
Update 5.40.2001. Avast AV has detected a Trojan in berkeleyDB.xs.dll?

Open StupidMontyPythonGit opened this issue 6 months ago • 6 comments

Avast Antivirus has detected a Trojan in berkeleyDB.xs.dll, flagged as Win64-Evo-gen[Trj]. It has quarantined the file and moved it elsewhere.

I know it could be a false positive, but I'm concerned. I can't find other reports of this, so that slightly eases my concern :-)

First question: Thoughts on this? Anyone else observed issues?

Second question: What is this .dll used for in Strawberry Perl? Can I operate without it installed (currently quarantined)?

StupidMontyPythonGit avatar Jun 01 '25 18:06 StupidMontyPythonGit

This is probably a false positive. See also https://github.com/StrawberryPerl/Perl-Dist-Strawberry/issues?q=state%3Aopen%20label%3A%22antivirus%22

If your code is not using BerkeleyDB then you should be OK to keep going without it.

The list of known reverse deps on CPAN is at https://metacpan.org/dist/BerkeleyDB/requires

And I presume you mean 5.40.2.1, not 5.40.2001? The latter is not a Strawberry Perl release number.

shawnlaffan avatar Jun 01 '25 22:06 shawnlaffan

Thanks. I've reported it to Avast.

As to the version number... huh:

Image

StupidMontyPythonGit avatar Jun 01 '25 23:06 StupidMontyPythonGit

Well, here's another bump in the road. I decided to uninstall and re-install to see if it fixed the version number. My previous install of 5.40.0.1 was directly sourced from strawberryperl.com. I let my upgrader program do the upgrade to 5.40.2.1 (5.40.2001 per Windows) and I was not 100% sure where the download came from. Just to be safe, I downloaded 5.4.2.1 from strawberryperl.com.

Right after the install started, I got this:

Image

Smartening up a little bit, I ran the virus scan on the 5.4.2.1 distribution. That throws the error I originally posted. Not unexpected, but it confirms that I didn't get a hijacked distribution from my updater program. Avast just doesn't like what's in that version.

I have scanned the 5.4.0.1 distribution and that comes up clean. It also installs without any issues. I think I'll stick to this one for now... short of hearing any reason that the 5.40.0.1 had inherent security issues that were patched by the later releases.

EDIT: The 5.40.0.1 version shows up in Windows 11 as "5.40.1". Looks like Microsoft has some formatting issues in the Apps list.

StupidMontyPythonGit avatar Jun 01 '25 23:06 StupidMontyPythonGit

Thanks for the details.

I've checked the code and the 5.40.2001 version number is correct. It is set as part of the MSI build step: https://github.com/StrawberryPerl/Perl-Dist-Strawberry/blob/ae610a751dd2370f1e28f1f049e96c91d6005d44/lib/Perl/Dist/Strawberry/Step/OutputMSI.pm#L72

shawnlaffan avatar Jun 02 '25 00:06 shawnlaffan

That version tweak must be in there as a reaction to the MS formatting problem, as shown by the "5.40.1" issue.

StupidMontyPythonGit avatar Jun 02 '25 18:06 StupidMontyPythonGit

I can confirm that the latest version of Strawberry 5.40.2.1 (MSI version, sha256sum fdb810474472a769d6a1327a36d0f0a4843d5b1eac3a503428d4d86a1836e222) is very difficult to install on an Avast-protected computer. Avast has currently attempted to quarantine three files so far during first-time installation:

C:\WINDOWS\Installer\a0ffe.msi
C:\WINDOWS\Installer\a0fff.msi
C:\WINDOWS\Installer\22754.msi

But these filenames look randomized, so this might not be useful information.

VirusTotal doesn't seem to complain about the .msi file.

meator avatar Jul 05 '25 08:07 meator
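
The thread turns on whether the installer fetched by an updater and the one downloaded from strawberryperl.com are the same file; comparing SHA-256 hashes answers that independently of any antivirus verdict. The PowerShell below is an added example, not part of the original thread or the Strawberry Perl project: the file paths are hypothetical, and the reference hash is the value quoted in the last comment above, not an officially published checksum.

```powershell
# Added example: paths are hypothetical placeholders. The reference hash is the
# value quoted by a commenter in this thread, not an official checksum.
$ReferenceSha256 = 'fdb810474472a769d6a1327a36d0f0a4843d5b1eac3a503428d4d86a1836e222'
$Installers = @(
    'C:\Temp\strawberry-from-updater.msi',   # hypothetical: copy fetched by an upgrader tool
    'C:\Temp\strawberry-from-website.msi'    # hypothetical: copy downloaded from strawberryperl.com
)

function Get-InstallerHashReport {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{64}$')][string]$Reference
    )
    foreach ($p in $Path) {
        $hash = $null
        $note = ''
        try {
            # -ErrorAction Stop turns a missing or blocked file into a catchable error;
            # an on-access scanner may already have quarantined or locked the file.
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction Stop).Hash.ToLowerInvariant()
        } catch {
            $note = "unreadable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Path             = $p
            Sha256           = $hash
            MatchesReference = ($null -ne $hash -and $hash -eq $Reference.ToLowerInvariant())
            Note             = $note
        }
    }
}

$report = @(Get-InstallerHashReport -Path $Installers -Reference $ReferenceSha256)
$report | Format-List

# Equal hashes mean both sources delivered the same bytes.
$readable = @($report | Where-Object { $_.Sha256 })
$unique   = @($readable.Sha256 | Sort-Object -Unique)
if ($readable.Count -lt $report.Count) {
    'At least one file could not be hashed; the comparison is incomplete.'
} elseif ($unique.Count -eq 1) {
    'All copies are byte-identical.'
} else {
    'Copies differ: keep only the copy that matches the trusted source.'
}
```

A match against a hash posted in a comment only shows that your file is the same one that commenter had; a checksum published by the project itself is the stronger reference when one is available.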