microsoft / GraphEngine

Microsoft Graph Engine
MIT License

Trojan in trinity.dll #380

Closed Diaaz closed 1 year ago

Diaaz commented 1 year ago

Your prebuilt trinity.dll in the lib folder and our own built trinity.dll both contain a trojan according to Trendmicro. You can try this yourself in an online scanner like https://virusscan.jotti.org or on your local machine using https://www.trendmicro.com/en_nl/forHome/products/housecall.html.

One of our customers raised an issue at Trendmicro and this is their response: "We have analyzed the following file and verified this to be malicious. We will be retaining its current detection as: Trinity.dll (SHA1:89587d26164ecab114233cf5873b1c2f044ba2de) as Trojan.Win64.BAZALOADER.SMYAAJ-A. The detection pattern is already included in the latest Smart Scan pattern in the Conventional Enterprise OPR (18.535.00)."

Do you have any idea how to fix this?

Kind regards, Jeroen

TaviTruman commented 1 year ago

Hi. I am running local security scans now on two of my dev and build machines. I, like you, have had applications deployed to users for a few years now and we have never seen this problem. I perform local builds and do update the lib folder contents. We perform a scan before we ship all of our apps; we have never run into this problem. I'll get back to you shortly.

TaviTruman commented 1 year ago

Okay, I have scanned two machines now and, for these files in particular, the machines are clean. I use the built-in Windows 11 Defender (complete scan) and Malwarebytes (most rigorous) for Teams 4.5.32; I will now run an offline scan as well.

Diaaz commented 1 year ago

Thanks for checking. Only Trendmicro detects it as a trojan, but that is exactly the scanner some of our customers are using. This is the output of jotti.org on trinity.dll (from your lib folder).

TaviTruman commented 1 year ago

I am also testing using TotalAV and it does not report the file to contain a Trojan. I will check with one other party; my guess is that this may be a false positive. I will check with another objective party that tracks Trojan signatures.

Diaaz commented 1 year ago

Thanks! If it is a false positive, do you know how to work around that? TrendMicro says it is a trojan, but can recompiling trinity in some other way work around that? The problem is we cannot deploy to some customers now, because they use trendmicro.

TaviTruman commented 1 year ago

@Diaaz I think you have answered this question already; have you tried to build the trinity.dll yourself? As you know, the trinity.dll is written in C++; I will review the compile process as well as the libraries used in the build process. I will get back to you shortly. What time zone are you in?

Diaaz commented 1 year ago

Yes, we have built it ourselves and that does not solve the problem. Still a 'trojan'. I am in Central European Time.

TaviTruman commented 1 year ago

I will run this past the Microsoft C++ Security runtime group. I don't see the problem on my build machines. I am building with the Spectre Intel fix. I will also see if the Microsoft Research team has any ideas. I have never encountered a problem like this.

TaviTruman commented 1 year ago

@Diaaz I found the code that represents what looks to be a Trojan, and I can almost guarantee you that it is not. I just need to verify what I found with the Microsoft Graph Engine team lead; what you see in the DLL is the SHA-512 encoding of the word, TRINITY. :-)
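A way to check the claim above for yourself (added example, not code from the GraphEngine project): compute the SHA-512 of "TRINITY" in the encodings a Windows binary could plausibly embed it in (raw digest, hex text, UTF-8 and UTF-16LE input; which form the DLL actually uses is an assumption) and report where those bytes occur in a file. The file SHA-1 helper lets you confirm you are looking at the same binary the vendor named. The sample buffer is constructed, not the real trinity.dll.

```python
import hashlib
from typing import Dict, List, Optional

WORD = "TRINITY"


def candidate_patterns(word: str = WORD) -> Dict[str, bytes]:
    """Byte patterns a SHA-512 of `word` could take inside a binary.
    The thread does not say which form is embedded, so every variant is tried."""
    patterns: Dict[str, bytes] = {}
    for enc_label, encoded in (("utf-8", word.encode("utf-8")),
                               ("utf-16le", word.encode("utf-16-le"))):
        digest = hashlib.sha512(encoded).digest()
        patterns[f"sha512({enc_label}) raw"] = digest
        patterns[f"sha512({enc_label}) hex-lower"] = digest.hex().encode("ascii")
        patterns[f"sha512({enc_label}) hex-upper"] = digest.hex().upper().encode("ascii")
    return patterns


def find_patterns(data: bytes, patterns: Optional[Dict[str, bytes]] = None) -> Dict[str, List[int]]:
    """Return {pattern label: [byte offsets]} for every candidate found in `data`."""
    patterns = patterns or candidate_patterns()
    hits: Dict[str, List[int]] = {}
    for label, pat in patterns.items():
        offsets, pos = [], data.find(pat)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(pat, pos + 1)
        if offsets:
            hits[label] = offsets
    return hits


def sha1_hex(data: bytes) -> str:
    """SHA-1 of a file's bytes, to compare against the hash the vendor quoted."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample binary: a fake PE header followed by the lowercase hex
# SHA-512 of "TRINITY" at offset 36 (4-byte header + 32 padding bytes).
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32
          + hashlib.sha512(b"TRINITY").hexdigest().encode("ascii") + b"\x00" * 16)

if __name__ == "__main__":
    print("sample sha1:", sha1_hex(SAMPLE))
    for label, offsets in find_patterns(SAMPLE).items():
        print(f"{label} found at offsets {offsets}")
```

Run it against the real file with `find_patterns(open("trinity.dll", "rb").read())`; a hit at the offset the scanner flags supports the explanation that the detection is matching on the hash bytes rather than on executable code.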

Diaaz commented 1 year ago

Do you know why the previous version is found 'clean'? Is this sha-512 encoding added in the last version?

KayodeBakker commented 1 year ago

Following this topic for interests.

shaobin commented 1 year ago

@Diaaz There is absolutely no Trojan in the prebuilt binary. Since all the source code can be found in this public repository, everyone can inspect it. It is possible that a certain binary sequence triggered the false alarm. I have recently updated the dependencies and rebuilt the binary files in the "lib" folder using the latest source code in the repo. I believe this issue has been resolved with the updated files. Here are the scanning results using the URL mentioned in your post:

shaobin commented 1 year ago

I believe the issue has been resolved, so I will be closing this issue. Feel free to reopen it if you have any further questions.

Diaaz commented 1 year ago

@shaobin Thanks! Problem solved.