Date: Wed, 21 Apr 1999 10:55:20 +0200
From: Hans-Bernhard Broeker
Message-Id: <199904210855.KAA08451@acp3bf.physik.rwth-aachen.de>
To: peter DOT claessens AT student DOT kuleuven DOT ac DOT be
Cc: djgpp AT delorie DOT com
Subject: Re: Download site
Newsgroups: comp.os.msdos.djgpp
Organization: RWTH Aachen, III. physikalisches Institut B
X-Newsreader: TIN [version 1.2 PL2]
Reply-To: djgpp AT delorie DOT com

In article <371D22A6 DOT 67CE927E AT student DOT kuleuven DOT ac DOT be> you wrote:

> I had a similar problem. My scanner (it was TBAV I think) reported that
> several executables downloaded from the djgpp site were infected by an
> 'unknown virus'. I assumed it was a false alarm, I know that some virus
> scanners don't like compilers, but since it kept bugging me about it I
> removed the scanner and installed Winguard, which doesn't complain about
> anything.
> Was my assumption about the alert being a false hit too early?

Could have been. It's hard to tell, or may be impossible, without knowing what made the scanner cry 'unknown virus', which is a rather unusual result from a scanning engine. They normally search for known viruses, so there must have been some heuristic method, and the engine should at least optionally give reasons *why* it thinks there's a virus.

Of course, the first thing to do would be to re-check the scanner itself: virus signatures up-to-date? How old, exactly, are they -- the newer, the higher the odds of a false alarm. At least, you could have waited a while and then checked if a new update of TBAV, or a different scanner, still claims that there is a virus. Telling the TBAV makers about this suspected false positive would also have been a good idea.

An immediate test is also possible: From someone else's computer (which has no virus infection; check! Boot off a write-protected floppy, if possible) repeat the download of some of the suspicious packages, and unpack some of the files that are said to be infected to a floppy. Write-protect that floppy, and take it home. Do not remove the write-protection under any circumstance, until you're sure that the alarm was a false positive.

Now, do two checks:

1) a binary file-compare to see if the files on the floppy are identical to the ones on your harddisk. ('fc /b' does that).

2) a virus-scan of the floppy files with the scanner that reported your hard disk files to be infected.

If test 1) says 'identical', and 2) says the floppy is infected, that leaves open only two choices: false alarm, or the *original* files at the download site are infected. So you should email all your findings to the site administrator (DJ, for the case of DJGPP tools).

For someone with the necessary knowledge, it can even be possible to study the suspicious programs' behaviour in a controlled 'laboratory' environment, to check if the suspected infection does, indeed, spread. But this should really be left to a true 'hacker'.

--
Hans-Bernhard Broeker (broeker AT physik DOT rwth-aachen DOT de)
Even if all the snow were burnt, ashes would remain.
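The two checks described in the message above, as an added example that is not part of the original post: a byte-for-byte compare in the spirit of 'fc /b' over every file on the fresh (floppy) copy, and the decision table that combines it with the scanner's verdict on that fresh copy. File names and contents in demo() are constructed; the two branches beyond the post's own conclusion are an assumption spelled out in the comments.

```python
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read in 64 KiB pieces so large executables are not loaded whole

def files_identical(a, b):
    """Byte-for-byte compare of two files, the same check 'fc /b' performs."""
    a, b = Path(a), Path(b)
    if a.stat().st_size != b.stat().st_size:
        return False
    with a.open("rb") as fa, b.open("rb") as fb:
        while True:
            ca, cb = fa.read(CHUNK), fb.read(CHUNK)
            if ca != cb:
                return False
            if not ca:  # both streams exhausted without a difference
                return True

def compare_trees(harddisk_dir, floppy_dir):
    """Check 1 for every file on the write-protected floppy: {name: identical?}."""
    harddisk_dir, floppy_dir = Path(harddisk_dir), Path(floppy_dir)
    result = {}
    for f in sorted(floppy_dir.rglob("*")):
        if f.is_file():
            rel = f.relative_to(floppy_dir)
            local = harddisk_dir / rel
            result[str(rel)] = local.is_file() and files_identical(local, f)
    return result

def classify(identical, floppy_flagged):
    """Combine check 1 (compare) with check 2 (scan of the floppy copy).
    First branch is the post's conclusion; the other two are the remaining
    cases and are an assumption, not stated in the original message."""
    if identical and floppy_flagged:
        return "false alarm, or the original files on the download site are infected"
    if identical:
        return "fresh copy not flagged: scanner result inconsistent, rescan both copies"
    return "local copy differs from fresh download: suspect local infection or corruption"

def demo():
    """Constructed sample: one file matches, one was altered on the 'harddisk'."""
    with tempfile.TemporaryDirectory() as tmp:
        hd, fd = Path(tmp, "harddisk"), Path(tmp, "floppy")
        for d in (hd, fd):
            d.mkdir()
        (fd / "gcc.exe").write_bytes(b"MZ" + b"\x90" * 100000)
        (hd / "gcc.exe").write_bytes(b"MZ" + b"\x90" * 100000)
        (fd / "ld.exe").write_bytes(b"MZ" + b"\x00" * 5000)
        (hd / "ld.exe").write_bytes(b"MZ" + b"\x00" * 4999 + b"\x01")  # one byte changed
        cmp = compare_trees(hd, fd)
        # scanner is assumed to have flagged both floppy copies (check 2)
        return {name: classify(same, floppy_flagged=True) for name, same in cmp.items()}
```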