microsoft/GraphEngine

Trojan in trinity.dll

Diaaz opened this issue · 14 comments

Diaaz commented

Your prebuilt trinity.dll in the lib folder and our own built trinity.dll both contain a trojan according to Trendmicro. You can try this yourself in an online scanner like https://virusscan.jotti.org or on your local machine using https://www.trendmicro.com/en_nl/forHome/products/housecall.html.

One of our customers raised an issue at Trendmicro and this is their response:
We have analyzed the following file and verified this to be malicious. We will be retaining its current detection as:
Trinity.dll (SHA1:89587d26164ecab114233cf5873b1c2f044ba2de) as Trojan.Win64.BAZALOADER.SMYAAJ-A
The detection pattern is already included in the latest Smart Scan pattern in the Conventional Enterprise OPR (18.535.00).

Do you have any idea how to fix this?

Kind regards,
Jeroen

Hi. I am running local security scans now on two of my dev and build machines. I, like you, have applications deployed to users for a few years now and we have never seen this problem. I perform local builds and do update the lib folder contents. We perform a scan before we ship all of our apps; we have never run into this problem. I'll get back to you shortly.

Okay, I have scanned two machines now and these files in particular the machines are clean. I use the built-in Windows 11 Defender (complete scan) and Malwarebytes (most rigorous) for Teams 4.5.32; I will now run an offline scan as well.

Diaaz commented

Thanks for checking. Only Trendmicro detects it as a trojan, but that is exactly the scanner some of our customers are using. This is the output of jotti.org on trinity.dll (from your lib folder).

I am also testing using TotalAV and it does not report the file to contain a Trojan. I will check with one other party; my guess is that this may be a false positive. I will check with another objective party that tracks Trojan signatures.

Diaaz commented

Thanks! If it is a false positive, do you know how to work around that? TrendMicro says it is a trojan, but can recompiling trinity in some other way work around that? The problem is we cannot deploy to some customers now, because they use trendmicro.

@Diaaz I think you have answered this question already; have you tried to build the trinity.dll yourself? As you know the trinity.dll is written in C++; I will review the compile process as well as the libraries used in the build process. I will get back to you shortly. What time zone are you in?

Diaaz commented

Yes, we have built it ourselves and that does not solve the problem. Still a 'trojan'. I am in Central European Time.

I will run this past the Microsoft C++ Security runtime group. I don't see the problem on my build machines. I am building with the Spectre Intel fix. I will also see if the Microsoft Research team has any time ideas. I have never encountered a problem like this.

@Diaaz I found the code that represents what looks to be a Trojan, and I can almost guarantee you that it is not. I just need to verify what I found with the Microsoft Graph Engine team lead; what you see in the DLL is the SHA-512 encoding of the word, TRINITY. :-)
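A small triage script, added here as an example and not part of the GraphEngine project, that checks two things discussed in this thread: whether a trinity.dll on disk is the exact build Trend Micro flagged (SHA-1 quoted above) and whether the SHA-512 of the word TRINITY actually occurs in the file, in any of the forms a build might embed it. The `lib/trinity.dll` path is an assumption; a match on the digest only confirms the claim about what the bytes are, not why a scanner signature fired.

```python
import hashlib
import sys
from pathlib import Path

# SHA-1 quoted in the Trend Micro response earlier in this thread.
FLAGGED_SHA1 = "89587d26164ecab114233cf5873b1c2f044ba2de"


def sha512_markers(word: str = "TRINITY") -> dict:
    """Forms in which SHA-512(word) could appear inside a binary:
    raw 64-byte digest, lower/upper-case hex ASCII, and UTF-16LE hex
    (string literals in Windows DLLs are often UTF-16)."""
    digest = hashlib.sha512(word.encode()).digest()
    hexs = digest.hex()
    return {
        "raw": digest,
        "hex_lower": hexs.encode(),
        "hex_upper": hexs.upper().encode(),
        "hex_utf16le": hexs.encode("utf-16-le"),
    }


def triage(data: bytes) -> dict:
    """Return the SHA-1 of `data`, whether it is the flagged build, and the
    offset of each SHA-512("TRINITY") form that occurs in the bytes."""
    sha1 = hashlib.sha1(data).hexdigest()
    offsets = {name: data.find(pat) for name, pat in sha512_markers().items()}
    return {
        "sha1": sha1,
        "matches_flagged_build": sha1 == FLAGGED_SHA1,
        "sha512_trinity_offsets": {k: v for k, v in offsets.items() if v != -1},
    }


def triage_file(path: str) -> dict:
    """Convenience wrapper: triage a file by path (path is an assumption)."""
    return triage(Path(path).read_bytes())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "lib/trinity.dll"
    print(triage_file(target))
```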

Diaaz commented

Do you know why the previous version is found 'clean'? Is this sha-512 encoding added in the last version?

Following this topic out of interest.

@Diaaz There is absolutely no Trojan in the prebuilt binary. Since all the source code can be found in this public repository, everyone can inspect it. It is possible that a certain binary sequence triggered the false alarm. I have recently updated the dependencies and rebuilt the binary files in the "lib" folder using the latest source code in the repo. I believe this issue has been resolved with the updated files. Here are the scanning results using the URL mentioned in your post:

I believe the issue has been resolved, so I will be closing this issue. Feel free to reopen it if you have any further questions.

Diaaz commented

@shaobin Thanks! Problem solved.