Opened 5 years ago

Closed 5 years ago

#57713 closed defect (invalid)

McAfee virus scanner caught something in 'test-pdb.exe' as 'RDN/Generic.cpt' trojan

Reported by: jakehurst (Justine Akehurst)
Owned by:
Priority: High
Milestone:
Component: base
Version: 2.5.4
Keywords: sierra
Cc:
Port: Base

Description

I was running MacPorts 'selfupdate' today to update my ports list, and my virus scanner caught something in '/opt/local/var/macports/build/test-pdb.exe' as something called a 'RDN/Generic.cpt' Trojan.

Virus scanner says it 'cleaned' the file.

Attachments (2)

Screen Shot 2018-12-02 at 1.17.07 PM.png (330.3 KB) - added by jakehurst (Justine Akehurst) 5 years ago.
Screenshot of the dialog that shows that McAfee caught a trojan in MacPorts base.
Screen Shot 2018-12-02 at 1.18.56 PM.png (124.1 KB) - added by jakehurst (Justine Akehurst) 5 years ago.
Another screenshot of McAfee, which seems to show more of an exact location of 'test-pdb.exe'


Change History (7)

Changed 5 years ago by jakehurst (Justine Akehurst)

Screenshot of the dialog that shows that McAfee caught a trojan in MacPorts base.

Changed 5 years ago by jakehurst (Justine Akehurst)

Another screenshot of McAfee, which seems to show more of an exact location of 'test-pdb.exe'

comment:1 Changed 5 years ago by jmroot (Joshua Root)

That file is not part of MacPorts base. Not sure how it got into the top level of the build directory, but this seems relevant? http://lists.llvm.org/pipermail/cfe-users/2017-April/001131.html

comment:2 Changed 5 years ago by jmroot (Joshua Root)

Oh I see, your second screenshot shows that it's not in the top level, it's in a particular port's subdirectory. Unfortunately the middle part that shows which port it belongs to has been abbreviated with an ellipsis. Can you determine the full path?

I would guess it's part of the test suite for one of the llvm ports, but let's make sure.

comment:3 Changed 5 years ago by jakehurst (Justine Akehurst)

OK, googled a little deeper and found this article: http://lists.llvm.org/pipermail/lldb-dev/2016-November/011568.html

The source code is here:

https://llvm.org/svn/llvm-project/lldb/branches/google/testing/unittests/SymbolFile/PDB/Inputs/test-pdb.cpp

And it definitely does nothing. Most of these AV are heuristic; it's probably suspicious about the fact that it's linked with unusual settings (i.e. /nodefaultlib), which we did in order to minimize the binary size (the pdb is quite large if we don't do this).

On Mon, Nov 7, 2016 at 4:03 PM Jim Ingham via lldb-dev < lldb-dev at lists.llvm.org> wrote:

Over in the Swift GitHub, somebody filed:

https://bugs.swift.org/browse/SR-3147

with the claim that this file contains a trojan? Dunno if this is bogus or not, but it's worth somebody on the Windows side checking it out...

Jim

So, this is benign.

comment:4 Changed 5 years ago by jakehurst (Justine Akehurst)

Feel free to close this ticket.

comment:5 Changed 5 years ago by jmroot (Joshua Root)

Resolution: invalid
Status: new → closed