Topic: Av reports viruses in sst file (Read 4765 times)

I don't recommend this. Simply set the blockchain as an exception, and let it scan other stuff.
Word macro viruses are common nowadays, and they can also be embedded into a picture.

5) Create office software that allows programs to be embedded in ordinary documents to be automatically executed when opening said documents.
6) No more safe assumptions about what types of files may contain executables.
7) Slower PC.
8​) Microsoft profits.

1) Set virus scanner to scan only executables/scriptables
2) No more false positives
3) Faster PC
4) Profit

Just noticed something similar after doing a full scan with avast.  I used a couple other scanners as well but avast was the only one that picked these up.   And reading the earlier reply it seems like if I re-download the blockchain these will still appear because they aren't actually on my pc and can't affect me?  (at least that's how I understand it?)  Any ideas?

a  good idea ! sound  like  a  generation of  revolution

What AV is this

Got this in MSE:

For whatever its worth, I had Microsoft Security Essentials report a similar thing on my recently installed 0.9.1 on Windows x64.

Detected Item
Virus:BAT/Dakuma.1935

Alert level
Severe

Category: Virus

Description: This program is dangerous and replicates by infecting other files.

Recommended action: Remove this software immediately.

Items:
file:C:\Users\*\AppData\Roaming\Bitcoin\chainstate\313280.sst

Get more information about this item online.

https://people.xiph.org/~greg/m.sst  is a 16 byte sequence that appears to trigger anywhere in the file for clamav, so long as the file is under 32 MBytes in size.

Yeah, just tried it - neither works in the middle, end nor beginning of a file if there is any other data beyond just the EICAR test string.

IIRC the test string doesn't trigger in the middle of another file, so that won't do anything.

http://en.wikipedia.org/wiki/EICAR_test_file is ~70 bytes but might be worth a try if you want to mess with virus scanners... (calling them "anti virus" programs is a bit too flattering imho).

mastahofdesastah, thanx for the hint, now it's OK. Although it's a scary thing to do ) The folder's quite sensitive isn't it?

i added the hole chainstate folder to exceptions. Since then the AV are happy.

Some of the "Viruses" seems over 20 years old

Same thing with another AV, it shows one sst file has 'Dutch (Sequence)' malware. Even after adding to exceptions, bitcoin-qt stops with fatal error

Reinstallation of the bt client doesn't help. WTF, any ideas? Should have probably made the copy of the Blockchain... (

That isn't true. It's being triggered by little 16 byte sequences (for example), no virus itself is 16 bytes long. You may also note that it doesn't actually report _anything_ against the actual blockchain, only the leveldb SST files.

It's not a really hard dilemma at all: Obfuscating the block files was a suggestion made back in 2010 or 2011, it's a relatively trivial change but I'm not eager to do it if its not absolutely necessary as doing so will break armory and any other tool that processes the blocks, and still won't provide complete confidence against broken AV software because they're being triggered by obscenely short strings...

In your extended diatribe above it would have been nice if you'd explain why the report here is against the sst files only and not the actual blockchain.

The Little problem with classifying these as FP is that they aren't false positives. It is actually a virus loaded into the blockchain, but in such a way the virus cannot be used or executed.
This means that the AV Company have 2 choices:
Either leave the issue as it, and keep the detection, thus catching both the real virus and the blockchain.
Or remove the signature altogheter, but that would give the real virus a exception and no detection on the real virus.

So basically, theres 2 types of a "nuisance detection":
A false positive. A false positive is defined as when the antivirus detects a file thats not intended to be detected. For example: A AV detects the genuine bitcoind as a bitcoin-stealing trojan, because the real trojan had bitcoind embedded. That can be easily solved by extending the signature so it requires something more, this "more" being the difference between the fake bitcoind and the real bitcoind.
A correct positive, that still is a nuisance detection: For example this case, detecting viruses in blockchain. Same with detections that occur because people post loveletter source code in forums and such, and the AV attacks the cache of the web browser. Thats not really a false positive, rather its a nuisance detection that still is a detection for a correct virus. Only solution here is to remove the signature altogheter, leaving the real virus free time.

Its really not possible for the AV to "whitelist" the location of the QT SST files carelessly, since if a non-BTC (or a user that does not use the QT client but a Another client) user then gets the virus, then the virus can hide in the QT SST files location (since the real client do not occupy the location) to go under the radar.
Thus BTC users must itself whitelist the location.

Hashing or signing "accepted" SST files must be done on BTC's end, not AV end, and AV programs needs to in some way to "learn to read and verify these signatures", since the SST files depend on the time on which blocks arrived at client, and thus each SST file is unique. (SST files are according to documentation, not stored in block order, rather in block receive order, which means block can appear to be "out of order" in the file).

Since thats not gonna happen (AV companies are not going to learn Another file signature protocol, nor they will give out API for signing files to get them excepted, for obvious security reasons, especially not to open source software developers, because then the virus makers can simply "sign" their viruses), better idea is:
Its really a hard dilemma, and thats why I said that we need to encode the blocks in ways that clients cannot predict. (and thus cannot encode adresses or transaction that would in encoded state match a antivirus signature)

Avira free AV

Good idea, i will report it tomorrow.

I added the chainstate folder to scan exceptions, but thats not the solution for everyone...

What AV is this? (as an aside, have you reported the false positives?)

Anything that is actively scanning the leveldb files in real time is going to be very bad for performance.

aahh i thought some kiddies

i delete the thread in a few min, when mods didn't place it right.

Thank you