
Topic: Av reports viruses in sst file (Read 4793 times)

hero member
Activity: 798
Merit: 1000
June 03, 2014, 01:31:34 AM
#22
1) Set virus scanner to scan only executables/scriptables
2) No more false positives
3) Faster PC
4) Profit
I don't recommend this. Simply set the blockchain as an exception, and let it scan other stuff.
Word macro viruses are common nowadays, and they can also be embedded into a picture.
legendary
Activity: 4522
Merit: 3183
Vile Vixen and Miss Bitcointalk 2021-2023
April 16, 2014, 10:24:54 PM
#21
1) Set virus scanner to scan only executables/scriptables
2) No more false positives
3) Faster PC
4) Profit
5) Create office software that allows programs to be embedded in ordinary documents to be automatically executed when opening said documents.
6) No more safe assumptions about what types of files may contain executables.
7) Slower PC.
8) Microsoft profits.
hero member
Activity: 493
Merit: 500
April 16, 2014, 09:37:23 PM
#20
1) Set virus scanner to scan only executables/scriptables
2) No more false positives
3) Faster PC
4) Profit

full member
Activity: 244
Merit: 101
April 13, 2014, 09:14:52 PM
#19
Just noticed something similar after doing a full scan with avast. I used a couple other scanners as well but avast was the only one that picked these up. And reading the earlier reply it seems like if I re-download the blockchain these will still appear because they aren't actually on my pc and can't affect me? (at least that's how I understand it?) Any ideas?
newbie
Activity: 14
Merit: 0
April 13, 2014, 11:09:12 AM
#18
A good idea! Sounds like a generation of revolution.
member
Activity: 94
Merit: 10
April 13, 2014, 05:52:09 AM
#17
What AV is this?
legendary
Activity: 1500
Merit: 1022
I advocate the Zeitgeist Movement & Venus Project.
April 11, 2014, 10:39:44 PM
#16
Got this in MSE:

Quote
Virus:DOS/Stoned

Category: Virus

Description: This program is dangerous and replicates by infecting other files.

Recommended action: Remove this software immediately.

Items:
file:C:\Users\xxxxx\AppData\Roaming\Bitcoin\chainstate\162057.sst
sr. member
Activity: 333
Merit: 250
April 11, 2014, 09:51:31 PM
#15
For whatever it's worth, I had Microsoft Security Essentials report a similar thing on my recently installed 0.9.1 on Windows x64.

Detected Item
Virus:BAT/Dakuma.1935

Alert level
Severe

Category: Virus

Description: This program is dangerous and replicates by infecting other files.

Recommended action: Remove this software immediately.

Items:
file:C:\Users\*\AppData\Roaming\Bitcoin\chainstate\313280.sst

Get more information about this item online.

staff
Activity: 4284
Merit: 8808
April 07, 2014, 10:37:32 AM
#14
https://people.xiph.org/~greg/m.sst is a 16-byte sequence that appears to trigger anywhere in the file for clamav, so long as the file is under 32 MBytes in size.
legendary
Activity: 2618
Merit: 1007
April 06, 2014, 02:07:55 PM
#13
Yeah, just tried it - neither works in the middle, end nor beginning of a file if there is any other data beyond just the EICAR test string.
member
Activity: 80
Merit: 10
April 06, 2014, 01:57:43 PM
#12
http://en.wikipedia.org/wiki/EICAR_test_file is ~70 bytes but might be worth a try if you want to mess with virus scanners... (calling them "anti virus" programs is a bit too flattering imho).

IIRC the test string doesn't trigger in the middle of another file, so that won't do anything.
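To make the two behaviours compared in this post and in the earlier post about the 16-byte sequence concrete, here is an added Python triage script (not code from the thread, from Bitcoin Core or from any AV vendor): it checks whether a flagged file ends with the LevelDB table footer magic, searches it for a constructed stand-in signature at any offset the way the unanchored match was described, and applies the EICAR-style rule (string at offset 0, only whitespace after it, file at most 128 bytes) that explains why the test string does nothing when embedded in a bigger file. The signature bytes and the sample .sst content are constructed for the demo; the LevelDB magic value is taken from the LevelDB source.

```python
import struct

# Last 8 bytes of a LevelDB table (.sst) file hold the table magic number,
# little-endian, inside a 48-byte footer (value from the LevelDB source).
LEVELDB_TABLE_MAGIC = 0xDB4775248B80FB57
LEVELDB_FOOTER_LEN = 48

# Constructed 16-byte stand-in for a short AV signature (not a real one).
SHORT_SIG = b"CONSTRUCTED-SIG!"


def looks_like_leveldb_table(data: bytes) -> bool:
    """True if the file ends with the LevelDB table footer magic."""
    if len(data) < LEVELDB_FOOTER_LEN:
        return False
    return struct.unpack("<Q", data[-8:])[0] == LEVELDB_TABLE_MAGIC


def unanchored_hits(data: bytes, sig: bytes) -> list:
    """Every offset where sig occurs: a match anywhere is enough to alert,
    which is how the 16-byte sequence was reported to behave."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits


def anchored_hit(data: bytes, sig: bytes, max_len: int = 128) -> bool:
    """EICAR-style rule: sig at offset 0, only whitespace after it, whole file
    at most max_len bytes. Embedding sig inside a larger file never matches."""
    return (len(data) <= max_len and data.startswith(sig)
            and data[len(sig):].strip() == b"")


def triage_bytes(data: bytes, sig: bytes = SHORT_SIG) -> dict:
    """Explain an alert: is this a LevelDB table, and how did the match occur?"""
    return {"leveldb_table": looks_like_leveldb_table(data),
            "unanchored_offsets": unanchored_hits(data, sig),
            "anchored": anchored_hit(data, sig)}


def sample_sst_bytes() -> bytes:
    """Constructed .sst-like content: record bytes with the signature buried
    at offset 524, then a footer ending in the table magic."""
    body = b"\x00" * 500 + b"arbitrary payload bytes " + SHORT_SIG + b"\xff" * 300
    footer = b"\x00" * (LEVELDB_FOOTER_LEN - 8) + struct.pack("<Q", LEVELDB_TABLE_MAGIC)
    return body + footer


if __name__ == "__main__":
    print(triage_bytes(sample_sst_bytes()))
```

For a real alert, read the flagged file's bytes into triage_bytes: a LevelDB footer plus a mid-file unanchored hit is the pattern this thread describes, while an anchored hit on a tiny file is the pattern a test file produces.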
legendary
Activity: 2618
Merit: 1007
April 05, 2014, 06:02:45 AM
#11
http://en.wikipedia.org/wiki/EICAR_test_file is ~70 bytes but might be worth a try if you want to mess with virus scanners... (calling them "anti virus" programs is a bit too flattering imho).
newbie
Activity: 2
Merit: 0
April 05, 2014, 05:40:01 AM
#10
mastahofdesastah, thanks for the hint, now it's OK. Although it's a scary thing to do ) The folder's quite sensitive, isn't it?
full member
Activity: 163
Merit: 100
April 05, 2014, 05:02:32 AM
#9
I added the whole chainstate folder to exceptions. Since then the AV is happy.

Some of the "viruses" seem over 20 years old :)
newbie
Activity: 2
Merit: 0
April 05, 2014, 04:57:08 AM
#8
Same thing with another AV, it shows one sst file has 'Dutch (Sequence)' malware. Even after adding it to exceptions, bitcoin-qt stops with a fatal error:
Code:
EXCEPTION: 13leveldb_error, Database I/O error 
...\bitcoin-qt.exe in Runaway exception

Reinstallation of the bt client doesn't help. WTF, any ideas? Should probably have made a copy of the blockchain... (
staff
Activity: 4284
Merit: 8808
April 04, 2014, 10:16:57 PM
#7
Quote
The Little problem with classifying these as FP is that they aren't false positives.
That isn't true. It's being triggered by little 16-byte sequences (for example); no virus itself is 16 bytes long. You may also note that it doesn't actually report _anything_ against the actual blockchain, only the leveldb SST files.

It's not a really hard dilemma at all: obfuscating the block files was a suggestion made back in 2010 or 2011. It's a relatively trivial change, but I'm not eager to do it if it's not absolutely necessary, as doing so will break armory and any other tool that processes the blocks, and still won't provide complete confidence against broken AV software because they're being triggered by obscenely short strings...

In your extended diatribe above it would have been nice if you'd explained why the report here is against the sst files only and not the actual blockchain.
full member
Activity: 129
Merit: 119
April 04, 2014, 07:45:15 PM
#6
The little problem with classifying these as FP is that they aren't false positives. It is actually a virus loaded into the blockchain, but in such a way that the virus cannot be used or executed.
This means that the AV company has 2 choices:
Either leave the issue as it is, and keep the detection, thus catching both the real virus and the blockchain.
Or remove the signature altogether, but that would give the real virus an exception and no detection on the real virus.

So basically, there are 2 types of "nuisance detection":
A false positive. A false positive is defined as when the antivirus detects a file that's not intended to be detected. For example: an AV detects the genuine bitcoind as a bitcoin-stealing trojan, because the real trojan had bitcoind embedded. That can be easily solved by extending the signature so it requires something more, this "more" being the difference between the fake bitcoind and the real bitcoind.
A correct positive, that still is a nuisance detection: for example this case, detecting viruses in the blockchain. Same with detections that occur because people post loveletter source code in forums and such, and the AV attacks the cache of the web browser. That's not really a false positive; rather it's a nuisance detection that still is a detection for a correct virus. The only solution here is to remove the signature altogether, leaving the real virus free time.

It's really not possible for the AV to "whitelist" the location of the QT SST files carelessly, since if a non-BTC user (or a user that does not use the QT client but another client) then gets the virus, then the virus can hide in the QT SST files location (since the real client does not occupy the location) to go under the radar.
Thus BTC users must themselves whitelist the location.

Hashing or signing "accepted" SST files must be done on BTC's end, not the AV end, and AV programs need to in some way "learn to read and verify these signatures", since the SST files depend on the time at which blocks arrived at the client, and thus each SST file is unique. (SST files are, according to documentation, not stored in block order, rather in block receive order, which means blocks can appear to be "out of order" in the file.)

Since that's not gonna happen (AV companies are not going to learn another file signature protocol, nor will they give out an API for signing files to get them excepted, for obvious security reasons, especially not to open source software developers, because then the virus makers can simply "sign" their viruses), a better idea is:
It's really a hard dilemma, and that's why I said that we need to encode the blocks in ways that clients cannot predict (and thus cannot encode addresses or transactions that would in encoded state match an antivirus signature).
full member
Activity: 163
Merit: 100
April 04, 2014, 06:31:24 PM
#5
Avira free AV

Good idea, i will report it tomorrow.

I added the chainstate folder to scan exceptions, but that's not the solution for everyone...
staff
Activity: 4284
Merit: 8808
April 04, 2014, 06:00:21 PM
#4
Since yesterday 01.20 GMT+1 my AV goes crazy. Multiple times per minute it reports viruses in my sst files from the QT client.
I deleted all the files manually, and now it's downloading the blockchain files again.
What AV is this? (as an aside, have you reported the false positives?)

Anything that is actively scanning the leveldb files in real time is going to be very bad for performance.
full member
Activity: 163
Merit: 100
April 04, 2014, 05:21:06 PM
#3
Aahh, I thought some kiddies :)

I'll delete the thread in a few min if the mods didn't place it right.

Thank you