[Opensim-users] Trojan alert

Ethan Gardener eekee57 at fastmail.fm
Sun Feb 24 10:16:33 UTC 2019
On Sun, Feb 24, 2019, at 1:56 AM, tringate at gmail.com wrote:
> I run regions on OSgrid and today I discovered an asset was loaded into 
> my asset cache which failed Microsoft virus scan.  It was put in 
> quarantine; the file was on my Linux server which runs my regions.
> 
> Others may wish to purge this asset as well.  Maybe OSgrid should be 
> removing this asset if it indeed has this Trojan contained in it.
> 
> Trojan:Script/Foretype.A!ml
> Quarantined
> 2/23/2019 5:44 AM
> Trojan
> This program is dangerous and executes commands from an attacker.
> Affected items:
> file: \\BANDIT1\var\assetcache-master\8d1\8d184c53-6321-4347-955d-de53e88643a0

The other day, I tried to install (on Windows 7) an ordinary, relatively well-known Forth interpreter, Win32Forth.  Windows Defender was all "THIS IS MONSTER TROJAN! I CRUSH MONSTER NOW!"  Not in those exact words, of course ;) but that was the impression I got.  Either some real trojan has incorporated Win32Forth's kernel, or a common Forth interpreting technique has become widely used in malware.

False positives such as these have been known since the first virus scanners.  No malware scanner can truly know what the code will do; it can only match patterns: code fragments.  Microsoft especially have a corporate culture of presenting their guesses and mistakes as certainty and fact, perhaps as much as Linden Labs, but it's not necessarily true.  (There's a horrible/hilarious story about a Microsoft rep arguing publicly and very determinedly at a conference that Microsoft's version of the ksh program was standards compliant.  Eventually, someone pointed out that the guy he was arguing with was the author of the original ksh!  The company may have got a bit better, I'm not sure, but the very nature of malware scanning tends to false certainties.)

There's also a matter of "how much is the data worth?"  I chose not to bother fighting the virus scanner over Win32Forth because I don't need it, I have 4 more powerful Forths already installed.  In the case of this asset, it could be someone's hard work on a texture or mesh which just happens to match some fragment of trojan code when encoded for asset storage.  If that seems unlikely, consider how many assets there are.  Or, it could be a genuine trojan copybotted from Second Life. :)

Anyway, you could answer Asaff's question (more or less) by running the file command in Linux.  It looks at file contents to determine what type it is.  It can be fooled too, but that's rather rare these days.  
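The content-based identification the message above attributes to the file command, as an added illustration that is not part of the original thread: a small magic-number table is matched against the leading bytes of a blob, the same way an asset-cache entry named only by its UUID would have to be judged. The type table and the constructed sample blobs are assumptions, not real cache contents, and the last sample shows the caveat that content sniffing can be fooled by a pasted-on signature.

```python
"""Identify a blob by its content, like `file` does, rather than by name.

Added example, not from the mailing list or the OpenSim project.  The
magic values are the standard ones; which types an OpenSim asset cache
actually holds is an assumption, so treat the labels as illustrative.
"""
import re

# (label, magic bytes expected at offset 0); checked in order.
MAGIC = [
    ("JPEG 2000 image (texture)", b"\x00\x00\x00\x0cjP  \r\n\x87\n"),
    ("JPEG 2000 codestream", b"\xff\x4f\xff\x51"),
    ("PNG image", b"\x89PNG\r\n\x1a\n"),
    ("gzip compressed", b"\x1f\x8b"),
    ("Zip archive", b"PK\x03\x04"),
]

# Printable ASCII plus tab, LF and CR count as "text".
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def is_text(sample: bytes) -> bool:
    """True when every byte of the sample is printable ASCII or whitespace."""
    return bool(sample) and all(b in TEXT_BYTES for b in sample)


def identify(data: bytes) -> str:
    """Return a type label for a blob by inspecting its leading bytes only."""
    for label, magic in MAGIC:
        if data.startswith(magic):
            return label
    head = data[:512]
    if re.match(rb"\s*<\?xml", head):
        return "XML document"
    if is_text(head):
        return "ASCII text"
    return "data"  # same fallback label `file` uses for unknown binaries


# Constructed sample blobs standing in for asset-cache entries.
SAMPLES = {
    "texture": b"\x00\x00\x00\x0cjP  \r\n\x87\n" + b"\x00" * 32,
    "asset_xml": b'<?xml version="1.0"?><AssetBase><Name>cube</Name></AssetBase>',
    "script": b'default { state_entry() { llSay(0, "Hi"); } }',
    "random": bytes(range(256)),
    # Text with a JP2 signature glued on the front: magic matching alone
    # reports an image, which is the "it can be fooled" caveat in practice.
    "disguised": b"\x00\x00\x00\x0cjP  \r\n\x87\n" + b"default { }",
}


def classify_samples() -> dict:
    """Label every constructed sample; returns {name: label}."""
    return {name: identify(blob) for name, blob in SAMPLES.items()}
```

The "disguised" sample is why a type label from content sniffing is a hint for deciding whether a flagged asset is worth fighting the scanner over, not proof of what the bytes do.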
