My Trend Micro Office Scan reports TROJ_GEN.FA2CZLJ in BOINC file
Author | Message |
---|---|
linlali (Joined: 3 May 03, Posts: 2, Credit: 21,248,959, RAC: 0) | Hi, suddenly my antivirus software reports the file C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe as containing malware (TROJ_GEN.FA2CZLJ). Anyone else seen this? /Lars |
Cyawcat (Joined: 24 Nov 05, Posts: 1, Credit: 7,290,465, RAC: 4) | The same problem has come up on my PC. The greater part of the data cannot begin calculating. |
Jord (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3) | Check the executable with http://www.virustotal.com/ If more than half of the virus scanners there say there's a virus in it, there's probably a virus in it. If only yours and similar AV scanners say there is, it's more probably a false positive. Software such as the numbers checker from Seti does this to antivirus scanners: since it's looking in files (tasks) for big number sequences (the signal), that shows as suspicious to some AV scanners. It is always better to completely exclude your BOINC Data directory from being actively scanned by your antivirus and other anti-malware scanners. Also ONLY scan the BOINC Data directory by hand, while BOINC is NOT running (File->Exit). |
Patrick M. ORourke (Joined: 21 Aug 02, Posts: 28, Credit: 643,752, RAC: 0) | Whitelist the file. Patrick M. O'Rourke |
Grenadier (Joined: 15 May 99, Posts: 63, Credit: 5,445,784, RAC: 0) | Trend caught this on me too. Since this is a corporate environment, whitelisting is not an issue. I've been running SETI since before there was a BOINC, and never gotten a false positive with the SETI app before. Something has changed with this version, methinks. |
skildude (Joined: 4 Oct 00, Posts: 9541, Credit: 50,759,529, RAC: 60) | It's more likely that something has changed with the AV. In a rich man's house there is no place to spit but his face. Diogenes Of Sinope |
OzzFan (Joined: 9 Apr 02, Posts: 15691, Credit: 84,761,841, RAC: 28) | *Trend caught this on me too. Since this is a corporate environment, whitelisting is not an issue. I've been running SETI since before there was a BOINC, and never gotten a false positive with the SETI app before. Something has changed with this version, methinks.* I actually got a couple of false positives with the old SETI running Norton AV. It's the AV vendor's problem for not updating their heuristics. |
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0) | Yes, I am seeing the same issue. This does not seem to be a large data file at all. It is a new version of the seti@home .exe that is attempting to be downloaded. This file has version 6.03 as part of its name. It seems very curious since the other files associated with version 6.03 are dated 8/21/2008. Why would a different version of the .exe be downloaded now? BOINC reports the download as failing due to a checksum error. I don't know if this is a result of Trend or the file is actually corrupted in some other way. I'll post any additional info I see. BTW, my system has been down for several days and I just noticed the issue, so it may have been going on for some time. Larry |
skildude (Joined: 4 Oct 00, Posts: 9541, Credit: 50,759,529, RAC: 60) | That sounds like you changed something on seti or your AV deleted the false positive file. In a rich man's house there is no place to spit but his face. Diogenes Of Sinope |
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0) | Unfortunately the BOINC log file does not survive a reboot, so I lost anything prior to the 28th. For whatever reason, setiathome_6.03_windows_intelx86.exe could not be found, so it was downloaded. This download is failing the virus filter repeatedly. Unfortunately any earlier log data that may have shed more light on this is gone. Before I assume that this is a false positive, I am running this by Trend. |
Jord (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3) | *Unfortunately the Boinc log file does not survive a reboot so I lost anything prior to the 28th.* BOINC stores all its own logs in stdoutdae.txt, with a backup file called stdoutdae.old, in the BOINC Data directory. At normal logging, these files are 2 MB big, enough space for several days' worth of logging. BOINC stores problems about itself in stderrdae.txt and stderrdae.old, in similar fashion. So where does the BOINC Data directory live on your system? If you didn't change its place in the installer, default places can be found here. Else exit & restart BOINC and check the first couple of lines in the Messages. |
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0) | I am still using BOINC 5. The description is for BOINC 6. There is no c:\programdata\boinc folder. I did not see a longer log file along with the other control files in c:\program files\boinc |
Gundolf Jahn (Joined: 19 Sep 00, Posts: 3184, Credit: 446,358, RAC: 0) | Even with BOINC 5 the name of the log file was stdoutdae.txt, only that there was only one BOINC directory (which you have probably found). Is there a file named client_state.xml with an actual modification date? Regards, Gundolf |
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0) | Thanks, I found the log file. All was fine prior to shutting down on the 22nd. It then looks like the first attempt to use the file on the 29th failed the AV scan on open. There was an update to the AV prior to this. It looks very much like the original file, setiathome_6.03_windows_intelx86.exe, was determined to be bad on its first use after the 22nd and removed. All subsequent download attempts were also found bad. This effectively kills any new seti at home work units. Astropulse continues to work just fine. This would seem to point to AV updates on the 28th and 29th causing a scan failure of the file that had been in use for a long time. I suppose it still remains to be seen if this is a false positive or just a new revelation, since I don't know what the effect of the virus might be if true. |
Jord (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3) | See what Richard Haselgrove did, here: Hi @all, |
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0) | Yes, I saw that too. An alternative view might be that it is a newly discovered virus. I wonder if other AV vendors will pick this up and cause more issues with Seti even if this turns out to be bogus? Of course some might say that Seti at Home is itself malware. LOL I am trying to get a response from Trend. Regards Larry |
Jord (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3) | *Yes, I saw that too. An alternative view might be that it is a newly discovered virus.* Then a lot more AV scanners would be picking it up by now, and they aren't. But even then, it's highly implausible. It would indicate that a virus has infected the Seti servers. But here's the thing: Seti makes and stores the executables for all its platforms on a server that runs some version of Linux. Go think when was the last time you heard about: A) Any specific server of the University of Berkeley being attacked with a virus? B) A virus that manages to run and infect other files on a nondescript distro of Linux? |
Larry (Joined: 8 Jul 08, Posts: 11, Credit: 692,410, RAC: 0) | Well, all it takes is one person and a flash drive. Be serious. It could be very vulnerable. That's exactly how the Siemens industrial control HMI software was recently brought down. However, the bigger issue is that there may be millions of folks running Trend Micro AV who currently cannot run Seti at home. Dell has been shipping it as its default AV for several years. It has also been very popular as a better replacement for the most popular guy out there. It could well be a false positive. Even if it is, it could no doubt bring Seti at Home down if not corrected. I would not doubt that a lot of the server time is being spent attempting downloads of the executable. I believe that the Seti Crew needs to get into this and determine a fix. I'm sure that there are many users out there that have no idea this is going on. It could be a significant percentage. FWIW |
skildude (Joined: 4 Oct 00, Posts: 9541, Credit: 50,759,529, RAC: 60) | As stated before, Trend is the only AV software that is making this hit. It's a simple matter of putting your BOINC folder in the AV's white list. Also, let's look at this scenario. Say Berkeley got infected, and S@H specifically, and the jerk that infected the system deliberately made the virus the exact same size as the multibeam app. Don't you think we'd have hundreds if not thousands of people querying the forums as to the new download of the app? This doesn't appear to be happening. Nor does it appear that the S@H staff are idiots. BTW, what software was Siemens running? Bet it was Windows. In a rich man's house there is no place to spit but his face. Diogenes Of Sinope |
Jord (Joined: 9 Jun 99, Posts: 15184, Credit: 4,362,181, RAC: 3) | *Well all it takes is one person and a flash drive. Be serious.* Not just that, but what not many people know is that the application is digitally signed. Only the Seti admins have the key to sign the app correctly. If all's well, it's stored on a computer that isn't on the network and that isn't easily accessible. And here's a fun thing... the BOINC architecture doesn't allow anyone to name any application exactly the same as a previous one and put it in distribution. You will have to make a new version when you make one. Or substitute a virus infected app for the one already there. And then digitally sign it with Seti's secret key-pair on the computer that has the keys. Just so you are able to send it to BOINC clients without the latter saying "hey, this one isn't the true app". That's a very serious hacker going about his business there. So... no. Not gonna happen. |
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.