java-native/jssc

jssc-2.9.2-javadoc.jar may contain virus Trojan:Java/Tisifi.A

Joe321 opened this issue · 8 comments

Windows 10 indicates the 2.9.2 download of jssc-2.9.2-javadoc.jar contains virus Trojan:Java/Tisifi.A. Same for 2.9.1 and 2.9.0.

tresf commented

Which Windows version exactly and which exact virus definitions?

Will close if this information is not provided.

Edition Windows 10 Pro
Version 20H2
Installed on 7/31/2020
OS build 19042.685
Experience Windows Feature Experience Pack 120.2212.551.0

Already provided the virus name. Something else you need there?

Similar. I run Windows 7 SP1, with Comodo Internet Security Premium. I don't even get it detected. It just won't read it as a javadoc in Netbeans. 2.9.2 -> 2.9.0 all have the same issue.

tresf commented

> Already provided the virus name. Something else you need there?

Microsoft lists absolutely no technical details about this "virus", so figuring out what's triggering it will take some time.

> Similar. I run Windows 7 SP1, with Comodo Internet Security Premium

I will keep this bug report to Windows Defender only. Not only is Windows 7 EOL, but Comodo is a very intrusive AV solution, one which breaks good FOSS software. I can't in good faith entertain any bug reports against Comodo.

> Windows 10 indicates the 2.9.2 download of jssc-2.9.2-javadoc.jar contains virus Trojan:Java/Tisifi.A. Same for 2.9.1 and 2.9.0.

I've reproduced on Windows 10 with Defender, taking a look now to see which parts of the javadoc are triggering it. I have a feeling it has something to do with the JavaScript files that are bundled. I'll update this thread with what I find.

tresf commented

What's peculiar is when I scan this file manually using "Scan with Microsoft Defender", it reports nothing, but when downloading from GitHub, it gets auto-quarantined.

I've also scanned all of the JavaScript files inside this JAR to no avail.

So I'm still a bit puzzled as to where it thinks this virus lives as well as why it's triggered on download only.

tresf commented

I've found about 3 (edit: 11) other bug reports involving javadocs matching Trojan:Java/Tisifi.A/B/C and all are false positives. To confirm this, I ran the file through VirusTotal, which uses many AV engines at once. The report is here and it's clean: https://www.virustotal.com/gui/url/f4d6cd987cc68de0680d08805430c40f75285ae166ea979c5b0de006969080c6/detection

At this time, I recommend you reach out to your AV providers and ask them to whitelist this file due to it being reported as a false-positive. My guess is, something in the javadoc .jar generation closely matches the signature of a known Java exploit, which means this will continue to happen over and over and waste the time of developers like you and me.

If we could gather more information on this virus, we may be able to learn what triggers it. For example, the version of Java which created these Java docs may play a part. I've reached out to the AdoptOpenJDK community to see if they're aware; some of the maintainers work directly for Microsoft, although I don't expect any insight, as these detection techniques and definitions may be proprietary information, and if Comodo detects it too, it's not limited to Defender definitions.

I'm also not 100% certain that the .jar files are a false-positive, because I have no evidence disproving this, but the behavior of the manual scan combined with the VirusTotal scan is my best effort to investigate, escalate and resolve.

Closing as invalid. Please reopen if you find evidence (or steps to provide evidence) otherwise.
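The triage described in this comment (checking the bundled JavaScript files and the Java version that generated the javadoc) can be scripted. The following is an added example, not part of the original thread or the jssc project: it inventories a JAR without executing anything, reads the manifest's `Created-By` attribute, and hashes the archive and each `.js` entry so the values can be attached to a false-positive submission. The function names and the sample JAR contents are constructed for illustration.

```python
import hashlib
import io
import posixpath
import zipfile
from collections import Counter


def inventory_jar(data: bytes) -> dict:
    """Summarise a JAR for false-positive triage; nothing inside is executed."""
    report = {"sha256": hashlib.sha256(data).hexdigest(),
              "created_by": None, "by_ext": Counter(), "scripts": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lstrip(".").lower()
            report["by_ext"][ext] += 1
            body = jar.read(info)
            if name == "META-INF/MANIFEST.MF":
                # Created-By records the JDK that built the archive.
                for line in body.decode("utf-8", "replace").splitlines():
                    key, _, value = line.partition(":")
                    if key.strip().lower() == "created-by":
                        report["created_by"] = value.strip()
            elif ext == "js":
                # Per-file hashes let two releases be compared script by script.
                report["scripts"][name] = hashlib.sha256(body).hexdigest()
    return report


def build_sample_jar() -> bytes:
    """Constructed sample standing in for a javadoc JAR (not the real jssc file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nCreated-By: 11.0.9 (Constructed Vendor)\r\n")
        jar.writestr("index.html", "<html></html>")
        jar.writestr("script.js", "function show(type) {}")
        jar.writestr("jquery/jquery-3.x.js", "/* constructed placeholder */")
    return buf.getvalue()


if __name__ == "__main__":
    r = inventory_jar(build_sample_jar())
    print("jar sha256:", r["sha256"])
    print("Created-By:", r["created_by"])
    print("entries by extension:", dict(r["by_ext"]))
    for name, digest in sorted(r["scripts"].items()):
        print(digest, name)
```

To inspect a real download, pass the file's bytes to `inventory_jar` instead of the constructed sample.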

tresf commented

Submitted false-positive to Microsoft. In the future, please take the initiative to do this yourselves! 🍻