/detection

test-pdb is still detected as Trojan...

rui314 commented 5 years ago

In general, I don't think we should make a change on our side to tame antivirus programs because there are many antivirus programs out there, and if they find that our programs are "viruses", that's a false positive and that's their fault. I guess that one thing you can do is to report a false positive to the antivirus vendor by sending the file to the vendor, to train their database to fix the problem. Have you tried that?

1dd318e1-b32a-4285-9b63-9b014bea91d3 commented 5 years ago

This was reported against the rust-lldb fork as well: https://github.com/rust-lang-nursery/lldb/issues/23

llvmbot commented 6 years ago

It might be possible to do that now that clang-cl can output PDBs. At the time, this PDB was emitted by MSVC compiler which won't work on non-Windows platforms for obvious reasons, so we checked in the binary. However, even using clang-cl to cross compile this binary will require windows headers and libraries to be present. I'll have to think more about what to do here.

tkrasnukha commented 6 years ago

Recently ran into this problem with Symantec Endpoint Protection. Found that other anti-viruses also did this: http://lists.llvm.org/pipermail/cfe-users/2017-April/001131.html

So, the problem is not specific to that particular anti-virus software.

Is it possible to build this executable as dependency of the test project?

llvmbot commented 6 years ago

We compile some executables with weird flags to keep the binaries small enough that it's not a pain to check them in. For example, this one we compile with /nodefaultlib and /entry:main. It's no surprise that a program which defines a custom entry point would get triggered by a virus scanner. I'm not sure what the best solution is other than to remove the test.
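The traits described above (a custom entry point, no default libraries, hence no CRT imports) are visible in the PE header itself. The following is an added example, not code from the LLVM project or from anyone in this thread: a small PE header inspector that reports the structural signals commodity AV heuristics react to, run on a constructed minimal PE32+ header (not the real test-pdb.exe).

```python
import struct

def build_sample_pe(with_imports: bool, sections: int = 1) -> bytes:
    """Constructed minimal PE32+ image header (MZ stub, PE signature, COFF header,
    optional header with 16 data directories). Shaped like a /nodefaultlib
    /entry:main build when with_imports is False; not the real test binary."""
    opt = bytearray(240)                                  # 112-byte PE32+ header + 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic: PE32+
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, 3)                    # Subsystem: WINDOWS_CUI
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 120, 0x2000, 0x80)   # import directory RVA / size
    coff = struct.pack("<HHIIIHH", 0x8664, sections, 0, 0, 0, len(opt), 0x22)
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)                # e_lfanew -> PE signature
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt)

def pe_signals(data: bytes) -> dict:
    """Parse the headers any PE carries and return the fields a triage analyst
    would cite when explaining a false positive to an AV vendor."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                     # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32/PE32+
    dir_off = opt + (112 if magic == 0x20B else 96)       # first data directory
    ndirs = struct.unpack_from("<I", data, dir_off - 4)[0]
    imp_rva = struct.unpack_from("<I", data, dir_off + 8)[0] if ndirs > 1 else 0
    return {"sections": nsect, "entry_rva": entry, "subsystem": subsystem,
            "has_imports": imp_rva != 0, "pe32plus": magic == 0x20B}

def heuristic_notes(sig: dict) -> list:
    """Traits that generic AV heuristics treat as suspicious; each one is also the
    ordinary result of linking with /nodefaultlib and a custom /entry point."""
    notes = []
    if not sig["has_imports"]:
        notes.append("no import directory (no CRT/kernel32 imports)")
    if sig["sections"] <= 1:
        notes.append("single section")
    return notes

if __name__ == "__main__":
    print(heuristic_notes(pe_signals(build_sample_pe(with_imports=False))))
```

Running `pe_signals` on the actual checked-in file and attaching the resulting field list is the kind of concrete evidence a vendor false-positive report can carry.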

rui314 commented 6 years ago

I don't think there's anything we can do for that specific anti-virus software. Can you report it to the anti-virus vendor so that they don't recognize our executables as malware?

LW-archlinux commented 2 years ago

https://www.virustotal.com/gui/file/a4e6aea1de3c6b8f9ce49b428fd4d72aad98120a56c2a52b15ab159b76deb934?nocache=1

4 security vendors flag this now as potential malware.

Maybe llvm devs could write an explanation why this is a false positive that can be attached to a report to vendors?