Virus detected in tectonic-0.8.0-x86_64-pc-windows-msvc.zip by Windows Defender
When I downloaded the last (0.8.0) version today, Windows Defender blocked the zip file by reporting a Trojan:
Detected : Trojan:Win32/Spursint.F!cl
Status : Removed
Affected items:
file : D:\Downloads\tectonic-0.8.0-x86_64-pc-windows-msvc.zip
webfile: D:\Downloads\tectonic-0.8.0-x86_64-pc-windows-msvc.zip|https://objects.githubusercontent.com/github-production-release-asset-2e65be/74936681/00b8929f-a2bf-40cb-9fbd-02ef176de6cb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211104%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211104T113811Z&X-Amz-Expires=300&X-Amz-Signature=85a4521b95acd10bdc28ffa239cb5e6f4166cf5671cccd3436dfce2d62d65810&X-Amz-SignedHeaders=host&actor_id=3142701&key_id=0&repo_id=74936681&response-content-disposition=attachment%3B%20filename%3Dtectonic-0.8.0-x86_64-pc-windows-msvc.zip&response-content-type=application%2Foctet-stream|pid:10044,ProcessStart:132804994946093994
As the tectonic release does not have a CHECKSUMS file, I could not check if the possible infection is already present on the release file or if it was infected on my computer.
Here is the SHA256 and size of the corresponding zip:
Name: tectonic-0.8.0-x86_64-pc-windows-msvc.zip
Size: 16224022 bytes (15 MiB)
SHA256: A5E6E8F7BA30D231076EBB2CF2314AC1F41C48C6EC1AF066EF503EA4538277A9
Recently I also obtained a false detection by Windows Defender when using upx on one of my projects.
So, true or false alarm? Can anyone using Windows confirm or disconfirm this threat?
I've checked with virustotal and the zip file looks clean:
https://www.virustotal.com/gui/file/a5e6e8f7ba30d231076ebb2cf2314ac1f41c48c6ec1af066ef503ea4538277a9/detection
So probably this is a false alert.
Thanks for inquiring. This sort of thing has been reported before, and it turned out to be another false alarm. I have only a very superficial idea of how these tools work — based on which I think it's unlikely that there's a way to prevent false alarms from happening, but maybe someone with more knowledge would have some suggestions?
FWIW, the tectonic executables are created and uploaded in an entirely automated fashion within Azure Pipelines CI/CD machinery, which I think is the most secure approach we can take.
If there's interest in adding a CHECKSUMS-type file to the release artifacts, I think it wouldn't be too hard to accomplish.
@pkgw Can you confirm the SHA256 that I provided?
@kpym Yes, that's what I get. This is from downloading the Zip file from the GitHub releases page, so that's only verifying the last stage of the supply chain.
@pkgw Thanks, I will use it in this case. By the way, I tried to download the zip to another Windows 10 computer and Windows Defender reported again that the file was infected.
@kpym I have to imagine that Defender is searching for a whole bunch of virus signatures in the file and we happen to match one of them by happenstance. If there's a way to get Defender to report the specific signature that matches, we could at least document the known issue.
@pkgw It seems that this is no longer the case: Windows Defender doesn't just look for a signature, it uses AI to decide... so I don't think this can be documented (or prevented in a simple way). One possible solution is to digitally sign the .exe file, but I have no idea how that works.