Bitcoin Forum
Author Topic: Avast quarantined Bitcoin-QT.exe 0.13.0 binary  (Read 1688 times)
mertliti (OP)
August 25, 2016, 01:29:09 AM #1

I just upgraded to Bitcoin-QT 0.13.0 on Windows 7 64 bit.
Before anyone asks, yes I verified the download signature against the SHA256SUMS.asc file, whose signature correctly matched that of Wladimir J. van der Laan's PGP key (that I downloaded long ago, before the recent threat announcement).

When I tried to run it for the first time, Avast did a deep scan and quarantined the binary.
Is anyone else having this issue or found a solution?
Could a file that passed signature verification still have an infection?!
achow101 (Moderator)
August 25, 2016, 01:40:35 AM #2

This is actually not uncommon. It happens to quite a few people. The antivirus warning is usually a false positive. Of course, you should double check and re-verify the download just to be sure. If the download verifies, then it is extremely unlikely that there is a virus as multiple things (your gpg install, your connection to bitcoin.org, and your checksum utility) would have to be compromised.

mertliti (OP)
August 25, 2016, 02:07:11 AM #3

Thanks. I'm getting concerned though...
On this page, there is a message posted and signed by Wladimir:

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009045.html

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:

    pub   4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj at gmail.com>
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

For gitian and commit signing I will keep using this key.

Wladimir
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJViphCAAoJEHSBCwEjRsmmtRoIALBzJMGXzoj5t9OQSedxjnjP
sxfHuBwQxeuPYXbRlMjY5UZhmabbt0/mLRfVSdscnCzp0YxbMRwD7I6MdHqXyBtd
oS+TUfMNir5lk7Ti2hRStgvxqsAbHUJ08LlqpJXV5dq3QgeJyJwZM76a6yyaGwxP
SwqvKklQZ/qdrKOgjjn6d5HywgsmybJSDzEDR3k+ogkLsfM1jcpqZhwFeRVpk94m
SgZGLLx5zAIKcLHn4I1FaZ+OAmmS0ukYcmotMOUk6NBEjHTDfjEFBrbrlwvL4G7r
kjd1mRxkaJMxX3nJicXiEQClVoeUrMVyJrrsTGyPixSicdQbItuyLWXm37fAfE0=
=4v49
-----END PGP SIGNATURE-----


For some reason, when I try to verify this message with PGP (Symantec Encryption Desktop 10.3.0), using the same key, which I signed **years** ago in my PGP keyring and which still shows as verified, I am getting a mismatch:

Code:
*** PGP SIGNATURE VERIFICATION ***
*** Status:   Bad Signature
*** Alert:    Signature did not verify. Message has been altered.
*** Signer:   Wladimir J. van der Laan <laanwj@gmail.com> (0x2346C9A6)
*** Signed:   6/24/2015 1:45:06 PM
*** Verified: 8/25/2016 4:03:21 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Hello,

Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:

    pub   4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj at gmail.com>
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

For gitian and commit signing I will keep using this key.

Wladimir

*** END PGP VERIFIED MESSAGE ***

The key signature matches! Is there some possible incompatibility between PGP and GPG? Some whitespace / line endings mismatch?
Given that "state-sponsored" attackers are suspected to be a risk, I'm starting to get paranoid now!!! This is the first time I think I've ever seen a verification fail.

Can anyone else verify the signature on that message with Wladimir's key?
achow101 (Moderator)
August 25, 2016, 02:16:52 AM #4

Interesting that that happens. When I pull up the email from Thunderbird, enigmail says that it is a good signature.

It might just be a formatting problem caused by the mailing list archive.

mertliti (OP)
August 25, 2016, 02:23:55 AM #5

Could you perhaps do me a favor and share this thread's URL on the mailing list to the devs?
I'm not on the list, but would appreciate getting advice from the devs, as I'm trying to follow the instructions on their notice posted here (https://bitcoin.org/en/alert/2016-08-17-binary-safety), and it says to verify the message at that link above (https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009045.html).

Thanks!
phantomcircuit
August 25, 2016, 02:42:26 AM #6

Quote from: mertliti (OP) on August 25, 2016, 01:29:09 AM
I just upgraded to Bitcoin-QT 0.13.0 on Windows 7 64 bit.
Before anyone asks, yes I verified the download signature against the SHA256SUMS.asc file, whose signature correctly matched that of Wladimir J. van der Laan's PGP key (that I downloaded long ago, before the recent threat announcement).

When I tried to run it for the first time, Avast did a deep scan and quarantined the binary.
Is anyone else having this issue or found a solution?
Could a file that passed signature verification still have an infection?!

You're running into an issue with whitespace and HTML.

Try again http://pastebin.com/raw/PWcYtqi3
mertliti (OP)
August 25, 2016, 02:59:40 AM #7

Hey thanks!
No, it wasn't whitespace; it was the email obfuscation formatting done on that first page!

<laanwj@gmail.com>  BECAME    <laanwj at gmail.com>

Well, it seems like a bad link for the security notice to be asking people to verify, because it's NOT going to verify!
Hope someone can share this with the devs still. They should provide better, working instructions for verification if people are going to be able to fend off potential attacks.

With the "raw" URL you sent, the verification is now working:


Code:
*** PGP SIGNATURE VERIFICATION ***
*** Status:   Good Signature
*** Signer:   Wladimir J. van der Laan <laanwj@gmail.com> (0x2346C9A6)
*** Signed:   6/24/2015 1:45:06 PM
*** Verified: 8/25/2016 4:56:28 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Hello,

Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:

    pub   4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

For gitian and commit signing I will keep using this key.

Wladimir

*** END PGP VERIFIED MESSAGE ***
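
The failure in #3 and the fix in #6/#7 come down to what an OpenPGP cleartext signature actually covers. The following Python is an added example, not code from the thread or from Bitcoin Core: it reproduces the RFC 4880 text-mode canonicalization (trailing spaces and tabs stripped, line endings normalized to CRLF, dash-escaping removed) and hashes the signed text, so you can see that the two guesses in #3, line endings and whitespace, do not change the digest at all, while the archive's "user at host" rewrite does. The announcement text is the one quoted above; the signature block is a constructed placeholder, so only the signed-text digest is computed, not the public-key check (a real verifier also hashes the signature's subpackets and trailer, which needs the signature packet itself). Function names and the regexes are mine.

```python
import hashlib
import re

# Constructed for this example: the thread's announcement wrapped in a
# cleartext-signature frame. The signature block is a placeholder, not the
# real signature, so only the digest over the signed text is computed here.
ORIGINAL = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:

    pub   4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
    Primary key fingerprint: 01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

For gitian and commit signing I will keep using this key.

Wladimir
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

PLACEHOLDER-SIGNATURE-NOT-REAL
-----END PGP SIGNATURE-----
"""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def extract_cleartext(armored):
    """Return the signed lines: everything after the 'Hash:' header block and
    its blank separator, up to the signature armor. LF or CRLF both work."""
    lines = armored.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.rstrip() == BEGIN_SIGNED)
    except StopIteration:
        raise ValueError("not a cleartext-signed message")
    i = start + 1
    while i < len(lines) and lines[i].strip():   # skip 'Hash: ...' headers
        i += 1
    i += 1                                        # skip the blank separator
    body = []
    while i < len(lines) and lines[i].rstrip() != BEGIN_SIG:
        body.append(lines[i])
        i += 1
    return body


def canonicalize(lines):
    """RFC 4880 sections 7.1 and 5.2.4: remove dash-escaping ('- ' prefix),
    strip trailing spaces and tabs, join with CRLF, omit the final line end."""
    out = []
    for line in lines:
        if line.startswith("- "):
            line = line[2:]
        out.append(line.rstrip(" \t"))
    return "\r\n".join(out)


def signed_text_digest(armored, algo="sha512"):
    """Digest over the canonicalized cleartext (the 'Hash:' header names the
    algorithm). The key check that follows in a real verifier is omitted."""
    text = canonicalize(extract_cleartext(armored)).encode("utf-8")
    return hashlib.new(algo, text).hexdigest()


ADDR_RE = re.compile(r"<([^\s<>@]+)@([^\s<>@]+)>")
MUNGED_RE = re.compile(r"<[^\s<>@]+ at [^\s<>@]+>")


def archive_munge(text):
    """Mimic the mailing-list archive: <user@host> becomes <user at host>."""
    return ADDR_RE.sub(r"<\1 at \2>", text)


def find_munged_addresses(text):
    """Pre-check for a copy pulled from a web archive: any '<x at y>' inside
    the signed text means the bytes are not what was signed."""
    return MUNGED_RE.findall(text)


def demo():
    base = signed_text_digest(ORIGINAL)
    crlf = signed_text_digest(ORIGINAL.replace("\n", "\r\n"))
    trailing_ws = signed_text_digest(ORIGINAL.replace("\n", " \t\n"))
    munged_text = archive_munge(ORIGINAL)
    return {
        "crlf_same": crlf == base,                       # True
        "trailing_ws_same": trailing_ws == base,         # True
        "munged_same": signed_text_digest(munged_text) == base,  # False
        "munged_addresses": find_munged_addresses(munged_text),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The practical check is `find_munged_addresses` on whatever you copied out of a browser: if it returns anything, fetch the raw message (as phantomcircuit's pastebin link does) before running the verifier, because no amount of line-ending cleanup will make the archive's rewritten address hash to the signed bytes.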
Shiroslullaby
August 25, 2016, 03:08:07 AM #8

For someone that is concerned with verifying file checksums, state-sponsored attacks, etc...
I'm surprised you are using Avast! Good antivirus, but I had to remove it when they started snooping on users' encrypted traffic.
(MITM traffic interception using pre-installed certificates)

Here's a good write-up for anyone interested:
http://www.thesafemac.com/avasts-man-in-the-middle/

mertliti (OP)
August 25, 2016, 03:26:29 AM #9

Quote from: Shiroslullaby on August 25, 2016, 03:08:07 AM
For someone that is concerned with verifying file checksums, state-sponsored attacks, etc...
I'm surprised you are using Avast! Good antivirus, but I had to remove it when they started snooping on users' encrypted traffic.
(MITM traffic interception using pre-installed certificates)

Here's a good write-up for anyone interested:
http://www.thesafemac.com/avasts-man-in-the-middle/

OT maybe, but interesting nonetheless!
I just verified my Google SSL certificates in Chrome are signed by GeoTrust Global (not Avast), and BofA by VeriSign.
And Avast is blocking https://revoked.grc.com/ (revoked certificate test mentioned in that article).

On Firefox, it is blocking the revoked certificate, but it *is* using its own certificate on google.com! Just disabled HTTPS scanning. Bad Avast!

Thanks
Cereberus
August 27, 2016, 04:45:56 PM #10

I downloaded it in my second partition where I have Windows just to try, and Avira says nothing about it, so I think it is safe and your antivirus warning is just a false positive. It's not recommended to keep sensitive data, like storing your bitcoins, on a Windows system. I have all the desktop wallets installed on the latest Linux Mint: Bitcoin Core, Electrum and Multibit HD.
PremiumCodeX
September 01, 2016, 09:26:39 AM #11

For me that detection seems to be a false positive. I too experienced something similar some months ago and handled it as a false positive. I did not experience any suspicious activity within my system that could be connected to it, so I think I was right. I, however, disagree with the advice that you should not use Windows. Windows can be very secure if you know what you are doing, and Linux can easily be vulnerable too if you do not. As general advice, I suggest separating the system that you use daily from the one where you store your wallet, and choosing a system for your wallet that you are comfortable with and know how to build powerful security with.
