My Trend Micro Office Scan reports TROJ_GEN.FA2CZLJ in BOINC file

Questions and Answers : Windows : My Trend Micro Office Scan reports TROJ_GEN.FA2CZLJ in BOINC file

linlali (Joined: 3 May 03, Posts: 2, Credit: 21,248,959, RAC: 0, Sweden)
Message 1057769 - Posted: 19 Dec 2010, 9:56:53 UTC

Hi,
Suddenly my anti virus software reports the file C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe as containing malware (TROJ_GEN.FA2CZLJ).
Anyone else seen this?
/Lars
ID: 1057769
Cyawcat (Joined: 24 Nov 05, Posts: 1, Credit: 7,290,465, RAC: 4, Japan)
Message 1057779 - Posted: 19 Dec 2010, 12:29:11 UTC - in response to Message 1057769.

The same problem has come up on my PC.
Most of the data cannot begin calculating.

ID: 1057779
Jord, Volunteer tester (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3, Netherlands)
Message 1057807 - Posted: 19 Dec 2010, 14:42:12 UTC

Check the executable with http://www.virustotal.com/
If more than half of the virus scanners there say there's a virus in it, there's probably a virus in it. If only your AV scanner and similar ones say there is, it's more probably a false positive.

Software such as the numbers checker from Seti does this to anti-virus scanners, since it's looking in files (tasks) for big number sequences (the signal), and that shows up as suspicious to some AV scanners.

It is always better to completely exclude your BOINC Data directory from being actively scanned by your anti-virus and other anti-malware scanners. Also ONLY scan the BOINC Data directory by hand, while BOINC is NOT running (File->Exit).
ID: 1057807
Patrick M. ORourke, Volunteer tester (Joined: 21 Aug 02, Posts: 28, Credit: 643,752, RAC: 0, United States)
Message 1057810 - Posted: 19 Dec 2010, 14:44:14 UTC - in response to Message 1057779.

Whitelist the file.
Patrick M. O'Rourke
ID: 1057810
Grenadier, Volunteer tester (Joined: 15 May 99, Posts: 63, Credit: 5,445,784, RAC: 0, United States)
Message 1058099 - Posted: 20 Dec 2010, 15:12:58 UTC - in response to Message 1057810.

Trend caught this on me too. Since this is a corporate environment, whitelisting is not an issue. I've been running SETI since before there was a BOINC, and never gotten a false positive with the SETI app before. Something has changed with this version, methinks.
ID: 1058099
skildude (Joined: 4 Oct 00, Posts: 9541, Credit: 50,759,529, RAC: 60, Yemen)
Message 1058105 - Posted: 20 Dec 2010, 16:04:32 UTC - in response to Message 1058099.

It's more likely that something has changed with the AV.

In a rich man's house there is no place to spit but his face.
Diogenes Of Sinope
ID: 1058105
OzzFan, Volunteer tester (Joined: 9 Apr 02, Posts: 15691, Credit: 84,761,841, RAC: 28, United States)
Message 1058138 - Posted: 20 Dec 2010, 17:51:10 UTC - in response to Message 1058099.

> Trend caught this on me too. Since this is a corporate environment, whitelisting is not an issue. I've been running SETI since before there was a BOINC, and never gotten a false positive with the SETI app before. Something has changed with this version, methinks.

I actually got a couple of false positives with the old SETI running Norton AV. It's the AV vendor's problem for not updating their heuristics.
ID: 1058138
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0, United States)
Message 1061757 - Posted: 31 Dec 2010, 2:35:47 UTC - in response to Message 1057769.

Yes, I am seeing the same issue. This does not seem to be a large data file at all. It is a new version of the seti@home .exe that is attempting to be downloaded.

This file has version 6.03 as part of its name. It seems very curious since the other files associated with version 6.03 are dated 8/21/2008. Why would a different version of the .exe be downloaded now?

Boinc reports the download as failing due to a checksum error. I don't know if this is a result of Trend or the file is actually corrupted in some other way.

I'll post any additional info I see.

BTW, my system has been down for several days and I just noticed the issue so it may have been going on for some time.

Larry
ID: 1061757
skildude (Joined: 4 Oct 00, Posts: 9541, Credit: 50,759,529, RAC: 60, Yemen)
Message 1061760 - Posted: 31 Dec 2010, 2:47:51 UTC - in response to Message 1061757.

That sounds like you changed something on seti or your AV deleted the false positive file.
ID: 1061760
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0, United States)
Message 1061776 - Posted: 31 Dec 2010, 3:42:39 UTC - in response to Message 1061760.

Unfortunately the Boinc log file does not survive a reboot so I lost anything prior to the 28th.

For whatever reason, setiathome_6.03_windows_intelx86.exe could not be found so it was downloaded. This download is failing the virus filter repeatedly. Unfortunately any earlier log data that may have shed more light on this is gone.

Before I assume that this is a false positive, I am running this by Trend.
ID: 1061776
Jord, Volunteer tester (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3, Netherlands)
Message 1061841 - Posted: 31 Dec 2010, 8:49:55 UTC - in response to Message 1061776.
Last modified: 31 Dec 2010, 8:50:10 UTC

> Unfortunately the Boinc log file does not survive a reboot so I lost anything prior to the 28th.

BOINC stores all its own logs into stdoutdae.txt with a backup file called stdoutdae.old in the BOINC Data directory. At normal logging, these files are 2 MB big, enough space for several days worth of logging.

BOINC stores problems about itself in stderrdae.txt and stderrdae.old, similar fashion.

So where does the BOINC Data directory live on your system? If you didn't change its place in the installer, default places can be found here. Else exit & restart BOINC and check in the first couple of lines in the Messages.
ID: 1061841
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0, United States)
Message 1061951 - Posted: 31 Dec 2010, 15:25:37 UTC - in response to Message 1061841.

I am still using Boinc 5. The description is for Boinc 6. There is no c:\programdata\boinc folder.

I did not see a longer log file along with the other control files in c:\program files\boinc
ID: 1061951
Gundolf Jahn (Joined: 19 Sep 00, Posts: 3184, Credit: 446,358, RAC: 0, Germany)
Message 1061966 - Posted: 31 Dec 2010, 16:00:17 UTC - in response to Message 1061951.
Last modified: 31 Dec 2010, 16:02:23 UTC

Even with BOINC 5 the name of the log file was stdoutdae.txt, only that there was only one BOINC directory (which you have probably found). Is there a file named client_state.xml with an actual modification date?

Gruß,
Gundolf
ID: 1061966
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0, United States)
Message 1061992 - Posted: 31 Dec 2010, 16:49:20 UTC - in response to Message 1061966.

Thanks,

I found the log file. All was fine prior to shutting down on the 22nd. It then looks like the first attempt to use the file on the 29th failed the AV scan on open.

There was an update to the AV prior to this. It looks very much like the original file, setiathome_6.03_windows_intelx86.exe, was determined to be bad on its first use after the 22nd and removed. All subsequent download attempts were also found bad. This effectively kills any new seti at home work units. Astropulse continues to work just fine.

This would seem to point to AV updates on the 28th and 29th causing a scan failure of the file that had been in use for a long time.

I suppose it still remains to be seen if this is a false positive or just a new revelation since I don't know what the effect of the virus might be if true.
ID: 1061992
Jord, Volunteer tester (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3, Netherlands)
Message 1062005 - Posted: 31 Dec 2010, 17:28:55 UTC - in response to Message 1061992.

See what Richard Haselgrove did, here:

> Hi @all,
>
> i got a Virus (Trojan) in my last workunit. Trend Micro shows me: TROJ_GEN.FA2CZLJ in ..\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
>
> hey guys, what's going up? Please check your systems. I stop further download.
>
> fred

Since neither Fred, nor the other poster on the BOINC message board, has posted any follow-up data, I thought I'd better check this report out.

I pasted the download url "http://boinc2.ssl.berkeley.edu/sah/download_fanout/setiathome_6.03_windows_intelx86.exe" into http://www.virustotal.com/ - so the file was downloaded directly from Berkeley to virustotal, without contamination or modification by my machine.

This is the report:

File name: setiathome_6.03_windows_intelx86.exe
Submission date: 2010-12-23 00:52:44 (UTC)
Result: 3/43 (7.0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.12.23.01 2010.12.22 - 
AntiVir 7.11.0.144 2010.12.22 - 
Antiy-AVL 2.0.3.7 2010.12.22 Worm/Win32.Mabezat.gen 
Avast 4.8.1351.0 2010.12.22 - 
Avast5 5.0.677.0 2010.12.22 - 
AVG 9.0.0.851 2010.12.23 - 
BitDefender 7.2 2010.12.23 - 
CAT-QuickHeal 11.00 2010.12.22 - 
ClamAV 0.96.4.0 2010.12.23 - 
Command 5.2.11.5 2010.12.22 - 
Comodo 7155 2010.12.22 - 
DrWeb 5.0.2.03300 2010.12.23 - 
Emsisoft 5.1.0.1 2010.12.22 - 
eSafe 7.0.17.0 2010.12.22 - 
eTrust-Vet 36.1.8055 2010.12.22 - 
F-Prot 4.6.2.117 2010.12.22 - 
F-Secure 9.0.16160.0 2010.12.23 - 
Fortinet 4.2.254.0 2010.12.21 - 
GData 21 2010.12.23 - 
Ikarus T3.1.1.90.0 2010.12.22 - 
Jiangmin 13.0.900 2010.12.22 - 
K7AntiVirus 9.74.3319 2010.12.22 - 
Kaspersky 7.0.0.125 2010.12.23 - 
McAfee 5.400.0.1158 2010.12.23 - 
McAfee-GW-Edition 2010.1C 2010.12.22 - 
Microsoft 1.6402 2010.12.22 - 
NOD32 5726 2010.12.22 - 
Norman 6.06.12 2010.12.22 - 
nProtect 2010-12-22.01 2010.12.22 - 
Panda 10.0.2.7 2010.12.22 - 
PCTools 7.0.3.5 2010.12.23 - 
Prevx 3.0 2010.12.23 - 
Rising 22.79.01.04 2010.12.22 - 
Sophos 4.60.0 2010.12.23 - 
SUPERAntiSpyware 4.40.0.1006 2010.12.23 - 
Symantec 20101.3.0.103 2010.12.23 - 
TheHacker 6.7.0.1.104 2010.12.21 - 
TrendMicro 9.120.0.1004 2010.12.22 TROJ_GEN.FA2CZLJ 
TrendMicro-HouseCall 9.120.0.1004 2010.12.23 TROJ_GEN.FA2CZLJ 
VBA32 3.12.14.2 2010.12.21 - 
VIPRE 7765 2010.12.23 - 
ViRobot 2010.12.22.4214 2010.12.22 - 
VirusBuster 13.6.108.0 2010.12.22 - 
Additional information
MD5   : d53249aadb1d72cc19db36359e63425a 
SHA1  : 2e784ab66e039c8bfead07705d821b7a6801f371 
SHA256: 3fb12cb159de5235045dbbf3800ffaf7fd6e8d36b10574c2e3807822000d6168 

(PDF version of report available - PM me with email address)

With 40 'clean' reports out of 43, and two of the positives coming from the same company, I would judge this program to be safe to run. But each user must make their own decision.

ID: 1062005
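Richard's report above can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, from VirusTotal or from the SETI@home project: it parses the 43 per-engine lines quoted above (embedded verbatim as sample input), computes the detection ratio, groups hits by vendor family so that TrendMicro and TrendMicro-HouseCall count as one source, applies the majority rule Jord gave earlier in the thread, and compares a local file's MD5/SHA1/SHA256 against the hashes printed in the report so you know the file on your disk is the one that was scanned. The vendor-family grouping and the verdict thresholds are assumptions of this example, and the bytes hashed in the usage block at the bottom are a constructed placeholder, not the real executable.

```python
import hashlib

# The 43 per-engine lines quoted in the report above, embedded as sample input.
# Format: "<engine> <engine version> <signature date> <result>"; "-" means clean.
VT_REPORT = """\
AhnLab-V3 2010.12.23.01 2010.12.22 -
AntiVir 7.11.0.144 2010.12.22 -
Antiy-AVL 2.0.3.7 2010.12.22 Worm/Win32.Mabezat.gen
Avast 4.8.1351.0 2010.12.22 -
Avast5 5.0.677.0 2010.12.22 -
AVG 9.0.0.851 2010.12.23 -
BitDefender 7.2 2010.12.23 -
CAT-QuickHeal 11.00 2010.12.22 -
ClamAV 0.96.4.0 2010.12.23 -
Command 5.2.11.5 2010.12.22 -
Comodo 7155 2010.12.22 -
DrWeb 5.0.2.03300 2010.12.23 -
Emsisoft 5.1.0.1 2010.12.22 -
eSafe 7.0.17.0 2010.12.22 -
eTrust-Vet 36.1.8055 2010.12.22 -
F-Prot 4.6.2.117 2010.12.22 -
F-Secure 9.0.16160.0 2010.12.23 -
Fortinet 4.2.254.0 2010.12.21 -
GData 21 2010.12.23 -
Ikarus T3.1.1.90.0 2010.12.22 -
Jiangmin 13.0.900 2010.12.22 -
K7AntiVirus 9.74.3319 2010.12.22 -
Kaspersky 7.0.0.125 2010.12.23 -
McAfee 5.400.0.1158 2010.12.23 -
McAfee-GW-Edition 2010.1C 2010.12.22 -
Microsoft 1.6402 2010.12.22 -
NOD32 5726 2010.12.22 -
Norman 6.06.12 2010.12.22 -
nProtect 2010-12-22.01 2010.12.22 -
Panda 10.0.2.7 2010.12.22 -
PCTools 7.0.3.5 2010.12.23 -
Prevx 3.0 2010.12.23 -
Rising 22.79.01.04 2010.12.22 -
Sophos 4.60.0 2010.12.23 -
SUPERAntiSpyware 4.40.0.1006 2010.12.23 -
Symantec 20101.3.0.103 2010.12.23 -
TheHacker 6.7.0.1.104 2010.12.21 -
TrendMicro 9.120.0.1004 2010.12.22 TROJ_GEN.FA2CZLJ
TrendMicro-HouseCall 9.120.0.1004 2010.12.23 TROJ_GEN.FA2CZLJ
VBA32 3.12.14.2 2010.12.21 -
VIPRE 7765 2010.12.23 -
ViRobot 2010.12.22.4214 2010.12.22 -
VirusBuster 13.6.108.0 2010.12.22 -
"""

REPORTED_HASHES = {  # as printed at the bottom of the quoted report
    "md5": "d53249aadb1d72cc19db36359e63425a",
    "sha1": "2e784ab66e039c8bfead07705d821b7a6801f371",
    "sha256": "3fb12cb159de5235045dbbf3800ffaf7fd6e8d36b10574c2e3807822000d6168",
}


def parse_report(text):
    """Return (engine, version, sigdate, result) tuples; result '-' means clean."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:  # skip blank or truncated lines
            continue
        rows.append((parts[0], parts[1], parts[2], " ".join(parts[3:])))
    return rows


def vendor_family(engine):
    """Heuristic (assumption): 'TrendMicro' and 'TrendMicro-HouseCall' share one signature base."""
    return engine.split("-")[0].lower()


def detection_summary(rows):
    flagged = [engine for engine, _, _, result in rows if result != "-"]
    return {
        "total": len(rows),
        "flagged": len(flagged),
        "ratio_pct": round(100.0 * len(flagged) / len(rows), 1) if rows else 0.0,
        "engines": flagged,
        "independent_vendors": len({vendor_family(e) for e in flagged}),
    }


def verdict(summary):
    """Jord's rule of thumb: a majority of engines -> probably real; a couple of
    related engines -> probably a false positive; anything else needs a human."""
    if summary["flagged"] > summary["total"] / 2:
        return "probable malware"
    if summary["independent_vendors"] <= 2:
        return "probable false positive"
    return "inconclusive"


def compute_hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def verify_hashes(data, expected):
    """True per algorithm when the local bytes match the hashes VirusTotal actually scanned."""
    actual = compute_hashes(data)
    return {alg: actual[alg] == expected[alg].lower() for alg in expected}


if __name__ == "__main__":
    summary = detection_summary(parse_report(VT_REPORT))
    print(summary, verdict(summary))
    # Constructed placeholder bytes; a real check reads the downloaded file instead.
    print(verify_hashes(b"placeholder, not the real executable", REPORTED_HASHES))
```

The hash comparison matters because VirusTotal scanned the copy it fetched from Berkeley; a file on your own disk is only covered by that verdict if all three hashes match.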
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0, United States)
Message 1062015 - Posted: 31 Dec 2010, 18:17:15 UTC - in response to Message 1062005.
Last modified: 31 Dec 2010, 18:18:12 UTC

Yes, I saw that too. An alternative view might be that it is a newly discovered virus.

I wonder if other AV vendors will pick this up and cause more issues with Seti even if this turns out to be bogus?

Of course some might say that Seti at Home is itself malware. LOL

I am trying to get a response from Trend.

Regards

Larry
ID: 1062015
Jord, Volunteer tester (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3, Netherlands)
Message 1062054 - Posted: 31 Dec 2010, 19:52:07 UTC - in response to Message 1062015.

> Yes, I saw that too. An alternative view might be that it is a newly discovered virus.

Then a lot more AV scanners would be picking it up by now and they aren't.

But even then, it's highly implausible. It would indicate that a virus has infected the Seti servers. But here's the thing: Seti makes and stores the executables for all its platforms on a server that runs some version of Linux. Go think about when the last time was that you heard about:

A) Any specific server of the University of Berkeley being attacked with a virus?
B) A virus that manages to run and infect other files on a nondescript distro of Linux?
ID: 1062054
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0, United States)
Message 1062071 - Posted: 31 Dec 2010, 20:37:52 UTC - in response to Message 1062054.

Well all it takes is one person and a flash drive. Be serious. It could be very vulnerable. That's exactly how the Siemens industrial control HMI software was recently brought down.

However, the bigger issue is that there may be millions of folks running Trend Micro AV who currently cannot run Seti at home. Dell has been shipping it as its default AV for several years. It has also been very popular as a better replacement for the most popular guy out there.

It could well be a false positive. Even if it is, it could no doubt bring Seti at Home down if not corrected.

I would not doubt that a lot of the server time is being spent attempting downloads of the executable.

I believe that the Seti Crew needs to get into this and determine a fix. I'm sure that there are many users out there that have no idea this is going on. It could be a significant percentage.

FWIW
ID: 1062071
skildude (Joined: 4 Oct 00, Posts: 9541, Credit: 50,759,529, RAC: 60, Yemen)
Message 1062105 - Posted: 31 Dec 2010, 21:51:43 UTC - in response to Message 1062071.

As stated before, Trend is the only AV software that is making this hit. It's a simple matter of putting your BOINC folder in the AV's white list.

Also, let's look at this scenario. Say Berkeley got infected, and S@H specifically, and the jerk that infected the system deliberately made the virus the exact same size as the multibeam app. Don't you think we'd have hundreds if not thousands of people querying the forums as to the new download of the app? This doesn't appear to be happening. Nor does it appear that the S@H staff are idiots.

BTW, what software was Siemens running? Bet it was Windows.
ID: 1062105
Jord, Volunteer tester (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3, Netherlands)
Message 1062117 - Posted: 31 Dec 2010, 22:09:34 UTC - in response to Message 1062105.

> Well all it takes is one person and a flash drive. Be serious.
> Say Berkeley got infected and S@H specifically and the jerk that infected the system deliberately made virus the exact same size as the multibeam app.

Not just that, but what not many people know is that the application is digitally signed. Only the Seti admin have the key to sign the app correctly. If all's well, it's stored on a computer that isn't on the network and that isn't easily accessible.

And here's a fun thing... the BOINC architecture doesn't allow anyone to name any application exactly the same as a previous one and put it in distribution. You will have to make a new version when you make one. Or substitute a virus infected app for the one already there. And then digitally sign it with Seti's secret key-pair on the computer that has the keys. Just so you are able to send it to BOINC clients without the latter saying "hey, this one isn't the true app".

That's a very serious hacker going about his business there.
So... no. Not gonna happen.
ID: 1062117
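Jord's point that the client only trusts an application carrying the project's signature can be modelled in a few lines. The block below is an added example, not BOINC's code, key format or signing procedure: it uses textbook RSA over two fixed Mersenne primes purely so that it runs self-contained (this is not a secure signing scheme), the function names and the `installed` bookkeeping are hypothetical, and the application bytes are constructed. It shows why substituting different bytes under the same file name, or signing with anyone else's key, is rejected before the file is ever run.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)). The private half is what stays on the offline signing box.
    Textbook RSA with fixed primes: for illustration only, not a real key-generation routine."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


# Constructed project key pair: 2^127-1 and 2^521-1 are well-known Mersenne primes,
# chosen only so the modulus comfortably exceeds a 256-bit digest.
PROJECT_PUBLIC_KEY, _PROJECT_PRIVATE_KEY = make_keypair((1 << 127) - 1, (1 << 521) - 1)


def _digest_int(app_bytes):
    """The signature covers a SHA-256 digest of the file, not the raw bytes."""
    return int.from_bytes(hashlib.sha256(app_bytes).digest(), "big")


def sign_app(app_bytes, private_key=_PROJECT_PRIVATE_KEY):
    n, d = private_key
    return pow(_digest_int(app_bytes), d, n)


def verify_app(app_bytes, signature, public_key=PROJECT_PUBLIC_KEY):
    """True only if `signature` was produced over exactly these bytes with the matching private key."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(app_bytes)


def client_accepts(app_name, app_bytes, signature, installed, public_key=PROJECT_PUBLIC_KEY):
    """Simplified model of the client's decision (hypothetical, not BOINC's own logic).
    `installed` maps application file names already on disk to their SHA-256 hex digest."""
    if not verify_app(app_bytes, signature, public_key):
        return "rejected: signature does not verify with the project key"
    digest = hashlib.sha256(app_bytes).hexdigest()
    if installed.get(app_name, digest) != digest:
        return "rejected: file name already in use with different contents"
    installed[app_name] = digest
    return "accepted"


if __name__ == "__main__":
    name = "setiathome_6.03_windows_intelx86.exe"
    app = b"constructed stand-in for the application binary"
    installed = {}
    print(client_accepts(name, app, sign_app(app), installed))
    # Same file name, different bytes, signed with a key that is not the project's.
    _, rogue_private = make_keypair((1 << 89) - 1, (1 << 607) - 1)
    print(client_accepts(name, app + b"!", sign_app(app + b"!", rogue_private), installed))
```

Two things fall out of the model: a changed byte anywhere in the file changes the digest, so an old signature no longer verifies, and a signature made with any other key fails against the public key the client ships with, which is why a substituted file would have to be signed on the machine holding the project's private key.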
©2024 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.