mastahofdesastah (OP), April 04, 2014, 04:28:21 PM
Hi folks, I think it's a false positive, but to be sure... Since yesterday 01:20 GMT+1 my AV goes crazy. Multiple times per minute it reports viruses on my sst files from the QT client. I deleted all the files manually, and now it's downloading the blockchain files again. Paranoia? Or is some dropper/downloader downloading viruses into these files, and maybe another program is trying to execute them? After the blockchain reset it seems OK, but still downloading... First 5 min of log; after that the viruses changed: Dakuma.Trojan, PRSC1024, Spoiler, Intruder.1319

04.04.2014 01:21 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224097.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:21 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224092.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:21 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224087.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:21 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224082.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:21 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224077.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:21 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224072.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224067.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224062.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224057.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224052.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224047.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224042.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224037.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224032.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224027.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access
04.04.2014 01:20 [Real-time scanner] Malware found. In the file 'C:\Users\unknow\AppData\Roaming\Bitcoin\chainstate\1224022.sst' a virus or unwanted program '7thSon-B' [virus] was found. Action taken: Deny access

aceat64, April 04, 2014, 10:12:04 PM
This is likely a false positive; I imagine someone is having a laugh by loading virus signatures into the blockchain after reading this thread: https://bitcointalk.org/index.php?topic=554738.0
Also of note, this type of post should go to the Technical Support board, not Dev.

mastahofdesastah (OP), April 04, 2014, 10:21:06 PM
Aahh, I thought some kiddies. I'll delete the thread in a few min if the mods didn't place it right. Thank you

gmaxwell (Moderator), April 04, 2014, 11:00:21 PM
> Since yesterday 01:20 GMT+1 my AV goes crazy. Multiple times per minute it reports viruses on my sst files from the QT client. I deleted all the files manually, and now it's downloading the blockchain files again.
What AV is this? (as an aside, have you reported the false positives?) Anything that is actively scanning the leveldb files in real time is going to be very bad for performance.

mastahofdesastah (OP), April 04, 2014, 11:31:24 PM
Avira free AV
Good idea, i will report it tomorrow.
I added the chainstate folder to scan exceptions, but that's not the solution for everyone...

sebastian, April 05, 2014, 12:45:15 AM (last edit: April 05, 2014, 01:02:26 AM by sebastian)
The little problem with classifying these as FP is that they aren't false positives. It is actually a virus loaded into the blockchain, but in such a way that the virus cannot be used or executed. This means that the AV company has 2 choices: either leave the issue as it is and keep the detection, thus catching both the real virus and the blockchain, or remove the signature altogether, but that would give the real virus an exception and no detection on the real virus.
So basically, there are 2 types of "nuisance detection":
1. A false positive. A false positive is defined as when the antivirus detects a file that's not intended to be detected. For example: an AV detects the genuine bitcoind as a bitcoin-stealing trojan, because the real trojan had bitcoind embedded. That can be easily solved by extending the signature so it requires something more, this "more" being the difference between the fake bitcoind and the real bitcoind.
2. A correct positive that still is a nuisance detection: for example this case, detecting viruses in the blockchain. Same with detections that occur because people post loveletter source code in forums and such, and the AV attacks the cache of the web browser. That's not really a false positive; rather it's a nuisance detection that still is a detection of a correct virus. The only solution here is to remove the signature altogether, leaving the real virus free time.
It's really not possible for the AV to "whitelist" the location of the QT SST files carelessly, since if a non-BTC user (or a user that does not use the QT client but another client) then gets the virus, the virus can hide in the QT SST files location (since the real client does not occupy the location) to go under the radar. Thus BTC users must whitelist the location themselves.
Hashing or signing "accepted" SST files must be done on BTC's end, not the AV end, and AV programs need to in some way "learn to read and verify these signatures", since the SST files depend on the time at which blocks arrived at the client, and thus each SST file is unique. (SST files are, according to documentation, not stored in block order, rather in block receive order, which means blocks can appear to be "out of order" in the file.)
Since that's not gonna happen (AV companies are not going to learn another file signature protocol, nor will they give out an API for signing files to get them excepted, for obvious security reasons, especially not to open source software developers, because then the virus makers can simply "sign" their viruses), a better idea is: it's really a hard dilemma, and that's why I said that we need to encode the blocks in ways that clients cannot predict (and thus cannot encode addresses or transactions that would in encoded state match an antivirus signature).

gmaxwell (Moderator), April 05, 2014, 03:16:57 AM
> The little problem with classifying these as FP is that they aren't false positives.
That isn't true. It's being triggered by little 16 byte sequences (for example); no virus itself is 16 bytes long. You may also note that it doesn't actually report _anything_ against the actual blockchain, only the leveldb SST files. It's not a really hard dilemma at all: obfuscating the block files was a suggestion made back in 2010 or 2011; it's a relatively trivial change, but I'm not eager to do it if it's not absolutely necessary, as doing so will break Armory and any other tool that processes the blocks, and still won't provide complete confidence against broken AV software because they're being triggered by obscenely short strings... In your extended diatribe above it would have been nice if you'd explained why the report here is against the sst files only and not the actual blockchain.
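To make the two points above concrete (short byte patterns firing on attacker-influenced data files, and obfuscating the on-disk encoding as the "relatively trivial change"), here is an added example. It is not code from this thread or from Bitcoin Core: the 16-byte "signature", the SST-like file layout and the 8-byte random per-database key are all invented for the demo. It builds a constructed data file with the pattern embedded, shows that a plain substring scanner flags it, works out how often a pattern of that length would match by accident, and then shows that the same file XORed with a key the writer of the pattern could not know no longer contains it while still decoding back to the original.

```python
import random
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a short AV signature: 16 arbitrary bytes. The value
# is invented for this demo and does not correspond to any real detection.
SIGNATURE = bytes.fromhex("5ec7e1ba8d4f21a3c9e0d2b44f7a9c11")


def build_data_file(payload: bytes, size: int = 64 * 1024, seed: int = 7) -> bytes:
    """Constructed stand-in for an SST-like data file: deterministic
    pseudo-random filler with `payload` written at a fixed offset, the way a
    block or transaction carrying third-party-chosen bytes ends up inside the
    chainstate database."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(size))
    off = size // 3
    return filler[:off] + payload + filler[off + len(payload):]


def naive_scan(data: bytes, sigs: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """What a plain byte-pattern scanner does: report every signature that
    occurs anywhere in the file, with its offset."""
    hits = []
    for name, pattern in sigs.items():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(pattern, pos + 1)
    return hits


def expected_chance_hits(sig_len: int, file_size: int) -> float:
    """Expected number of *accidental* matches of a sig_len-byte pattern in
    file_size bytes of uniformly random data (one per 2**(8*sig_len)
    positions). For 16 bytes this is ~0, so a hit means the bytes were put
    there on purpose; for 2 bytes it is a certainty in any large file."""
    return file_size / float(2 ** (8 * sig_len))


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key restores the
    data. This is not encryption: the key is stored beside the database and
    exists only so that a pattern chosen before the key existed cannot
    appear verbatim on disk."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def demo(key: Optional[bytes] = None) -> dict:
    """Scan the same constructed file before and after obfuscation."""
    key = key or secrets.token_bytes(8)  # assumption: random 8-byte per-database key
    plain = build_data_file(SIGNATURE)
    obfuscated = xor_obfuscate(plain, key)
    sigs = {"demo-sig": SIGNATURE}
    return {
        "plain_hits": naive_scan(plain, sigs),
        "obfuscated_hits": naive_scan(obfuscated, sigs),
        "roundtrip_ok": xor_obfuscate(obfuscated, key) == plain,
        "chance_hits_16B_in_2MB": expected_chance_hits(16, 2 * 1024 * 1024),
        "chance_hits_2B_in_2MB": expected_chance_hits(2, 2 * 1024 * 1024),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats worth keeping in mind. The XOR key only defeats patterns chosen before the key existed; anyone who can read the key from disk can craft input that matches after obfuscation, so this is a nuisance fix and not a security boundary. And, as gmaxwell says, it changes the on-disk format, so every external tool that parses those files has to learn the key. Later versions of Bitcoin Core did apply a random XOR key of exactly this kind to the chainstate database for this reason.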

alemur, April 05, 2014, 09:57:08 AM
Same thing with another AV; it shows one sst file has 'Dutch (Sequence)' malware. Even after adding it to exceptions, bitcoin-qt stops with a fatal error: EXCEPTION: 13leveldb_error, Database I/O error ...\bitcoin-qt.exe in Runaway exception. Reinstallation of the bt client doesn't help. WTF, any ideas? Should have probably made a copy of the blockchain... (

mastahofdesastah (OP), April 05, 2014, 10:02:32 AM
I added the whole chainstate folder to exceptions. Since then the AV is happy. Some of the "viruses" seem over 20 years old

alemur, April 05, 2014, 10:40:01 AM
mastahofdesastah, thanks for the hint, now it's OK. Although it's a scary thing to do ) The folder's quite sensitive, isn't it?
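For readers who, like the two posters above, end up excluding the directory, here is an added example of doing it narrowly. It is not from the thread and it assumes Microsoft Defender's PowerShell module (Add-MpPreference / Get-MpPreference), which Avira and the 2014-era MSE discussed here do not expose; for those products the same scoping is done in their exclusion dialogs. It also assumes the data directory layout of Bitcoin Core 0.8 and later on Windows, where chainstate and blocks\index are the two LevelDB databases that hold network-supplied bytes. The point is to exclude only those, and then confirm that wallet.dat is still inside the scanned set.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the thread or of Bitcoin Core.
$dataDir = Join-Path $env:APPDATA 'Bitcoin'

# Exclude only the LevelDB directories that store data received from the
# network; do not exclude the data directory as a whole.
$leveldbDirs = @(
    (Join-Path $dataDir 'chainstate'),
    (Join-Path $dataDir 'blocks\index')
)
foreach ($dir in $leveldbDirs) {
    Add-MpPreference -ExclusionPath $dir
}

# Verify: no exclusion may cover the wallet file.
$wallet     = Join-Path $dataDir 'wallet.dat'
$exclusions = (Get-MpPreference).ExclusionPath
$covering   = $exclusions | Where-Object { $wallet -like "$_*" }

if ($covering) {
    Write-Warning "wallet.dat is inside an excluded path: $($covering -join '; ')"
} else {
    Write-Host "Exclusions: $($exclusions -join '; ')"
    Write-Host "wallet.dat remains scanned."
}
```

Excluding a path does not make the files in it safe to run; it only stops the scanner from touching bytes that the node was always going to treat as data. Keep the wallet, the executable and the rest of the profile under normal scanning, and revisit the exclusion if the data directory is ever moved.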

Sukrim, April 05, 2014, 11:02:45 AM
http://en.wikipedia.org/wiki/EICAR_test_file is ~70 bytes but might be worth a try if you want to mess with virus scanners... (calling them "anti virus" programs is a bit too flattering imho).

michagogo, April 06, 2014, 06:57:43 PM
IIRC the test string doesn't trigger in the middle of another file, so that won't do anything.

Sukrim, April 06, 2014, 07:07:55 PM
Yeah, just tried it - neither works in the middle, end nor beginning of a file if there is any other data beyond just the EICAR test string.
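Why embedding the test string inside other data does nothing, as an added example that is not part of the thread: the EICAR specification requires the 68-byte string to be the start of the file, allows at most 128 bytes in total, and permits only whitespace after the string, so scanners implement it as a whole-file check. That is the opposite of the short substring matches firing on the SST files. The detector below follows the published rule; the inputs are constructed to mirror the experiment above, and the string is assembled from fragments only so that this source file is not itself a bare EICAR file.

```python
# The standard 68-byte EICAR test string, joined at runtime.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")
assert len(EICAR) == 68

# Trailing bytes the EICAR spec allows after the string.
_ALLOWED_TAIL = set(b" \t\r\n\x1a")


def is_eicar_file(data: bytes) -> bool:
    """Whole-file check as the EICAR spec defines it: the string must start
    the file, the file may be at most 128 bytes long, and anything after the
    string must be whitespace (space, tab, CR, LF, Ctrl-Z)."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return all(b in _ALLOWED_TAIL for b in data[len(EICAR):])


def substring_hit(data: bytes) -> bool:
    """What a plain byte-pattern signature would report instead."""
    return EICAR in data


def classify_cases() -> dict:
    """Constructed inputs mirroring the experiment in the thread. Returns
    {name: (spec_conforming_detection, substring_detection)}."""
    filler = bytes(range(256)) * 16  # 4 KiB of constructed non-whitespace data
    cases = {
        "bare": EICAR,
        "bare_plus_newline": EICAR + b"\r\n",
        "at_start_of_bigger_file": EICAR + filler,
        "in_middle": filler[:2048] + EICAR + filler[2048:],
        "at_end": filler + EICAR,
        "padded_past_128": EICAR + b" " * 100,
    }
    return {name: (is_eicar_file(d), substring_hit(d)) for name, d in cases.items()}


if __name__ == "__main__":
    for name, (spec, substring) in classify_cases().items():
        print(f"{name:24s} spec={spec!s:5s} substring={substring}")
```

Only the first two cases are EICAR files under the spec; every other case is detected by the substring scanner and by nothing that honours the rule, which is exactly what Sukrim observed.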

gmaxwell (Moderator), April 07, 2014, 03:37:32 PM
https://people.xiph.org/~greg/m.sst is a 16 byte sequence that appears to trigger anywhere in the file for clamav, so long as the file is under 32 MBytes in size.

dentldir, April 12, 2014, 02:51:31 AM
For whatever it's worth, I had Microsoft Security Essentials report a similar thing on my recently installed 0.9.1 on Windows x64.
Detected Item Virus:BAT/Dakuma.1935
Alert level Severe
Category: Virus
Description: This program is dangerous and replicates by infecting other files.
Recommended action: Remove this software immediately.
Items: file:C:\Users\*\AppData\Roaming\Bitcoin\chainstate\313280.sst

LightRider, April 12, 2014, 03:39:44 AM
Got this in MSE: Virus:DOS/Stoned
Category: Virus
Description: This program is dangerous and replicates by infecting other files.
Recommended action: Remove this software immediately.
Items: file:C:\Users\xxxxx\AppData\Roaming\Bitcoin\chainstate\162057.sst

laflaflaf, April 13, 2014, 10:52:09 AM
What AV is this?

dimirfu, April 13, 2014, 04:09:12 PM
A good idea! Sounds like a generation of revolution

drummerjdb666, April 14, 2014, 02:14:52 AM
Just noticed something similar after doing a full scan with avast. I used a couple of other scanners as well, but avast was the only one that picked these up. And reading the earlier reply, it seems like if I re-download the blockchain these will still appear, because they aren't actually on my PC and can't affect me? (at least that's how I understand it?) Any ideas?

Klestin, April 17, 2014, 02:37:23 AM
1) Set virus scanner to scan only executables/scriptables
2) No more false positives
3) Faster PC
4) Profit