Bitcoin Forum
December 01, 2022, 05:30:57 PM *
News: Latest Bitcoin Core release: 23.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Av reports viruses in sst file  (Read 4760 times)
mastahofdesastah (OP)
Full Member
***
Offline Offline

Activity: 163
Merit: 100


View Profile
April 04, 2014, 04:28:21 PM
 #1

Hi Folks

I think its a false positive, but to be sure...

Since yesterday 01.20 GMT+1 my AV goes crazy. Multiple times per minute it reports viruses on my sst files from QT client.
I deletet all the files manually, and now its downloading the blockchain files again.

Paranoia? Or some Dropper/Downloader are downloading viruses on these files, and maybe another programm is trying to execute it?

After Bolckchain reset seems ok, but still downloading...
first 5 min Log, after the viruses changed: Dakuma.Trojan, PRSC1024, Spoiler, Intruder.1319

Code:

04.04.2014 01:21 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224097.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:21 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224092.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:21 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224087.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:21 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224082.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:21 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224077.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:21 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224072.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224067.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224062.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224057.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224052.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224047.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224042.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224037.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224032.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224027.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

04.04.2014 01:20 [Echtzeit-Scanner] Malware gefunden
      In der Datei 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224022.sst'
      wurde ein Virus oder unerwünschtes Programm '7thSon-B' [virus] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

Even in the event that an attacker gains more than 50% of the network's computational power, only transactions sent by the attacker could be reversed or double-spent. The network would not be destroyed.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1669915857
Hero Member
*
Offline Offline

Posts: 1669915857

View Profile Personal Message (Offline)

Ignore
1669915857
Reply with quote  #2

1669915857
Report to moderator
1669915857
Hero Member
*
Offline Offline

Posts: 1669915857

View Profile Personal Message (Offline)

Ignore
1669915857
Reply with quote  #2

1669915857
Report to moderator
1669915857
Hero Member
*
Offline Offline

Posts: 1669915857

View Profile Personal Message (Offline)

Ignore
1669915857
Reply with quote  #2

1669915857
Report to moderator
aceat64
Full Member
***
Offline Offline

Activity: 307
Merit: 102



View Profile
April 04, 2014, 10:12:04 PM
 #2

This is likely a false positive, I imagine someone is having a laugh by loading virus signatures into the blockchain after reading this thread:

https://bitcointalk.org/index.php?topic=554738.0

Also of note, this type of post should go to the Technical Support board, not Dev.
mastahofdesastah (OP)
Full Member
***
Offline Offline

Activity: 163
Merit: 100


View Profile
April 04, 2014, 10:21:06 PM
 #3

aahh i thought some kiddies Smiley

i delete the thread in a few min, when mods didn't place it right.

Thank you
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 3822
Merit: 7210



View Profile
April 04, 2014, 11:00:21 PM
 #4

Since yesterday 01.20 GMT+1 my AV goes crazy. Multiple times per minute it reports viruses on my sst files from QT client.
I deletet all the files manually, and now its downloading the blockchain files again.
What AV is this? (as an aside, have you reported the false positives?)

Anything that is actively scanning the leveldb files in real time is going to be very bad for performance.
mastahofdesastah (OP)
Full Member
***
Offline Offline

Activity: 163
Merit: 100


View Profile
April 04, 2014, 11:31:24 PM
 #5

Avira free AV

Good idea, i will report it tomorrow.

I added the chainstate folder to scan exceptions, but thats not the solution for everyone...
sebastian
Full Member
***
Offline Offline

Activity: 129
Merit: 118


View Profile
April 05, 2014, 12:45:15 AM
Last edit: April 05, 2014, 01:02:26 AM by sebastian
 #6

The Little problem with classifying these as FP is that they aren't false positives. It is actually a virus loaded into the blockchain, but in such a way the virus cannot be used or executed.
This means that the AV Company have 2 choices:
Either leave the issue as it, and keep the detection, thus catching both the real virus and the blockchain.
Or remove the signature altogheter, but that would give the real virus a exception and no detection on the real virus.

So basically, theres 2 types of a "nuisance detection":
A false positive. A false positive is defined as when the antivirus detects a file thats not intended to be detected. For example: A AV detects the genuine bitcoind as a bitcoin-stealing trojan, because the real trojan had bitcoind embedded. That can be easily solved by extending the signature so it requires something more, this "more" being the difference between the fake bitcoind and the real bitcoind.
A correct positive, that still is a nuisance detection: For example this case, detecting viruses in blockchain. Same with detections that occur because people post loveletter source code in forums and such, and the AV attacks the cache of the web browser. Thats not really a false positive, rather its a nuisance detection that still is a detection for a correct virus. Only solution here is to remove the signature altogheter, leaving the real virus free time.

Its really not possible for the AV to "whitelist" the location of the QT SST files carelessly, since if a non-BTC (or a user that does not use the QT client but a Another client) user then gets the virus, then the virus can hide in the QT SST files location (since the real client do not occupy the location) to go under the radar.
Thus BTC users must itself whitelist the location.

Hashing or signing "accepted" SST files must be done on BTC's end, not AV end, and AV programs needs to in some way to "learn to read and verify these signatures", since the SST files depend on the time on which blocks arrived at client, and thus each SST file is unique. (SST files are according to documentation, not stored in block order, rather in block receive order, which means block can appear to be "out of order" in the file).

Since thats not gonna happen (AV companies are not going to learn Another file signature protocol, nor they will give out API for signing files to get them excepted, for obvious security reasons, especially not to open source software developers, because then the virus makers can simply "sign" their viruses), better idea is:
Its really a hard dilemma, and thats why I said that we need to encode the blocks in ways that clients cannot predict. (and thus cannot encode adresses or transaction that would in encoded state match a antivirus signature)
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 3822
Merit: 7210



View Profile
April 05, 2014, 03:16:57 AM
 #7

Quote
The Little problem with classifying these as FP is that they aren't false positives.
That isn't true. It's being triggered by little 16 byte sequences (for example), no virus itself is 16 bytes long. You may also note that it doesn't actually report _anything_ against the actual blockchain, only the leveldb SST files.

It's not a really hard dilemma at all: Obfuscating the block files was a suggestion made back in 2010 or 2011, it's a relatively trivial change but I'm not eager to do it if its not absolutely necessary as doing so will break armory and any other tool that processes the blocks, and still won't provide complete confidence against broken AV software because they're being triggered by obscenely short strings...

In your extended diatribe above it would have been nice if you'd explain why the report here is against the sst files only and not the actual blockchain.
alemur
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
April 05, 2014, 09:57:08 AM
 #8

Same thing with another AV, it shows one sst file has 'Dutch (Sequence)' malware. Even after adding to exceptions, bitcoin-qt stops with fatal error
Code:
EXCEPTION: 13leveldb_error, Database I/O error
...\bitcoin-qt.exe in Runaway exception

Reinstallation of the bt client doesn't help. WTF, any ideas? Should have probably made the copy of the Blockchain... (
mastahofdesastah (OP)
Full Member
***
Offline Offline

Activity: 163
Merit: 100


View Profile
April 05, 2014, 10:02:32 AM
 #9

i added the hole chainstate folder to exceptions. Since then the AV are happy.

Some of the "Viruses" seems over 20 years old Smiley
alemur
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
April 05, 2014, 10:40:01 AM
 #10

mastahofdesastah, thanx for the hint, now it's OK. Although it's a scary thing to do ) The folder's quite sensitive isn't it?
Sukrim
Legendary
*
Offline Offline

Activity: 2618
Merit: 1006


View Profile
April 05, 2014, 11:02:45 AM
 #11

http://en.wikipedia.org/wiki/EICAR_test_file is ~70 bytes but might be worth a try if you want to mess with virus scanners... (calling them "anti virus" programs is a bit too flattering imho).

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
michagogo
Member
**
Offline Offline

Activity: 80
Merit: 10


View Profile
April 06, 2014, 06:57:43 PM
 #12

http://en.wikipedia.org/wiki/EICAR_test_file is ~70 bytes but might be worth a try if you want to mess with virus scanners... (calling them "anti virus" programs is a bit too flattering imho).

IIRC the test string doesn't trigger in the middle of another file, so that won't do anything.
Sukrim
Legendary
*
Offline Offline

Activity: 2618
Merit: 1006


View Profile
April 06, 2014, 07:07:55 PM
 #13

Yeah, just tried it - neither works in the middle, end nor beginning of a file if there is any other data beyond just the EICAR test string.

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 3822
Merit: 7210



View Profile
April 07, 2014, 03:37:32 PM
 #14

https://people.xiph.org/~greg/m.sst  is a 16 byte sequence that appears to trigger anywhere in the file for clamav, so long as the file is under 32 MBytes in size.
dentldir
Sr. Member
****
Offline Offline

Activity: 333
Merit: 250



View Profile
April 12, 2014, 02:51:31 AM
 #15

For whatever its worth, I had Microsoft Security Essentials report a similar thing on my recently installed 0.9.1 on Windows x64.

Detected Item
Virus:BAT/Dakuma.1935

Alert level
Severe

Category: Virus

Description: This program is dangerous and replicates by infecting other files.

Recommended action: Remove this software immediately.

Items:
file:C:\Users\*\AppData\Roaming\Bitcoin\chainstate\313280.sst

Get more information about this item online.


1DentLdiRMv3dpmpmqWsQev8BUaty9vN3v
LightRider
Legendary
*
Offline Offline

Activity: 1500
Merit: 1021


I advocate the Zeitgeist Movement & Venus Project.


View Profile WWW
April 12, 2014, 03:39:44 AM
 #16

Got this in MSE:

Quote
Virus:DOS/Stoned

Category: Virus

Description: This program is dangerous and replicates by infecting other files.

Recommended action: Remove this software immediately.

Items:
file:C:\Users\xxxxx\AppData\Roaming\Bitcoin\chainstate\162057.sst

Bitcoin combines money, the wrongest thing in the world, with software, the easiest thing in the world to get wrong.
Visit www.thevenusproject.com and www.theZeitgeistMovement.com.
laflaflaf
Member
**
Offline Offline

Activity: 94
Merit: 10


View Profile
April 13, 2014, 10:52:09 AM
 #17

What AV is this

TheSmurfsCoin:Tn5HRXnMmbVQoDjsz3rgSZwZwQyz5JNXr2
ShareCoin:SfE8LN2MLVV5XHmKLizjZonAHYPMFS1muN
FootballCoin:Fe6JUNh9j9CB5pagUxWwifoSsNyLeU3md5
dimirfu
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
April 13, 2014, 04:09:12 PM
 #18

a  good idea ! sound  like  a  generation of  revolution
drummerjdb666
Full Member
***
Offline Offline

Activity: 244
Merit: 101



View Profile
April 14, 2014, 02:14:52 AM
 #19

Just noticed something similar after doing a full scan with avast.  I used a couple other scanners as well but avast was the only one that picked these up.   And reading the earlier reply it seems like if I re-download the blockchain these will still appear because they aren't actually on my pc and can't affect me?  (at least that's how I understand it?)  Any ideas?


Klestin
Hero Member
*****
Offline Offline

Activity: 493
Merit: 500


View Profile
April 17, 2014, 02:37:23 AM
 #20

1) Set virus scanner to scan only executables/scriptables
2) No more false positives
3) Faster PC
4) Profit

Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!