public inbox for cygwin@cygwin.com
* Re: anybody else also infected
@ 2002-02-14 12:38 Jerry Boonstra
  0 siblings, 0 replies; 20+ messages in thread
From: Jerry Boonstra @ 2002-02-14 12:38 UTC (permalink / raw)
  To: cygwin

I have the same problem.  NAV update 2/13/02 rev 6 reports that
the cygz.dll file succumbs to the Backdoor.EggHead virus.  I'm
using OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL
0x0090603f.

Is this a valid issue?  Is there a workaround, like backing out
to an older version?

j e r r y

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* RE: anybody else also infected
  2002-02-14  8:36                 ` Christopher Faylor
@ 2002-02-14 23:22                   ` Gary R. Van Sickle
  0 siblings, 0 replies; 20+ messages in thread
From: Gary R. Van Sickle @ 2002-02-14 23:22 UTC (permalink / raw)
  To: cygwin

> Thank you, Mr. Norton!
> 
> cgf
>
 
Number of times I've lost data to a virus: 0.
Number of times I've been alerted to a real virus by a virus scanner: 0.
Number of times I've lost data to a virus scanner: 2.

Norton, McAfee, they all go in the same hopper as far as I'm concerned.

(Figured I'd better get in on this thread before it dies out ;-))

-- 
Gary R. Van Sickle
Brewer.  Patriot. 




* Re: anybody else also infected
  2002-02-14  7:58               ` Larry Hall (RFK Partners, Inc)
@ 2002-02-14  8:36                 ` Christopher Faylor
  2002-02-14 23:22                   ` Gary R. Van Sickle
  0 siblings, 1 reply; 20+ messages in thread
From: Christopher Faylor @ 2002-02-14  8:36 UTC (permalink / raw)
  To: cygwin

On Thu, Feb 14, 2002 at 10:54:43AM -0500, Larry Hall (RFK Partners, Inc) wrote:
>>My opinion is that common-sense practices don't belong in the FAQ.
>
>I have to say I agree.  However, common sense seems to be loosely
>interpreted on this list.  I guess the question is how much of a
>substitute for common sense should the FAQ be?  ;-)
>
>For those that need the added support, I think the altered wording that
>David suggests (i.e.  don't bother the list with virus alerts if you
>can't confirm them yourself) is worthwhile, considering that we already
>have a couple of virus entries.  Of course, I have no delusions that
>having FAQ entries or changed wording will eliminate virus postings to
>this list.  I personally would just like to be able to point to the
>entry in response and have that end the thread.  OK, I know, I'm still
>living close to my utopia.  ;-)

Ok.  You don't live that far from me.  I'll drive over and visit your utopia
for a while.  :-)

I agree that some additional words like that will at least give us the
satisfaction of saying "Did you read the FAQ?" when they are inevitably
ignored.

That's the best we can hope for here, I think.

FWIW, I've now gotten two internal-to-redhat queries about this "problem".

Thank you, Mr. Norton!

cgf


* Re: anybody else also infected
  2002-02-14  7:37             ` Christopher Faylor
@ 2002-02-14  7:58               ` Larry Hall (RFK Partners, Inc)
  2002-02-14  8:36                 ` Christopher Faylor
  0 siblings, 1 reply; 20+ messages in thread
From: Larry Hall (RFK Partners, Inc) @ 2002-02-14  7:58 UTC (permalink / raw)
  To: cygwin

At 10:37 AM 2/14/2002, you wrote:
>On Thu, Feb 14, 2002 at 03:31:22PM +0000, David Starks-Browning wrote:
> >On Thursday 14 Feb 02, Peter Buckley writes:
> >> I agree about the healthy skepticism- this was obviously a false 
> >> positive from the very start, but I don't think the faq addresses this 
> >> type of false positive.
> >
> >Addressing virus alerts in the FAQ has always been a dilemma for me.
> >I do not like to give the advice "disable your antivirus software" or
> >"turn off checking for C:\cygwin".  It seems to me that such action
> >could be exploited.
> >
> >Should the FAQ say something like "do not bother the list with virus
> >alerts unless you have independently verified that it is not a false
> >positive"?  This would apply to all Cygwin software, package archives,
> >DLLs, ...
> >
> >There was a special problem with Cygwin Setup because NAI/McAfee would
> >hang the system when opening tar.gz archives.  Maybe this is not a
> >problem anymore, and can be removed from the FAQ.  Or the advice could
> >be simplified to be "update your antivirus software or replace it with
> >another vendor's product".  Of course not everyone can do that, but
> >that's not our problem.
> >
> >Thanks for your opinions.
>
>My opinion is that common-sense practices don't belong in the FAQ.


I have to say I agree.  However, common sense seems to be loosely interpreted
on this list.  I guess the question is how much of a substitute for common
sense should the FAQ be? ;-)

For those that need the added support, I think the altered wording that
David suggests (i.e. don't bother the list with virus alerts if you can't
confirm them yourself) is worthwhile, considering that we already have a
couple of virus entries.  Of course, I have no delusions that having FAQ
entries or changed wording will eliminate virus postings to this list.  I
personally would just like to be able to point to the entry in response and
have that end the thread. OK, I know, I'm still living close to my utopia. ;-)




Larry Hall                              lhall@rfk.com
RFK Partners, Inc.                      http://www.rfk.com
838 Washington Street                   (508) 893-9779 - RFK Office
Holliston, MA 01746                     (508) 893-9889 - FAX



* Re: anybody else also infected
  2002-02-14  7:31           ` David Starks-Browning
  2002-02-14  7:37             ` Christopher Faylor
@ 2002-02-14  7:47             ` Larry Hall (RFK Partners, Inc)
  1 sibling, 0 replies; 20+ messages in thread
From: Larry Hall (RFK Partners, Inc) @ 2002-02-14  7:47 UTC (permalink / raw)
  To: cygwin

At 10:31 AM 2/14/2002, David Starks-Browning wrote:
>On Thursday 14 Feb 02, Peter Buckley writes:
> > I agree about the healthy skepticism- this was obviously a false 
> > positive from the very start, but I don't think the faq addresses this 
> > type of false positive.
>
>Addressing virus alerts in the FAQ has always been a dilemma for me.
>I do not like to give the advice "disable your antivirus software" or
>"turn off checking for C:\cygwin".  It seems to me that such action
>could be exploited.


Right.  I don't think it's good practice for us to recommend that.  NAV
has the ability to list things that should be excluded/skipped.  I 
suppose we could suggest that, although I don't know if this is a common
feature and it still has some risks, though I think it's reasonable.  
Certainly it's the option that one must use if one finds a confirmed false
positive if one doesn't want to be annoyed by the repeated complaints 
until the virus vendor can provide an update (assuming that the virus
software can't "cure" the virus).  In that respect, I personally have no
problems with suggesting that as an option in this case.


>Should the FAQ say something like "do not bother the list with virus
>alerts unless you have independently verified that it is not a false
>positive"?  This would apply to all Cygwin software, package archives,
>DLLs, ...


IMO, absolutely!


>There was a special problem with Cygwin Setup because NAI/McAfee would
>hang the system when opening tar.gz archives.  Maybe this is not a
>problem anymore, and can be removed from the FAQ.  Or the advice could
>be simplified to be "update your antivirus software or replace it with
>another vendor's product".  Of course not everyone can do that, but
>that's not our problem.


I guess this one could be debatable.  I have no firm stance.  I guess 
without any additional data to indicate that this FAQ is no longer 
relevant, leave it to be safe.



Larry Hall                              lhall@rfk.com
RFK Partners, Inc.                      http://www.rfk.com
838 Washington Street                   (508) 893-9779 - RFK Office
Holliston, MA 01746                     (508) 893-9889 - FAX



* Re: anybody else also infected
  2002-02-14  7:31           ` David Starks-Browning
@ 2002-02-14  7:37             ` Christopher Faylor
  2002-02-14  7:58               ` Larry Hall (RFK Partners, Inc)
  2002-02-14  7:47             ` Larry Hall (RFK Partners, Inc)
  1 sibling, 1 reply; 20+ messages in thread
From: Christopher Faylor @ 2002-02-14  7:37 UTC (permalink / raw)
  To: cygwin

On Thu, Feb 14, 2002 at 03:31:22PM +0000, David Starks-Browning wrote:
>On Thursday 14 Feb 02, Peter Buckley writes:
>> I agree about the healthy skepticism- this was obviously a false 
>> positive from the very start, but I don't think the faq addresses this 
>> type of false positive.
>
>Addressing virus alerts in the FAQ has always been a dilemma for me.
>I do not like to give the advice "disable your antivirus software" or
>"turn off checking for C:\cygwin".  It seems to me that such action
>could be exploited.
>
>Should the FAQ say something like "do not bother the list with virus
>alerts unless you have independently verified that it is not a false
>positive"?  This would apply to all Cygwin software, package archives,
>DLLs, ...
>
>There was a special problem with Cygwin Setup because NAI/McAfee would
>hang the system when opening tar.gz archives.  Maybe this is not a
>problem anymore, and can be removed from the FAQ.  Or the advice could
>be simplified to be "update your antivirus software or replace it with
>another vendor's product".  Of course not everyone can do that, but
>that's not our problem.
>
>Thanks for your opinions.

My opinion is that common-sense practices don't belong in the FAQ.

cgf


* Re: anybody else also infected
  2002-02-14  6:35     ` Peter Buckley
  2002-02-14  7:02       ` Larry Hall (RFK Partners, Inc)
@ 2002-02-14  7:37       ` Christopher Faylor
  1 sibling, 0 replies; 20+ messages in thread
From: Christopher Faylor @ 2002-02-14  7:37 UTC (permalink / raw)
  To: cygwin

On Thu, Feb 14, 2002 at 09:35:33AM -0500, Peter Buckley wrote:
>I don't think that faq would have avoided or truncated this thread.  It
>seems related, but it is in fact different.
>
>If someone followed the instructions in the faq, they would have had a
>false positive reported on cygz.dll.  Whenever the cygz.dll file was
>called (say, by invoking cygcheck), the real-time scanning of NAV
>popped up with "cygz.dll is infected with backdoor.egghead, and has
>been quarantined".

Yes, but the original message that started this long thread actually had
an assurance from Symantec indicating that the DLL *was not infected*.

I would have thought that would have been enough to convince people that
this was just a false positive.  But, instead, we have a 14 (and
growing) message thread.

>Maybe an addition to that faq needs to be made, that some antivirus
>programs (specifically symantec) have had false positives on cygwin
>dlls.

This is a fact of life.  It's not a cygwin-specific issue.

cgf


* Re: anybody else also infected
  2002-02-14  7:13         ` Peter Buckley
  2002-02-14  7:19           ` Larry Hall (RFK Partners, Inc)
@ 2002-02-14  7:31           ` David Starks-Browning
  2002-02-14  7:37             ` Christopher Faylor
  2002-02-14  7:47             ` Larry Hall (RFK Partners, Inc)
  1 sibling, 2 replies; 20+ messages in thread
From: David Starks-Browning @ 2002-02-14  7:31 UTC (permalink / raw)
  To: cygwin

On Thursday 14 Feb 02, Peter Buckley writes:
> I agree about the healthy skepticism- this was obviously a false 
> positive from the very start, but I don't think the faq addresses this 
> type of false positive.

Addressing virus alerts in the FAQ has always been a dilemma for me.
I do not like to give the advice "disable your antivirus software" or
"turn off checking for C:\cygwin".  It seems to me that such action
could be exploited.

Should the FAQ say something like "do not bother the list with virus
alerts unless you have independently verified that it is not a false
positive"?  This would apply to all Cygwin software, package archives,
DLLs, ...

There was a special problem with Cygwin Setup because NAI/McAfee would
hang the system when opening tar.gz archives.  Maybe this is not a
problem anymore, and can be removed from the FAQ.  Or the advice could
be simplified to be "update your antivirus software or replace it with
another vendor's product".  Of course not everyone can do that, but
that's not our problem.

Thanks for your opinions.

David
(Cygwin FAQ maintainer)




* Re: anybody else also infected
  2002-02-14  7:13         ` Peter Buckley
@ 2002-02-14  7:19           ` Larry Hall (RFK Partners, Inc)
  2002-02-14  7:31           ` David Starks-Browning
  1 sibling, 0 replies; 20+ messages in thread
From: Larry Hall (RFK Partners, Inc) @ 2002-02-14  7:19 UTC (permalink / raw)
  To: Peter Buckley; +Cc: cygwin

OK, David (Starks-Browning), would you be willing to accommodate Peter's 
request with an FAQ entry or rewording?

Larry Hall                              lhall@rfk.com
RFK Partners, Inc.                      http://www.rfk.com
838 Washington Street                   (508) 893-9779 - RFK Office
Holliston, MA 01746                     (508) 893-9889 - FAX


At 10:12 AM 2/14/2002, Peter Buckley wrote:
>I think we do read the faq differently- when it says "antivirus programs have been known to report false positives when extracting compressed tar archives" and "consider disabling your anti-virus software when running SETUP", I don't associate that with getting a false positive when *not* running setup, or when *not* extracting compressed tar archives.
>
>The directions in the next questions "My computer hangs when I try to run setup.exe" would not have avoided this type of false positive- namely when the realtime scanning pops up and quarantines a dll whenever it is run. I am in favor of a more general faq in light of this *new* development and *new* type of false positive- I don't know what the chances are of this happening in the future, but I would put it in the faq as a note, "NAV has had false positives in the past on cygwin dlls, please remain calm with your seatbelts fastened".
>
>I agree about the healthy skepticism- this was obviously a false positive from the very start, but I don't think the faq addresses this type of false positive.
>
>-Peter
>
>
>Larry Hall (RFK Partners, Inc) wrote:
>
>>OK, perhaps you and I read the FAQ differently.  I read it to indicate that
>>you should assume that any reported infection from Cygwin files is false until you can determine otherwise.  To me, it's worthwhile to inform the
>>list of viruses in any Cygwin related software if the virus is real.  However,
>>a lot of posts about the potential of a virus isn't really helpful to anyone
>>and can lead newbies to panic, adding to the list volume.  Personally, I've
>>never seen a single confirmed virus in any Cygwin software in the more than
>>6 years I've been using it, though I've seen many a report of viruses (hence the FAQ entry about them).  So I view all Cygwin virus reports on this list
>>with a bit of healthy skepticism, unless there is evidence to support doing
>>otherwise.  I'm just suggesting that others take that message to heart and
>>do their homework before posting.
>>Now back to my own little utopia where everything is done right. ;-)
>>Larry Hall                              lhall@rfk.com
>>RFK Partners, Inc.                      http://www.rfk.com
>>838 Washington Street                   (508) 893-9779 - RFK Office
>>Holliston, MA 01746                     (508) 893-9889 - FAX
>>
>>At 09:35 AM 2/14/2002, Peter Buckley wrote:
>>
>>>I don't think that faq would have avoided or truncated this thread. It seems related, but it is in fact different.
>>>
>>>If someone followed the instructions in the faq, they would have had a false positive reported on cygz.dll. Whenever the cygz.dll file was called (say, by invoking cygcheck), the real-time scanning of NAV popped up with "cygz.dll is infected with backdoor.egghead, and has been quarantined".
>>>
>>>Maybe an addition to that faq needs to be made, that some antivirus programs (specifically symantec) have had false positives on cygwin dlls.
>>>
>>>Just as an FYI, this same false positive for backdoor.egghead was seen on the cygwin1.dll from the 1.3.2-1 distribution.
>>>
>>>-Peter
>>>
>>>Larry Hall (RFK Partners, Inc) wrote:
>>>
>>>
>>>>Hm, it seems like this entire thread could have been avoided or at least
>>>>truncated by a simple visit to the FAQ:
>>>>Is setup.exe, or one of the packages, infected with a virus?
>>>>http://cygwin.com/faq/faq_2.html#SEC11
>>>>Larry Hall                              lhall@rfk.com
>>>>RFK Partners, Inc.                      http://www.rfk.com
>>>>838 Washington Street                   (508) 893-9779 - RFK Office
>>>>Holliston, MA 01746                     (508) 893-9889 - FAX
>>>>
>>>>At 08:39 AM 2/14/2002, hongxun lee wrote:
>>>>
>>>>
>>>>>Sorry for the panic...My bet is all you can do is to update the package zlib
>>>>>...
>>>>>NAV this morning had released its new vir-definition..Thanks
>>>>>
>>>>>----- Original Message -----
>>>>>From: "KAMDAR,NILESH (A-Sonoma,ex1)" <nilesh_kamdar2@agilent.com>
>>>>>To: <lee.1801@osu.edu>
>>>>>Sent: Wednesday, February 13, 2002 10:58 PM
>>>>>Subject: anybody else also infected
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Hello Hongxun Lee,
>>>>>>
>>>>>>(I am not on the mailing list of cygwin so I am emailing directly to you)
>>>>>>
>>>>>>I have the same problem. My cygwin1.dll and cygz.dll file are in quarantine.
>>>>>>NAV claims that they are infected with the Backdoor.Egghead virus but I don't
>>>>>>see any other signs besides the above 2 files. I think NAV definitions are
>>>>>>wrong!!!!
>>>>>>
>>>>>>I actually have SEVERAL customers who are going to complain about this
>>>>>>tomorrow. So I am trying to find a quick resolution. I have also posted my
>>>>>>question to Symantec.
>>>>>>
>>>>>>I am hoping that Symantec sends out newer update virus definitions which DO
>>>>>>NOT cause this error.
>>>>>>
>>>>>>Let me know if you get any updates from them.
>>>>>>
>>>>>>Thanks.
>>>>>>--Nilesh Kamdar
>>>>>>
>>>
>>>-- 1 Timothy 4:12 (NIV)- Don't let anyone look down on you because you are young, but set an example for the believers
>>>in speech, in life, in love, in faith, and in purity.
>>>
>>>
>
>
>-- 
>1 Timothy 4:12 (NIV)- Don't let anyone look down on you because you are young, but set an example for the believers
>in speech, in life, in love, in faith, and in purity.



* Re: anybody else also infected
  2002-02-14  7:02       ` Larry Hall (RFK Partners, Inc)
@ 2002-02-14  7:13         ` Peter Buckley
  2002-02-14  7:19           ` Larry Hall (RFK Partners, Inc)
  2002-02-14  7:31           ` David Starks-Browning
  0 siblings, 2 replies; 20+ messages in thread
From: Peter Buckley @ 2002-02-14  7:13 UTC (permalink / raw)
  To: Larry Hall (RFK Partners, Inc); +Cc: cygwin

I think we do read the faq differently- when it says "antivirus programs 
have been known to report false positives when extracting compressed tar 
archives" and "consider disabling your anti-virus software when running 
SETUP", I don't associate that with getting a false positive when *not* 
running setup, or when *not* extracting compressed tar archives.

The directions in the next questions "My computer hangs when I try to 
run setup.exe" would not have avoided this type of false positive- 
namely when the realtime scanning pops up and quarantines a dll whenever 
it is run. I am in favor of a more general faq in light of this *new* 
development and *new* type of false positive- I don't know what the 
chances are of this happening in the future, but I would put it in the 
faq as a note, "NAV has had false positives in the past on cygwin dlls, 
please remain calm with your seatbelts fastened".

I agree about the healthy skepticism- this was obviously a false 
positive from the very start, but I don't think the faq addresses this 
type of false positive.

-Peter


Larry Hall (RFK Partners, Inc) wrote:

> OK, perhaps you and I read the FAQ differently.  I read it to indicate that
> you should assume that any reported infection from Cygwin files is false 
> until you can determine otherwise.  To me, it's worthwhile to inform the
> list of viruses in any Cygwin related software if the virus is real.  However,
> a lot of posts about the potential of a virus isn't really helpful to anyone
> and can lead newbies to panic, adding to the list volume.  Personally, I've
> never seen a single confirmed virus in any Cygwin software in the more than
> 6 years I've been using it, though I've seen many a report of viruses (hence 
> the FAQ entry about them).  So I view all Cygwin virus reports on this list
> with a bit of healthy skepticism, unless there is evidence to support doing
> otherwise.  I'm just suggesting that others take that message to heart and
> do their homework before posting.
> 
> Now back to my own little utopia where everything is done right. ;-)
> 
> Larry Hall                              lhall@rfk.com
> RFK Partners, Inc.                      http://www.rfk.com
> 838 Washington Street                   (508) 893-9779 - RFK Office
> Holliston, MA 01746                     (508) 893-9889 - FAX
> 
> 
> 
> At 09:35 AM 2/14/2002, Peter Buckley wrote:
> 
>>I don't think that faq would have avoided or truncated this thread. It seems related, but it is in fact different.
>>
>>If someone followed the instructions in the faq, they would have had a false positive reported on cygz.dll. Whenever the cygz.dll file was called (say, by invoking cygcheck), the real-time scanning of NAV popped up with "cygz.dll is infected with backdoor.egghead, and has been quarantined".
>>
>>Maybe an addition to that faq needs to be made, that some antivirus programs (specifically symantec) have had false positives on cygwin dlls.
>>
>>Just as an FYI, this same false positive for backdoor.egghead was seen on the cygwin1.dll from the 1.3.2-1 distribution.
>>
>>-Peter
>>
>>Larry Hall (RFK Partners, Inc) wrote:
>>
>>
>>>Hm, it seems like this entire thread could have been avoided or at least
>>>truncated by a simple visit to the FAQ:
>>>Is setup.exe, or one of the packages, infected with a virus?
>>>http://cygwin.com/faq/faq_2.html#SEC11
>>>Larry Hall                              lhall@rfk.com
>>>RFK Partners, Inc.                      http://www.rfk.com
>>>838 Washington Street                   (508) 893-9779 - RFK Office
>>>Holliston, MA 01746                     (508) 893-9889 - FAX
>>>
>>>At 08:39 AM 2/14/2002, hongxun lee wrote:
>>>
>>>
>>>>Sorry for the panic...My bet is all you can do is to update the package zlib
>>>>...
>>>>NAV this morning had released its new vir-definition..Thanks
>>>>
>>>>----- Original Message -----
>>>>From: "KAMDAR,NILESH (A-Sonoma,ex1)" <nilesh_kamdar2@agilent.com>
>>>>To: <lee.1801@osu.edu>
>>>>Sent: Wednesday, February 13, 2002 10:58 PM
>>>>Subject: anybody else also infected
>>>>
>>>>
>>>>
>>>>
>>>>>Hello Hongxun Lee,
>>>>>
>>>>>(I am not on the mailing list of cygwin so I am emailing directly to you)
>>>>>
>>>>>I have the same problem. My cygwin1.dll and cygz.dll file are in quarantine.
>>>>>NAV claims that they are infected with the Backdoor.Egghead virus but I don't
>>>>>see any other signs besides the above 2 files. I think NAV definitions are
>>>>>wrong!!!!
>>>>>
>>>>>I actually have SEVERAL customers who are going to complain about this
>>>>>tomorrow. So I am trying to find a quick resolution. I have also posted my
>>>>>question to Symantec.
>>>>>
>>>>>I am hoping that Symantec sends out newer update virus definitions which DO
>>>>>NOT cause this error.
>>>>>
>>>>>Let me know if you get any updates from them.
>>>>>
>>>>>Thanks.
>>>>>--Nilesh Kamdar
>>>>>
>>>
>>
>>-- 
>>1 Timothy 4:12 (NIV)- Don't let anyone look down on you because you are young, but set an example for the believers
>>in speech, in life, in love, in faith, and in purity.
>>
>>
>>
> 


-- 
1 Timothy 4:12 (NIV)- Don't let anyone look down on you because you are 
young, but set an example for the believers
in speech, in life, in love, in faith, and in purity.



* Re: anybody else also infected
  2002-02-14  6:35     ` Peter Buckley
@ 2002-02-14  7:02       ` Larry Hall (RFK Partners, Inc)
  2002-02-14  7:13         ` Peter Buckley
  2002-02-14  7:37       ` Christopher Faylor
  1 sibling, 1 reply; 20+ messages in thread
From: Larry Hall (RFK Partners, Inc) @ 2002-02-14  7:02 UTC (permalink / raw)
  To: Peter Buckley, cygwin

OK, perhaps you and I read the FAQ differently.  I read it to indicate that
you should assume that any reported infection from Cygwin files is false 
until you can determine otherwise.  To me, it's worthwhile to inform the
list of viruses in any Cygwin related software if the virus is real.  However,
a lot of posts about the potential of a virus isn't really helpful to anyone
and can lead newbies to panic, adding to the list volume.  Personally, I've
never seen a single confirmed virus in any Cygwin software in the more than
6 years I've been using it, though I've seen many a report of viruses (hence 
the FAQ entry about them).  So I view all Cygwin virus reports on this list
with a bit of healthy skepticism, unless there is evidence to support doing
otherwise.  I'm just suggesting that others take that message to heart and
do their homework before posting.

Now back to my own little utopia where everything is done right. ;-)

Larry Hall                              lhall@rfk.com
RFK Partners, Inc.                      http://www.rfk.com
838 Washington Street                   (508) 893-9779 - RFK Office
Holliston, MA 01746                     (508) 893-9889 - FAX



At 09:35 AM 2/14/2002, Peter Buckley wrote:
>I don't think that faq would have avoided or truncated this thread. It seems related, but it is in fact different.
>
>If someone followed the instructions in the faq, they would have had a false positive reported on cygz.dll. Whenever the cygz.dll file was called (say, by invoking cygcheck), the real-time scanning of NAV popped up with "cygz.dll is infected with backdoor.egghead, and has been quarantined".
>
>Maybe an addition to that faq needs to be made, that some antivirus programs (specifically symantec) have had false positives on cygwin dlls.
>
>Just as an FYI, this same false positive for backdoor.egghead was seen on the cygwin1.dll from the 1.3.2-1 distribution.
>
>-Peter
>
>Larry Hall (RFK Partners, Inc) wrote:
>
>>Hm, it seems like this entire thread could have been avoided or at least
>>truncated by a simple visit to the FAQ:
>>Is setup.exe, or one of the packages, infected with a virus?
>>http://cygwin.com/faq/faq_2.html#SEC11
>>Larry Hall                              lhall@rfk.com
>>RFK Partners, Inc.                      http://www.rfk.com
>>838 Washington Street                   (508) 893-9779 - RFK Office
>>Holliston, MA 01746                     (508) 893-9889 - FAX
>>
>>At 08:39 AM 2/14/2002, hongxun lee wrote:
>>
>>>Sorry for the panic...My bet is all you can do is to update the package zlib
>>>...
>>>NAV this morning had released its new vir-definition..Thanks
>>>
>>>----- Original Message -----
>>>From: "KAMDAR,NILESH (A-Sonoma,ex1)" <nilesh_kamdar2@agilent.com>
>>>To: <lee.1801@osu.edu>
>>>Sent: Wednesday, February 13, 2002 10:58 PM
>>>Subject: anybody else also infected
>>>
>>>
>>>
>>>>Hello Hongxun Lee,
>>>>
>>>>(I am not on the mailing list of cygwin so I am emailing directly to you)
>>>>
>>>>I have the same problem. My cygwin1.dll and cygz.dll file are in quarantine.
>>>>NAV claims that they are infected with the Backdoor.Egghead virus but I don't
>>>>see any other signs besides the above 2 files. I think NAV definitions are
>>>>wrong!!!!
>>>>
>>>>I actually have SEVERAL customers who are going to complain about this
>>>>tomorrow. So I am trying to find a quick resolution. I have also posted my
>>>>question to Symantec.
>>>>
>>>>I am hoping that Symantec sends out newer update virus definitions which DO
>>>>NOT cause this error.
>>>>
>>>>Let me know if you get any updates from them.
>>>>
>>>>Thanks.
>>>>--Nilesh Kamdar
>>>>
>>>
>
>
>-- 
>1 Timothy 4:12 (NIV)- Don't let anyone look down on you because you are young, but set an example for the believers
>in speech, in life, in love, in faith, and in purity.

* Re: anybody else also infected
  2002-02-14  6:24   ` Larry Hall (RFK Partners, Inc)
@ 2002-02-14  6:35     ` Peter Buckley
  2002-02-14  7:02       ` Larry Hall (RFK Partners, Inc)
  2002-02-14  7:37       ` Christopher Faylor
  0 siblings, 2 replies; 20+ messages in thread
From: Peter Buckley @ 2002-02-14  6:35 UTC (permalink / raw)
  To: cygwin

I don't think that faq would have avoided or truncated this thread. It 
seems related, but it is in fact different.

If someone followed the instructions in the faq, they would have had a 
false positive reported on cygz.dll. Whenever the cygz.dll file was 
called (say, by invoking cygcheck), the real-time scanning of NAV popped 
up with "cygz.dll is infected with backdoor.egghead, and has been 
quarantined".

Maybe an addition to that faq needs to be made, that some antivirus 
programs (specifically symantec) have had false positives on cygwin dlls.

Just as an FYI, this same false positive for backdoor.egghead was seen 
on the cygwin1.dll from the 1.3.2-1 distribution.

-Peter

Larry Hall (RFK Partners, Inc) wrote:

> Hm, it seems like this entire thread could have been avoided or at least
> truncated by a simple visit to the FAQ:
> 
> Is setup.exe, or one of the packages, infected with a virus?
> http://cygwin.com/faq/faq_2.html#SEC11
> 
> Larry Hall                              lhall@rfk.com
> RFK Partners, Inc.                      http://www.rfk.com
> 838 Washington Street                   (508) 893-9779 - RFK Office
> Holliston, MA 01746                     (508) 893-9889 - FAX
> 
> 
> At 08:39 AM 2/14/2002, hongxun lee wrote:
> 
>>Sorry for the panic...My bet is all you can do is to update the package zlib
>>...
>>NAV this morning had released its new vir-definition..Thanks
>>
>>----- Original Message -----
>>From: "KAMDAR,NILESH (A-Sonoma,ex1)" <nilesh_kamdar2@agilent.com>
>>To: <lee.1801@osu.edu>
>>Sent: Wednesday, February 13, 2002 10:58 PM
>>Subject: anybody else also infected
>>
>>
>>
>>>Hello  Hongxun Lee,
>>>
>>>(I am not on the mailing list of cygwin so I am emailing directly to you)
>>>
>>>I have the same problem. My cygwin1.dll and cygz.dll file are in quarantine.
>>>NAV claims that they are infected with the Backdoor.Egghead virus but I don't
>>>see any other signs besides the above 2 files. I think NAV definitions are
>>>wrong!!!!
>>>
>>>I actually have SEVERAL customers who are going to complain about this
>>>tomorrow. So I am trying to find a quick resolution. I have also posted my
>>>question to Symantec.
>>>
>>>I am hoping that Symantec sends out newer update virus definitions which DO
>>>NOT cause this error.
>>>
>>>Let me know if you get any updates from them.
>>>
>>>Thanks.
>>>--Nilesh Kamdar
>>>
>>>


-- 
1 Timothy 4:12 (NIV)- Don't let anyone look down on you because you are 
young, but set an example for the believers
in speech, in life, in love, in faith, and in purity.



* Re: anybody else also infected
  2002-02-14  5:29 ` hongxun lee
@ 2002-02-14  6:24   ` Larry Hall (RFK Partners, Inc)
  2002-02-14  6:35     ` Peter Buckley
  0 siblings, 1 reply; 20+ messages in thread
From: Larry Hall (RFK Partners, Inc) @ 2002-02-14  6:24 UTC (permalink / raw)
  To: hongxun lee, KAMDAR,NILESH (A-Sonoma,ex1); +Cc: cygwin mailing list

Hm, it seems like this entire thread could have been avoided or at least
truncated by a simple visit to the FAQ:

Is setup.exe, or one of the packages, infected with a virus?
http://cygwin.com/faq/faq_2.html#SEC11

Larry Hall                              lhall@rfk.com
RFK Partners, Inc.                      http://www.rfk.com
838 Washington Street                   (508) 893-9779 - RFK Office
Holliston, MA 01746                     (508) 893-9889 - FAX


At 08:39 AM 2/14/2002, hongxun lee wrote:
>Sorry for the panic...My bet is all you can do is to update the package zlib
>...
>NAV this morning had released its new vir-definition..Thanks
>
>----- Original Message -----
>From: "KAMDAR,NILESH (A-Sonoma,ex1)" <nilesh_kamdar2@agilent.com>
>To: <lee.1801@osu.edu>
>Sent: Wednesday, February 13, 2002 10:58 PM
>Subject: anybody else also infected
>
>
> > Hello  Hongxun Lee,
> >
> > (I am not on the mailing list of cygwin so I am emailing directly to you)
> >
> > I have the same problem. My cygwin1.dll and cygz.dll file are in quarantine.
> > NAV claims that they are infected with the Backdoor.Egghead virus but I don't
> > see any other signs besides the above 2 files. I think NAV definitions are
> > wrong!!!!
> >
> > I actually have SEVERAL customers who are going to complain about this
> > tomorrow. So I am trying to find a quick resolution. I have also posted my
> > question to Symantec.
> >
> > I am hoping that Symantec sends out newer update virus definitions which DO
> > NOT cause this error.
> >
> > Let me know if you get any updates from them.
> >
> > Thanks.
> > --Nilesh Kamdar
> >

* Re: anybody else also infected
       [not found] <01A7DAF31F93D511AEE300D0B706ED92019ECD65@axcs13.cos.agilent.com>
@ 2002-02-14  5:29 ` hongxun lee
  2002-02-14  6:24   ` Larry Hall (RFK Partners, Inc)
  0 siblings, 1 reply; 20+ messages in thread
From: hongxun lee @ 2002-02-14  5:29 UTC (permalink / raw)
  To: KAMDAR,NILESH (A-Sonoma,ex1); +Cc: cygwin mailing list

Sorry for the panic...My bet is all you can do is to update the package zlib
...
NAV this morning had released its new vir-definition..Thanks

----- Original Message -----
From: "KAMDAR,NILESH (A-Sonoma,ex1)" <nilesh_kamdar2@agilent.com>
To: <lee.1801@osu.edu>
Sent: Wednesday, February 13, 2002 10:58 PM
Subject: anybody else also infected


> Hello  Hongxun Lee,
>
> (I am not on the mailing list of cygwin so I am emailing directly to you)
>
> I have the same problem. My cygwin1.dll and cygz.dll file are in quarantine.
> NAV claims that they are infected with the Backdoor.Egghead virus but I don't
> see any other signs besides the above 2 files. I think NAV definitions are
> wrong!!!!
>
> I actually have SEVERAL customers who are going to complain about this
> tomorrow. So I am trying to find a quick resolution. I have also posted my
> question to Symantec.
>
> I am hoping that Symantec sends out newer update virus definitions which DO
> NOT cause this error.
>
> Let me know if you get any updates from them.
>
> Thanks.
> --Nilesh Kamdar
>



* Re: anybody else also infected
  2002-02-13 20:18       ` Randall R Schulz
@ 2002-02-13 21:02         ` Michael A Chase
  0 siblings, 0 replies; 20+ messages in thread
From: Michael A Chase @ 2002-02-13 21:02 UTC (permalink / raw)
  To: cygwin, Randall R Schulz

----- Original Message -----
From: "Randall R Schulz" <rrschulz@cris.com>
To: "Michael A Chase" <mchase@ix.netcom.com>; <cygwin@cygwin.com>
Sent: Wednesday, February 13, 2002 20:18
Subject: Re: anybody else also infected


> My NAV does not detect any virus in /bin/cygz.dll from the 1.1.3-6 package
> archive in my download directory.
>
> Any idea why? When was the last time you updated your NAV virus
> descriptions? I updated mine this AM.
>
> At 19:27 2002-02-13, you wrote:
> >Update to zlib-1.1.3-7.  NAV thinks it detects the virus in the 1.1.3-6
> >version of the file, but not in the 1.1.3-7 version.
> >
> >Since you reported the false positive to SARC, the next release of the NAV
> >data files may have it fixed as well.

I ran LiveUpdate manually just before the last time I tested the files.  I
scanned the files both in the archive and after extracting.  The cygz.dll in
1.1.3-6 is tagged, the copy in 1.1.3.7 isn't.

WinXP Pro 5.1 Build 2600
Virus definitions: 2002/02/13 (2002/02/11 before LiveUpdate)
Norton SystemWorks: 5.0.1 aka 2002.05 Build 59
NAV: 8.00.58B

--
Mac :})
** I normally forward private questions to the appropriate mail list. **
Ask Smarter: http://www.tuxedo.org/~esr/faqs/smart-questions.htm
Give a hobbit a fish and he eats fish for a day.
Give a hobbit a ring and he eats fish for an age.




* Re: anybody else also infected
  2002-02-13 19:28     ` Michael A Chase
@ 2002-02-13 20:18       ` Randall R Schulz
  2002-02-13 21:02         ` Michael A Chase
  0 siblings, 1 reply; 20+ messages in thread
From: Randall R Schulz @ 2002-02-13 20:18 UTC (permalink / raw)
  To: Michael A Chase, cygwin

Michael,

My NAV does not detect any virus in /bin/cygz.dll from the 1.1.3-6 package 
archive in my download directory.

Any idea why? When was the last time you updated your NAV virus 
descriptions? I updated mine this AM.

Randall Schulz
Mountain View, CA USA


At 19:27 2002-02-13, you wrote:
>Update to zlib-1.1.3-7.  NAV thinks it detects the virus in the 1.1.3-6 
>version of the file, but not in the 1.1.3-7 version.
>
>Since you reported the false positive to SARC, the next release of the NAV 
>data files may have it fixed as well.
>--
>Mac



* Re: anybody else also infected
  2002-02-13 18:23   ` hongxun lee
@ 2002-02-13 19:28     ` Michael A Chase
  2002-02-13 20:18       ` Randall R Schulz
  0 siblings, 1 reply; 20+ messages in thread
From: Michael A Chase @ 2002-02-13 19:28 UTC (permalink / raw)
  To: hongxun lee, cygwin mailing list

Update to zlib-1.1.3-7.  NAV thinks it detects the virus in the 1.1.3-6
version of the file, but not in the 1.1.3-7 version.

Since you reported the false positive to SARC, the next release of the NAV
data files may have it fixed as well.
--
Mac :})
** I normally forward private questions to the appropriate mail list. **
Ask Smarter: http://www.tuxedo.org/~esr/faqs/smart-questions.htm
Give a hobbit a fish and he eats fish for a day.
Give a hobbit a ring and he eats fish for an age.
----- Original Message -----
From: "hongxun lee" <lee.1801@osu.edu>
To: "cygwin mailing list" <cygwin@cygwin.com>
Sent: Wednesday, February 13, 2002 18:23
Subject: Re: anybody else also infected


> Thanks..but I have no idea what's wrong there. My vir-definition is updated
> within half an hour..my cygwin is now dead. Would you pls send to me a copy
> of that file for I hate to reinstall..Thanks again
>
> ----- Original Message -----
> From: "Randall R Schulz" <rrschulz@cris.com>
> To: "hongxun lee" <lee.1801@osu.edu>; <cygwin@cygwin.com>
> Sent: Wednesday, February 13, 2002 9:18 PM
> Subject: Re: anybody else also infected
>
> > I scanned my copy of cygz.dll (/bin/cygz.dll) with Norton AntiVirus (with
> > the weekly updates downloaded and installed earlier today). It found no
> > problem with that file.





* Re: anybody else also infected
  2002-02-13 18:17 ` Randall R Schulz
@ 2002-02-13 18:23   ` hongxun lee
  2002-02-13 19:28     ` Michael A Chase
  0 siblings, 1 reply; 20+ messages in thread
From: hongxun lee @ 2002-02-13 18:23 UTC (permalink / raw)
  To: cygwin mailing list

Thanks..but I have no idea what's wrong there. My vir-definition is updated
within half an hour..my cygwin is now dead. Would you pls send to me a copy
of that file for I hate to reinstall..Thanks again

----- Original Message -----
From: "Randall R Schulz" <rrschulz@cris.com>
To: "hongxun lee" <lee.1801@osu.edu>; <cygwin@cygwin.com>
Sent: Wednesday, February 13, 2002 9:18 PM
Subject: Re: anybody else also infected


> Hong Xun,
>
> I scanned my copy of cygz.dll (/bin/cygz.dll) with Norton AntiVirus (with
> the weekly updates downloaded and installed earlier today). It found no
> problem with that file.
>
> For the record:
>
> % cygcheck -v cygz.dll
> Found: D:\cygwin\bin\cygz.dll
> D:\cygwin\bin\cygz.dll - os=4.0 img=1.0 sys=4.0
>    "cygz.dll" v0.0 ts=2002/1/20 11:41
>    D:\cygwin\bin\cygwin1.dll - os=4.0 img=1.0 sys=4.0
>      "cygwin1.dll" v0.0 ts=2002/1/21 9:48
>      D:\WINNT\System32\KERNEL32.dll - os=5.0 img=5.0 sys=4.0
>        "KERNEL32.dll" v0.0 ts=2001/8/31 15:42
>        D:\WINNT\System32\NTDLL.DLL - os=5.0 img=5.0 sys=4.0
>          "ntdll.dll" v0.0 ts=2000/11/21 22:32
>    D:\WINNT\System32\KERNEL32.dll (already done)
>
> % sum /bin/cygz.dll
> 19649    50
>
> Randall Schulz
> Mountain View, CA USA
>
>
> At 18:05 2002-02-13, hongxun lee wrote:
> >Norton AntiVir complains that the file was infected by eggHead virus..but
> >couldn't repair it.. below is the reply from Symantec for my submission.
> >Anyone has the same experience?
> >thanks
> >
> >----- Original Message -----
> >From: <SecurityResponse@symantec.com>
> >To: <lee.1801@osu.edu>
> >Sent: Wednesday, February 13, 2002 8:42 PM
> >Subject: SARC Automation: Tracking #1254298
> >
> >
> > > filename: C:\cygwin\bin\cygz.dll
> > > machine: ALLELUJA
> > > result: This file is clean
> > >
> > > We have determined that no virus exists on the samples provided.
> > >
> > > Developer notes:
> > > C:\cygwin\bin\cygz.dll is a clean file.<BR>
> > >
> > > Should you have any questions about your submission, please contact
> > > technical support at the appropriate number listed below and give them
> > > the tracking number in the subject of this message.
> > >
> > > -----------------------------------------------------------------------
> > > This message was generated by SARC automation.
> > >
> > > For USA:
> > > For electronic support options, Symantec provides On-Line Services at
> > > http://www.symantec.com/techsupp.
> > > Knowledge Base, FAQ's, Support Genie, and Ask a Tech are all free
> > > services. "Chat Now!" does have charges associated with the service. Virus
> > > information and definitions are available at
> > > http://www.symantec.com/avcenter/index.html.
>
>
>



* Re: anybody else also infected
  2002-02-13 18:05 hongxun lee
@ 2002-02-13 18:17 ` Randall R Schulz
  2002-02-13 18:23   ` hongxun lee
  0 siblings, 1 reply; 20+ messages in thread
From: Randall R Schulz @ 2002-02-13 18:17 UTC (permalink / raw)
  To: hongxun lee, cygwin

Hong Xun,

I scanned my copy of cygz.dll (/bin/cygz.dll) with Norton AntiVirus (with 
the weekly updates downloaded and installed earlier today). It found no 
problem with that file.

For the record:

% cygcheck -v cygz.dll
Found: D:\cygwin\bin\cygz.dll
D:\cygwin\bin\cygz.dll - os=4.0 img=1.0 sys=4.0
   "cygz.dll" v0.0 ts=2002/1/20 11:41
   D:\cygwin\bin\cygwin1.dll - os=4.0 img=1.0 sys=4.0
     "cygwin1.dll" v0.0 ts=2002/1/21 9:48
     D:\WINNT\System32\KERNEL32.dll - os=5.0 img=5.0 sys=4.0
       "KERNEL32.dll" v0.0 ts=2001/8/31 15:42
       D:\WINNT\System32\NTDLL.DLL - os=5.0 img=5.0 sys=4.0
         "ntdll.dll" v0.0 ts=2000/11/21 22:32
   D:\WINNT\System32\KERNEL32.dll (already done)

% sum /bin/cygz.dll
19649    50

Randall Schulz
Mountain View, CA USA


At 18:05 2002-02-13, hongxun lee wrote:
>Norton AntiVir complains that the file was infected by eggHead virus..but 
>couldn't repair it.. below is the reply from Symantec for my submission.
>Anyone has the same experience?
>thanks
>
>----- Original Message -----
>From: <SecurityResponse@symantec.com>
>To: <lee.1801@osu.edu>
>Sent: Wednesday, February 13, 2002 8:42 PM
>Subject: SARC Automation: Tracking #1254298
>
>
> > filename: C:\cygwin\bin\cygz.dll
> > machine: ALLELUJA
> > result: This file is clean
> >
> > We have determined that no virus exists on the samples provided.
> >
> > Developer notes:
> > C:\cygwin\bin\cygz.dll is a clean file.<BR>
> >
> > Should you have any questions about your submission, please contact
> > technical support at the appropriate number listed below and give them
> > the tracking number in the subject of this message.
> >
> > -----------------------------------------------------------------------
> > This message was generated by SARC automation.
> >
> > For USA:
> > For electronic support options, Symantec provides On-Line Services at
> > http://www.symantec.com/techsupp.
> > Knowledge Base, FAQ's, Support Genie, and Ask a Tech are all free
> > services. "Chat Now!" does have charges associated with the service. Virus
> > information and definitions are available at
> > http://www.symantec.com/avcenter/index.html.


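The manual check in the message above (`sum /bin/cygz.dll`) and the archive-versus-extracted comparison Michael A Chase describes elsewhere in this thread, as an added Python example that is not code from any poster: it reproduces the default `sum` output (BSD 16-bit checksum, 1 KiB blocks), adds SHA-256, and compares an on-disk file with the same member in a package tarball. The member path, payload bytes and archive are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import io
import tarfile

# Assumed member path inside the package tarball (not taken from the thread).
SAMPLE_MEMBER = "usr/bin/cygz.dll"


def bsd_sum(data: bytes) -> tuple[int, int]:
    """(checksum, blocks) as printed by `sum` in its default BSD mode."""
    checksum = 0
    for byte in data:
        # Rotate the 16-bit accumulator right by one bit, then add the byte.
        checksum = (checksum >> 1) | ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum, (len(data) + 1023) // 1024  # size in 1 KiB blocks


def fingerprint(data: bytes) -> dict:
    """Identify a file three ways; only SHA-256 is strong enough to decide on."""
    checksum, blocks = bsd_sum(data)
    return {
        "sum": f"{checksum:05d} {blocks:5d}",  # same layout as the `sum` output
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def read_member(archive: bytes, member: str) -> bytes:
    """Read one regular file out of a (possibly compressed) tar archive."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        try:
            handle = tar.extractfile(member)
        except KeyError:
            raise ValueError(f"{member} is not in the archive") from None
        if handle is None:
            raise ValueError(f"{member} is not a regular file")
        return handle.read()


def triage(installed: bytes, archive: bytes, member: str) -> dict:
    """Compare the flagged on-disk file with the copy shipped in the package."""
    on_disk = fingerprint(installed)
    packaged = fingerprint(read_member(archive, member))
    same = on_disk["sha256"] == packaged["sha256"]
    return {
        # matches-package: the file is what the package shipped, so the alert is
        # a question about the package or the signature, not about this host.
        # differs-from-package: the file changed after install; investigate it.
        "verdict": "matches-package" if same else "differs-from-package",
        "sum_collision": (not same) and on_disk["sum"] == packaged["sum"],
        "on_disk": on_disk,
        "packaged": packaged,
    }


def build_sample_archive(member: str, payload: bytes) -> bytes:
    """Constructed stand-in for a package tarball holding one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(member)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    shipped = bytes(range(256)) * 200  # constructed 50 KiB stand-in for the DLL
    archive = build_sample_archive(SAMPLE_MEMBER, shipped)
    altered = shipped[:100] + b"X" + shipped[101:]  # constructed one-byte change
    for label, data in (("untouched", shipped), ("altered", altered)):
        result = triage(data, archive, SAMPLE_MEMBER)
        print(label, result["verdict"], result["on_disk"]["sum"])
```

A matching `sum` value alone is weak evidence: the two-byte inputs `00 01` and `02 00` both give checksum 1, which is why the verdict is taken from SHA-256 and a `sum`-only match is reported separately as `sum_collision`.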

* anybody else also infected
@ 2002-02-13 18:05 hongxun lee
  2002-02-13 18:17 ` Randall R Schulz
  0 siblings, 1 reply; 20+ messages in thread
From: hongxun lee @ 2002-02-13 18:05 UTC (permalink / raw)
  To: cygwin mailing list

Norton AntiVir complains that the file was infected by eggHead virus..but
couldn't repair it..
below is the reply from Symantec for my submission. Anyone has the same
experience?
thanks

----- Original Message -----
From: <SecurityResponse@symantec.com>
To: <lee.1801@osu.edu>
Sent: Wednesday, February 13, 2002 8:42 PM
Subject: SARC Automation: Tracking #1254298


> filename: C:\cygwin\bin\cygz.dll
> machine: ALLELUJA
> result: This file is clean
>
> We have determined that no virus exists on the samples provided.
>
> Developer notes:
> C:\cygwin\bin\cygz.dll is a clean file.<BR>
>
> Should you have any questions about your submission, please contact
> technical support at the appropriate number listed below and give them
> the tracking number in the subject of this message.
>
> -----------------------------------------------------------------------
> This message was generated by SARC automation.
>
> For USA:
> For electronic support options, Symantec provides On-Line Services at
> http://www.symantec.com/techsupp.
> Knowledge Base, FAQ's, Support Genie, and Ask a Tech are all free
> services. "Chat Now!" does have charges associated with the service. Virus
> information and definitions are available at
> http://www.symantec.com/avcenter/index.html.
>
