Bitcoin Forum
December 13, 2024, 12:45:08 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Avast quarantined Bitcoin-QT.exe 0.13.0 binary  (Read 1713 times)
mertliti (OP)
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
August 25, 2016, 01:29:09 AM
 #1

I just upgraded to Bitcoin-QT 0.13.0 on Windows 7 64 bit.
Before anyone asks, yes I verified the download signature against the SHA256SUMS.asc file, whose signature correctly matched that of Wladimir J. van der Laan's PGP key (that I downloaded long ago, before the recent threat announcement).

When I tried to run it for the first time, Avast did a deep scan and quarantined the binary.
Is anyone else having this issue or found a solution?
Could a file that passed signature verification still have an infection?!
achow101
Moderator
Legendary
*
Offline Offline

Activity: 3570
Merit: 6927


Just writing some code


View Profile WWW
August 25, 2016, 01:40:35 AM
 #2

This is actually not uncommon. It happens to quite a few people. The antivirus warning is usually a false positive. Of course, you should double check and re-verify the download just to be sure. If the download verifies, then it is extremely unlikely that there is a virus as multiple things (your gpg install, your connection to bitcoin.org, and your checksum utility) would have to be compromised.

mertliti (OP)
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
August 25, 2016, 02:07:11 AM
 #3

Thanks. I'm getting concerned though...
On this page, there is a message posted and signed by Wladimir:

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009045.html

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:

    pub   4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj at gmail.com>
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

For gitian and commit signing I will keep using this key.

Wladimir
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJViphCAAoJEHSBCwEjRsmmtRoIALBzJMGXzoj5t9OQSedxjnjP
sxfHuBwQxeuPYXbRlMjY5UZhmabbt0/mLRfVSdscnCzp0YxbMRwD7I6MdHqXyBtd
oS+TUfMNir5lk7Ti2hRStgvxqsAbHUJ08LlqpJXV5dq3QgeJyJwZM76a6yyaGwxP
SwqvKklQZ/qdrKOgjjn6d5HywgsmybJSDzEDR3k+ogkLsfM1jcpqZhwFeRVpk94m
SgZGLLx5zAIKcLHn4I1FaZ+OAmmS0ukYcmotMOUk6NBEjHTDfjEFBrbrlwvL4G7r
kjd1mRxkaJMxX3nJicXiEQClVoeUrMVyJrrsTGyPixSicdQbItuyLWXm37fAfE0=
=4v49
-----END PGP SIGNATURE-----


For some reason, when I try to verify this message with PGP (Symantec Encryption Desktop 10.3.0), using the same key, I signed **years** ago in my PGP keyring, and that still shows as verified, I am getting a mismatch:

Code:
*** PGP SIGNATURE VERIFICATION ***
*** Status:   Bad Signature
*** Alert:    Signature did not verify. Message has been altered.
*** Signer:   Wladimir J. van der Laan <laanwj@gmail.com> (0x2346C9A6)
*** Signed:   6/24/2015 1:45:06 PM
*** Verified: 8/25/2016 4:03:21 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Hello,

Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:

    pub   4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj at gmail.com>
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

For gitian and commit signing I will keep using this key.

Wladimir

*** END PGP VERIFIED MESSAGE ***

The key signature matches! Is there some possible incompatibility between PGP and GPG? Some whitespace / line endings mismatch?
Given, that "state-sponsored" attackers are suspected to be a risk, I'm starting to get paranoid now!!! This is the first time I think I've ever seen verifications fail.

Can anyone else verify the signature on that message with Wladimir's key?
achow101
Moderator
Legendary
*
Offline Offline

Activity: 3570
Merit: 6927


Just writing some code


View Profile WWW
August 25, 2016, 02:16:52 AM
 #4

Interesting that that happens. When I pull up the email from Thunderbird, enigmail says that it is a good signature.

It might just be a formatting problem caused by the mailing list archive.

mertliti (OP)
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
August 25, 2016, 02:23:55 AM
 #5

Could you perhaps do me a favor and share this thread's URL on the mailing list to the devs?
I'm not on the list, but would appreciate getting advice from the devs, as I'm trying to follow the instructions on their notice posted here (https://bitcoin.org/en/alert/2016-08-17-binary-safety), and it says to verify the message at that link above (
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009045.html).

Thanks!
phantomcircuit
Sr. Member
****
Offline Offline

Activity: 463
Merit: 252


View Profile
August 25, 2016, 02:42:26 AM
 #6

I just upgraded to Bitcoin-QT 0.13.0 on Windows 7 64 bit.
Before anyone asks, yes I verified the download signature against the SHA256SUMS.asc file, whose signature correctly matched that of Wladimir J. van der Laan's PGP key (that I downloaded long ago, before the recent threat announcement).

When I tried to run it for the first time, Avast did a deep scan and quarantined the binary.
Is anyone else having this issue or found a solution?
Could a file that passed signature verification still have an infection?!

You're running into an issue with whitespace and HTML.

Try again http://pastebin.com/raw/PWcYtqi3
mertliti (OP)
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
August 25, 2016, 02:59:40 AM
 #7

Hey thanks!
No, it wasn't whitespace but it was email obfuscation formatting that was done on that first page!

<laanwj@gmail.com>  BECAME    <laanwj at gmail.com>

Well, it seems like a bad link for the security notice to be asking people to verify, because it's NOT going to verify!
Hope someone can share this with the devs still. They should provide better, working instructions for verification if people are going to be able to fend off potential attacks.

With the "raw" URL you sent, the verification is now working:


Code:
*** PGP SIGNATURE VERIFICATION ***
*** Status:   Good Signature
*** Signer:   Wladimir J. van der Laan <laanwj@gmail.com> (0x2346C9A6)
*** Signed:   6/24/2015 1:45:06 PM
*** Verified: 8/25/2016 4:56:28 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Hello,

Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:

    pub   4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

For gitian and commit signing I will keep using this key.

Wladimir

*** END PGP VERIFIED MESSAGE ***
Shiroslullaby
Sr. Member
****
Offline Offline

Activity: 434
Merit: 250



View Profile
August 25, 2016, 03:08:07 AM
 #8

For someone that is concerned with verifying file checksums, state sponsored attacks, etc... 
I'm surprised you are using Avast! Good antivirus, but I had to remove it when they started snooping on users encrypted traffic. 
(MITM traffic interception using pre-installed certificates)

Heres a good write-up for anyone interested: 
http://www.thesafemac.com/avasts-man-in-the-middle/

mertliti (OP)
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
August 25, 2016, 03:26:29 AM
 #9

For someone that is concerned with verifying file checksums, state sponsored attacks, etc... 
I'm surprised you are using Avast! Good antivirus, but I had to remove it when they started snooping on users encrypted traffic. 
(MITM traffic interception using pre-installed certificates)

Heres a good write-up for anyone interested: 
http://www.thesafemac.com/avasts-man-in-the-middle/

OT maybe, but interesting nonetheless!
I just verified my Google SSL certificates in Chrome are signed by GeoTrust Global (not Avast), and BofA by VeriSign.
And Avast is blocking https://revoked.grc.com/ (revoked certificate test mentioned in that article).

On Firefox, it is blocking the revoked certificate, but it *is* using its own certificate on google.com! Just disabled HTTPS scanning. Bad Avast!

Thanks
Cereberus
Legendary
*
Offline Offline

Activity: 910
Merit: 1000



View Profile
August 27, 2016, 04:45:56 PM
 #10

I downloaded it in my second partition where I have windows just to try and Avira says nothing about it so I think is safe and your antivirus warning is just a false positive. Its not recommended keeping sensitive data , like storing your bitcoins in a windows system. I have all the desktop wallets installed in Linux Mint latest. Bitcoin core, Electrum and Multibit HD.




    ██    ██    ██    ██
  ██    ██    ██    ██
██    ██    ██    ██
              ██    ██
            ██    ██
          ██    ██
        ██    ██
      ██    ██       
    ██    ██    ██    ██
  ██    ██    ██    ██
██    ██    ██    ██
TRADEPLAYZ
█ 
█ 
█     
█  █
█  █ 
█  █ 
█  █
    █  █
  █  █
  █  █
        █
    █
      █   
TOURNAMENT PVP SYSTEM
  FACEBOOK |  TWITTER  |  LINKEDIN  |  TELEGRAM  |  GITHUB  |  ANN  | INSTAGRAM 

█ 
█ 
█     
█  █
█  █ 
█  █ 
█  █
    █  █
  █  █
  █  █
        █
    █
      █   

                     █▄
                     ████▄
                     ██████▄
                     ████████▄
                     ██████████▄
                     ████████████▄
                     ██████████████▄
                     ███████████████
                     ██████████████▀
                     ████████████▀
                     ██████████▀
                     ████████▀
                     ██████▀
                     ████▀
                     █
█▀
GOOGLE PLAY

                            ▄█████████████▄
                            ███████████████
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            █░░░░░░░░░░░░░█
                            ██████▀▀▀██████
                             ▀████▄▄▄▄████▀
  APPSTORE
PremiumCodeX
Hero Member
*****
Offline Offline

Activity: 1204
Merit: 531


Metaverse 👾 Cyberweapons


View Profile
September 01, 2016, 09:26:39 AM
 #11

For me that detection seems to be false positive. I too have experienced similar some months ago and I handled it as false positive. I did not experience any suspicious activity within my system that could be connected to that so I think I was right. I, however, disagree with the advice that you should not use Windows. Windows could be very secure if you know what you are doing and Linux could be easily vulnerable too if you do not. As a general advice I suggest separating the system that you daily use from the one where you store your wallet and choose a system for your wallet that you are comfortable with and aware of how to build a powerful security with it.

[TUTORIAL] How to steal $350 000?
Best OS for recovering stolen BTCs.
Visit our FREE Bitcointalk thread.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!