Trojan in Calibre portable 4.91?

[BetterRed]

Quote:

Originally Posted by stumped

I would ( still) like to see a reasoned explanation of why 16 different engines find something suspicious once the program has installed.

My reading of that issue is that the detection occurred when calibre portable 4.9.1 was installed over the top of an existing install (XXXX). When it was installed into an empty directory (YYYY) it was OK, but when the install from YYYY was copied over the previous version in XXXX, Bitdefender and VT found malware.

That suggests to me there is something in that XXXX directory that shouldn't be there. Maybe the old exe got infected on that computer after it was installed with a payload that's smart enough to attach itself to the replacement. I would have moved the library to YYYY and nuked XXXX

BR

[stumped]

Quote:

Originally Posted by BetterRed

My reading of that issue is that the detection occurred when calibre portable 4.9.1 was installed over the top of an existing install (XXXX). When it was installed into an empty directory (YYYY) it was OK, but when the install from YYYY was copied over the previous version in XXXX, Bitdefender and VT found malware.

That suggests to me there is something in that XXXX directory that shouldn't be there. Maybe the old exe got infected with a payload that's smart enough to attach itself to the replacement.

BR

ok i missed that subtlety. its a plausible theory which is what I was hoping for.
if the thread is still alive when 4.9.2 or later gets released, I will try installing over my current install and re-test

[kovidgoyal]

ugh you are asking us to explain why opaque closed source programs that constantly change their behavior silently with auto-updates int he background behave the way they do. We dont have crystal balls. Why dont you try asking the manufactirers of said software to explain their behavior .

[BetterRed]

@stumped - I checked it with MWB Pro too, same result.

BTW I tweaked my previous post

BR

[DiapDealer]

In my opinion, it's all down to the heuristics used. When a virus program changes its heuristics, suddenly a file (the exact same file) that has been clean for years is a "problem." What's easier to believe: that an exe that has been perfectly well-behaved for four years has suddenly gone rogue? Or that the heuristic tweak on the part of said antivirus program wasn't all that well thought out?

Has the exe been dangerous all this time (without actually infecting anything), or has it magically become dangerous (without actually infecting anything)?

Open-source software is about trust in this day and age (actually it always has been). Especially on Windows and Macs. Because when all is said and done both of those platforms are doing everything in their power to scare the average user away from installing anything that didn't come their own software stores (or from those companies who have paid enough money to be added to a "trusted' publisher list).

Use your head. "Suspicious behavior" isn't something that's black/white, good/bad. It's not even something that's objectively definitive when it comes to software. "Suspicious behavior" can still perform perfectly benign tasks. Trust the people/places you've been getting your open-source software from for years, or don't. And if you trust them, use the signatures and checksums provided to make sure you're downloading the exact same thing they uploaded and move on. Exempt them from the overly-aggressive, heuristic scare-mongering programs and move on.

[gbm]

Speaking of bad anti-virus behaviour:

Leaked Documents Expose the Secretive Market for Your Web Browsing Data

Quote:

An Avast antivirus subsidiary sells 'Every search. Every click. Every buy. On every site.' Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.

An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world's biggest companies, a joint investigation by Motherboard and PCMag has found. ...

bernie

[stumped]

Quote:

Originally Posted by kovidgoyal

ugh you are asking us to explain why opaque closed source programs that constantly change their behavior silently with auto-updates int he background behave the way they do.. .

No, I am asking for a better explanation than "let's all shoot the messenger", all 16 of them

16 presumably independent, companies have scanning engines which say this specific program looks suspicious , but thousands of other programs are fine . Surely it's better to delve into what is it they find suspicious than to call them all rubbish products which should always be disbelieved.
AV there to warn us. If we don't look into the warnings when given, why bother to ever use them ?


And if you are being serious, not rhetorical, when you say "why don't you ask them for an explanation " then surely the program author is best placed to initiate that dialog. Not someone like me who can only say to each of the 16: " your AV finds nothing wrong with my install but there are these guys on a message board who say different"

Look, if just one or maybe two AV were reporting this I would think false positives, again, shut up and move on. But 16 is different.

[JSWolf]

Quote:

Originally Posted by stumped

small update. a little test of my own, as no one else seemed to have tried malwarebytes pro( which I trust a lot)
I downloaded & installed portable then scanned the install folder:
[ also scanned the downloaded .exe which was clean)

Speaking of Malwarebytes, I was looking up how good Windows Security is and it was recommended to run Malwarebytes along side and that would be one of the top AV/Trojan protection and it doesn't hook itself into the OS or web browsers. It is said that some of these web browser add-ons can make the web browser less secure.

[stumped]

Quote:

Originally Posted by JSWolf

Speaking of Malwarebytes, I was looking up how good Windows Security is and it was recommended to run Malwarebytes along side and that would be one of the top AV/Trojan protection and it doesn't hook itself into the OS or web browsers. It is said that some of these web browser add-ons can make the web browser less secure.

I agree. MB plus a regular AV of your choice is a great pairing.
Fyi. The reason I use panda free, not Windows defender, ito complement malwarebytes is that defender used to regularly get stuck trying to update itself and would mess up the whole automated windows update thing.
Maybe that is all fixed now but after having to intervene and fix database updates a few times I ditched it.
I picked panda because at the time both avg and Avira free were getting bad press. I wanted an unobtrusive ,free , install and forget about it product to complement malwarebytes pro. I was lucky enough to buy a lifetime key for MB before they switched to a subscription model.

[DiapDealer]

Quote:

Originally Posted by stumped

If we don't look into the warnings when given, why bother to ever use them ?

Good question. I, for one, don't (other than Defender on Windows). Haven't for many, many years.

[JSWolf]

Quote:

Originally Posted by stumped

I agree. MB plus a regular AV of your choice is a great pairing.
Fyi. The reason I use panda free, not Windows defender, ito complement malwarebytes is that defender used to regularly get stuck trying to update itself and would mess up the whole automated windows update thing.
Maybe that is all fixed now but after having to intervene and fix database updates a few times I ditched it.
I picked panda because at the time both avg and Avira free were getting bad press. I wanted an unobtrusive ,free , install and forget about it product to complement malwarebytes pro. I was lucky enough to buy a lifetime key for MB before they switched to a subscription model.

I have not had a single problem updating/installing the definitions since installing Windows 10 on four different computers.

[DNSB]

Quote:

Originally Posted by BetterRed

:yawn:

Does anyone have any irrefutable evidence or firmly held beliaf that calibre is infested with malware

BR

Nope. Oddly enough, I reported the detection as a false positive to BitDefender and according to them, this was the first false positive report received for that file. A claim which I take cum grano salis.

[DNSB]

Quote:

Originally Posted by BetterRed

My reading of that issue is that the detection occurred when calibre portable 4.9.1 was installed over the top of an existing install (XXXX). When it was installed into an empty directory (YYYY) it was OK, but when the install from YYYY was copied over the previous version in XXXX, Bitdefender and VT found malware.

That suggests to me there is something in that XXXX directory that shouldn't be there. Maybe the old exe got infected on that computer after it was installed with a payload that's smart enough to attach itself to the replacement. I would have moved the library to YYYY and nuked XXXX

BR

I don't normally run calibre portable so it was a clean install. To quote Thomas Huxley: The great tragedy of science - the slaying of a beautiful hypothesis by an ugly fact—Biogenesis and Abiogenesis (1870)

[BetterRed]

Quote:

Originally Posted by JSWolf

I have not had a single problem updating/installing the [Defender] definitions since installing Windows 10 on four different computers.

I've not had any since installing Windows 7 on a couple of computers soon after it's release. One of the pleasures of getting rid of XP was ditching 3rd party AVs.

@DNSB - for reference purposes I have had calibre portable installed on a real computer since 2013. It has no installed plugins or customisations and the library is what got installed at the first install. It gets updated by installing new versions over the top of what's already there. It's lived through a change of PC and a Win7->Win 10 upgrade.

In the seven years its been installed it's been updated hundreds of times. There has never been any signs of malware in it, or in dozens of copies thereof.

I'm done here - going over here ==>> https://www.mobileread.com/forums/sh...10#post3946410

BR

[Sirtel]

Quote:

Originally Posted by DiapDealer

Good question. I, for one, don't (other than Defender on Windows). Haven't for many, many years.

Me neither. Once in a while I run a Malwarebytes scan, but MB is switched off most of the time. Defender is sufficient for me.