Closed GoogleCodeExporter closed 9 years ago
The issue seems to be a false positive, pointing to zpaq, which, being a less known
executable, was sometimes mistakenly reported as suspicious in the past
(every time the issue was recognized as a false positive).
Alternatively, as "is-RKPK0.tmp" is not featured in the installer, neither
packed nor as a temporary file to be created during installation or when using
PeaZip, I can think of an external, possibly malicious software with no
relation to PeaZip using this path to cover its tracks.
I'll try to contact the Security Essentials team to report the incident.
Original comment by giorgio.tani.software@gmail.com
on 17 Aug 2013 at 11:05
OK, thanks for the quick response.
One other observation/question on the same matter: can you confirm that your
website is hosted on SourceForge? Whilst I select www.peazip.org as the domain
in my browser, once there, it is refreshed with a SourceForge address?
Thanks.
Original comment by sid1997...@googlemail.com
on 18 Aug 2013 at 9:49
Yes, as stated on the Project Home tab, PeaZip migrated to SourceForge due to Google
Code ceasing to provide download service in Jan 2014:
http://google-opensource.blogspot.co.uk/2013/05/a-change-to-google-code-download-service.html
SourceForge is now the main hosting resource for website and downloads due to its
high performance and reliability; however, the peazip.org domain is still alive,
even if for most things it points to SF, for various reasons, mainly:
1) some countries are not allowed to access SourceForge
2) links in PeaZip's help menu: it is not reasonable to assume every user will
update just because domains change, so I need to keep a fixed domain that may
be redirected to any more convenient path if things change in future.
Original comment by giorgio.tani.software@gmail.com
on 18 Aug 2013 at 11:42
Thanks again for the reply and patience. I have found more information in
respect of the installation package:
I have tried reinstalling and the filename differs.
I resorted to PeaZip 4 and managed to get hold of a copy of the tmp file created;
see below between the ********.
(Note I did not try and capture the file under PZ 5, but can have a go if that
helps.) The information below may shed light on what is happening.
Note also that under the PZ4 installation there was no virus warning.
The file is created when extracting files from the ZPAQ folder in the install
package.
Is this part of the install process?
*********
(zpaq 0.08 file tuned for high compression (slow)
on the Calgary corpus. Uses 278 MB memory)
comp 5 9 0 3 22 (hh hm ph pm n)
0 const 160
1 icm 5 (orders 0-6)
2 isse 13 1 (sizebits j)
3 isse 16 2
4 isse 18 3
5 isse 19 4
6 isse 20 5
7 isse 20 6
8 match 22 24
9 icm 17 (order 0 word)
10 isse 19 9 (order 1 word)
11 icm 10 (sparse with gaps 1-3)
12 icm 10
13 icm 10
14 icm 14 (pic)
15 mix 16 0 15 24 255 (mix orders 1 and 0)
16 mix 8 0 16 10 255 (including last mixer)
17 mix2 0 15 16 24 0
18 sse 8 17 32 255 (order 0)
19 mix2 8 17 18 16 255
20 sse 16 19 32 255 (order 1)
21 mix2 0 19 20 16 0
hcomp
c++ *c=a b=c a=0 (save in rotating buffer)
d= 2 hash *d=a b-- (orders 1,2,3,4,5,7)
d++ hash *d=a b--
d++ hash *d=a b--
d++ hash *d=a b--
d++ hash *d=a b--
d++ hash b-- hash *d=a b--
d++ hash *d=a b-- (match, order 8)
d++ a=*c a&~ 32 (lowercase words)
a< 65 jt 14 a> 90 jt 10
d++ hashd d-- (added: update order 1 word hash)
*d<>a a+=*d a*= 20 *d=a jmp 9
a=*d a== 0 jt 3 (order 1 word)
d++ *d=a d--
*d=0 d++
d++ b=c b-- a=0 hash *d=a (sparse 2)
d++ b-- a=0 hash *d=a (sparse 3)
d++ b-- a=0 hash *d=a (sparse 4)
d++ a=b a-= 212 b=a a=0 hash
*d=a b<>a a-= 216 b<>a a=*b a&= 60 hashd (pic)
d++ a=*c a<<= 9 *d=a (mix)
d++
d++
d++ d++
d++ *d=a (sse)
halt
post
0 (may be 0 for PASS or x for EXE/DLL (E8E9) or p for LZP)
(if x, set ph=0, pm=3. LZP not recommmeded for max compression)
end
*************
I appreciate that you are not an anti-virus expert, but this is from within the
PeaZip install process.
Many thanks.
Original comment by sid1997...@googlemail.com
on 18 Aug 2013 at 6:13
After re-testing 32 and 64 bit installers of different 5 and 4.x versions I can
confirm to you that no .tmp files are featured in the installer: you may
see/detect .tmp files while they are being extracted from the installer and
written to the disk, but those are simply InnoSetup installer temporary work
files and should not appear after the installation process has completed
successfully.
The file sample is from max.cfg, a zpaq configuration file used in an older
release of PeaZip; the file should be named max.cfg once it is extracted by the
installer, and you should see it named max.cfg if installation completed
successfully.
The file is not featured in the PeaZip 5 package, due to the newer version of zpaq;
anyway, of course you will find temporary work files during extraction of each
file from the installer.
A guess I can make from the first post: probably the virus scanner analyzed an
incomplete file while it was being written to disk and raised a warning as it
was mistaken for a viral file; that would probably not happen when scanning the
complete file.
Anyway, it should not happen, and in fact it is the first report of this type I
have received, a warning for a temporary file in the exact moment it is extracted from
the installer.
Original comment by giorgio.tani.software@gmail.com
on 19 Aug 2013 at 7:54
Original issue reported on code.google.com by
sid1997...@googlemail.com
on 17 Aug 2013 at 6:34