Trojan:Win32/Triggre!plock


Trojan:Win32/Triggre!plock

StoltHD
Why do I get a warning about this trojan in the file: C:\Program Files (x86)\GrampsAIO32-5.0.0-beta1\grampsd.exe

Given by Windows Defender...

Can anyone confirm it's a false positive or if it's an actual threat?

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Gramps-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gramps-devel

Re: Trojan:Win32/Triggre!plock

Simon C. Tremblay
Don't have it installed myself. Can you upload the exe file to virustotal.com for a second (or 60+) opinion?

Simon

On 18 March 2018 at 13:36, StoltHD <[hidden email]> wrote:

Re: Trojan:Win32/Triggre!plock

StoltHD
It's already deleted; Defender handled it before I could do anything with it.

I have scanned my beta1-3 64-bit installation folder and grampsd.exe, without any warnings... that's why I was wondering if anybody else had seen this, or if anybody knew for a fact that it's an MS Defender false positive. I know Defender can generate false positives often, but it's strange that it didn't take the 64-bit, that was installed a few days later...

It tells me that either Microsoft has updated the definition file with the code, or the package of the beta1 32-bit was infected... (if it was not a false positive).

I think I have the installation file on my computer still; I can try to scan that, but no way do I install it again.

jaran

2018-03-18 18:44 GMT+01:00 Simon C. Tremblay <[hidden email]>:

Re: Trojan:Win32/Triggre!plock

Simon C. Tremblay
I've just scanned my installation of GrampsAIO32-4.2.8 with McAfee and it did not find anything.  

I don't see a grampsd.exe file in there, so might be a new file in 5.x.

Simon



On 18 March 2018 at 14:19, StoltHD <[hidden email]> wrote:

Re: Trojan:Win32/Triggre!plock

Simon C. Tremblay
I could not find my GrampsAIO32-4.2.8-1 installer that I downloaded on February 18th, so I went and downloaded again today.  Before installing, I used 7Zip to peek inside and lo and behold, there is a grampsd.exe file in there.  It, gramps.exe, grampsw.exe and a dll file are all date stamped February 26, a different date than the rest of the files. I extracted just the files and submitted them to VirusTotal and all 3 gramps files got 4 detections: Cylance, Jiangmin, Panda and TrendMicro Housecall.

The package I downloaded is GrampsAIO32-4.2.8-3_win32.exe.

Can any of the devs confirm that this is the latest build and that it was uploaded on February 26? Also, can you check in the logs who uploaded it? If it was uploaded by a legitimate dev from the project, maybe his build environment was compromised.

Thanks for looking into this.

Simon
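The triage Simon describes (extract the installer, look for files whose date stamp differs from the rest, hash them and check them on VirusTotal) can be scripted. The Python below is an added example, not code from the Gramps project or from anyone in this thread: it reads each file's PE build timestamp and SHA-256 and flags files whose build date differs from the majority. The file names, dates and bytes are constructed here as a stand-in for an extracted installer, and a SHA-256 can be looked up on VirusTotal without uploading the file.

```python
import hashlib
import struct
from collections import Counter
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"


def pe_timestamp(data):
    """Return the COFF TimeDateStamp (link/build time) of a PE image, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def build_date(stamp):
    return datetime.fromtimestamp(stamp, timezone.utc).date()


def triage(files):
    """Hash every file (a SHA-256 can be looked up on VirusTotal without uploading anything)
    and flag PE files whose build date differs from the most common build date in the set."""
    report = {name: {"sha256": hashlib.sha256(data).hexdigest(), "stamp": pe_timestamp(data)}
              for name, data in files.items()}
    dates = Counter(build_date(r["stamp"]) for r in report.values() if r["stamp"] is not None)
    common = dates.most_common(1)[0][0] if dates else None
    for r in report.values():
        r["outlier"] = r["stamp"] is not None and build_date(r["stamp"]) != common
    return report


def make_pe(stamp, tag):
    """Constructed minimal MZ/PE stub: DOS header, signature, COFF header, then `tag` as filler.
    Test data only; it is not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0)  # IMAGE_FILE_MACHINE_I386, stamp
    return bytes(dos) + PE_SIGNATURE + coff + tag


# Constructed stand-in for an extracted installer: most files share one build date,
# the three launchers carry a later one (the Feb 18 vs Feb 26 split described in the thread).
FEB18 = int(datetime(2018, 2, 18, 12, tzinfo=timezone.utc).timestamp())
FEB26 = int(datetime(2018, 2, 26, 12, tzinfo=timezone.utc).timestamp())
SAMPLE_FILES = {name: make_pe(stamp, name.encode()) for name, stamp in [
    ("python3.dll", FEB18), ("libglib.dll", FEB18), ("libgvc.dll", FEB18), ("dot.exe", FEB18),
    ("gramps.exe", FEB26), ("grampsw.exe", FEB26), ("grampsd.exe", FEB26),
]}
SAMPLE_FILES["README.txt"] = b"plain text, not a PE file"

if __name__ == "__main__":
    for name, r in triage(SAMPLE_FILES).items():
        when = build_date(r["stamp"]) if r["stamp"] is not None else "n/a"
        flag = "  <-- differs from the rest; check this hash on VirusTotal" if r["outlier"] else ""
        print(f"{name:12} {when}  {r['sha256'][:16]}...{flag}")
```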


On 18 March 2018 at 14:39, Simon C. Tremblay <[hidden email]> wrote:

Re: Trojan:Win32/Triggre!plock

Simon C. Tremblay
Thanks Sam

What I find strange is that in my package downloaded on the 18th, there is no grampsd.exe and that in the package available on the site, only those 3 exe files were modified on the 26, and all three are scoring on virustotal.

When I submitted the hash, they each had a single detection from a scan a few days ago.  I asked for a rescan, and 3 more AV products are now seeing them as malicious.

I'm no dev. I'm a security professional, so I'm paid to be paranoid, but I even do it for free.

Simon

On 20 March 2018 at 00:01, Sam Manzi <[hidden email]> wrote:
Hi,

Those three programs are launchers used for Gramps. The creators of the Windows community installers can comment as to the way they are created.

All checks in a virtual machine using Windows Defender check as ok. Tested ok as well with Malwarebytes.

My guess is that this is yet another false positive; the last one was with F-Secure.

Kind Regards
Sam


10455: F-secure - Possible virus threat? GrampsAIO-5.0.0-beta1-1_win32.exe & 4.2.8 for Windows 64-bit [Confirmed false positive]
https://gramps-project.org/bugs/view.php?id=10455

On 20 March 2018 at 13:09, Simon C. Tremblay <[hidden email]> wrote:

Re: Trojan:Win32/Triggre!plock

prculley
Folks;
I created the 32-bit AIO.

The updated 32-bit AIO (there have been two updates) fixed a couple of items; the original Gramps was not being run in Python's Optimized mode, so both gramps.exe and grampsw.exe were effectively being run in 'debug' mode.  I had to patch up the installer to fix this (doing it much the same as what Josip did for his 64-bit version).  This allowed me to create the third grampsd.exe, which is now the only one run in 'debug' mode in the latest installer.

Another fix was to stop compressing one of the libraries used by graphviz for its dot.exe program; that compression step was preventing the dot.exe program from working.

I'm trying to find out why the virus engines are calling our programs malware. The best info I have at the moment is from the following report, https://www.hybrid-analysis.com/sample/21e1229c463be364bd05f1dea50c07e2e9187e21f7b244e57ddeb5b8df6da981?environmentId=100, which seems to indicate that we are failing a heuristic analysis.

Of course I sincerely believe that my system and the source materials used to create Gramps are clean; I've passed several different scans with no issues. But you never know.

If anyone can shed additional light on what I can do to prevent it from being detected as malware, I would love to hear from you.

Paul C.

On Tue, Mar 20, 2018 at 9:19 AM, Simon C. Tremblay <[hidden email]> wrote: