Description:
Bitdefender caught file name pyono.pyd infected with Gen:Variant.Ulise.257598. See screenshot. I will uninstall this download and wait for a later iteration of the dev cut to see if this happens again. This has never happened before. Not sure if it's related, but I did install (in the dev version) an extension (a palette) which did not work and was so badly malformed that LO could not remove it, forcing me to wipe out the user profile and use a backup of it: https://extensions.libreoffice.org/en/extensions/show/hsv-color-palette

Steps to Reproduce:
1. In MS Windows, install 2021.10.31 download of LibreOffice dev.
2. Scan with Bitdefender

Actual Results:
Virus detected

Expected Results:
No virus should be detected.

Reproducible: Always

User Profile Reset: No

Additional Info:
Version: 7.3.0.0.alpha1+ (x64) / LibreOffice Community
Build ID: c6af59b234e8eb8182dc7f686290524feafd6ed6
CPU threads: 8; OS: Windows 10.0 Build 19043; UI render: Skia/Vulkan; VCL: win
Locale: en-US (en_US); UI: en-US
Calc: CL

Created attachment 176059: bitdefender message

(In reply to xordevoreaux from comment #0)
> 1. In MS Windows, install 2021.10.31 download of LibreOffice dev.

Please mention where you downloaded it from, exactly.

Problem is with the scripting protection .. see the following from Malwarebytes.

I would like to welcome you to Malwarebytes Customer Support,
My name is xxxxx and I will be assisting you with your ticket # 3613653.

Very sorry to hear about the trouble you are having with Anti-Exploit protection blocking your program.

If you are 100% sure this is a false positive then you can do the following and see if it fixes the issue for you.

1. Open Malwarebytes by double-clicking the Malwarebytes icon on the desktop.
2. Click the Settings icon in the top right.
3. Click the "Security" tab.
4. Scroll all the way down to "Exploit Protection" and click "Advanced Settings".
5. Select the "Application Behavior Protection" tab.
6. Look for the "Office scripting abuse prevention" row.
7. Remove the checkmark under "MS Office".
8. Click "Apply".

To ensure the changes take effect:

1. Exit Malwarebytes by right-clicking the system tray icon and select "Quit Malwarebytes".
2. Wait about a minute and re-launch Malwarebytes via the Desktop icon.

(In reply to Mike Kaganski from comment #2)
> (In reply to xordevoreaux from comment #0)
> > 1. In MS Windows, install 2021.10.31 download of LibreOffice dev.
>
> Please mention where you downloaded it from, exactly.

https://dev-builds.libreoffice.org/daily/master/current.html

(In reply to Richard George from comment #3)
> Problem is with the scripting protection .. see the following from
> Malwarebytes.
>
> I would like to welcome you to Malwarebytes Customer Support,
> My name is xxxxx and I will be assisting you with your ticket # 3613653.
>
> Very sorry to hear about the trouble you are having with Anti-Exploit
> protection blocking your program.
>
> If you are 100% sure this is a false positive then you can do the following
> and see if it fixes the issue for you.
>
>
> Open Malwarebytes by double-clicking the Malwarebytes icon on the
> desktop. Click the Settings icon in the top right. Click the "Security"
> tab. Scroll all the way down to "Exploit Protection" and click "Advanced
> Settings". Select the "Application Behavior Protection" tab. Look for the
> "Office scripting abuse prevention" row. Remove the checkmark under "MS
> Office". Click "Apply".
>
> To ensure the changes take effect:
>
> Exit Malwarebytes by right-clicking the system tray icon and select "Quit
> Malwarebytes". Wait about a minute and re-launch Malwarebytes via the Desktop
> icon.

I already checked those options, and the idea of turning off protection for MS Office exploits -- one of the most widely-targeted software suites on this planet -- to avoid Malwarebytes shutting another product (LO) is asinine. Won't be doing it.

(In reply to xordevoreaux from comment #5)
> the idea of turning off protection for
> MS Office exploits -- one of the most widely-targeted software suites on
> this planet -- to avoid Malwarebytes shutting another product (LO) is
> asinine. Won't be doing it.

(In reply to xordevoreaux from bug 144158 comment #0)
> Whatever LO is doing now as opposed to in the past needs to be undone so
> this doesn't happen. I've had MWB installed a long time and this never
> happened before.

(In reply to xordevoreaux from bug 144158 comment #10)
> If someone introduced a kluge in the LibreOffice code to provide the list of
> available Java virtual machines in the Advanced window, and that kluge trips
> 3rd-party warning systems that LO is attempting to manipulate the operating
> system in a way identical to that of dangerously exploitative software, the
> burden is on the LO developers to fix, not something to be foisted on
> individual users to chase down exceptions in their anti-virus and
> anti-malware programs, which, in the case of MWB with this particular
> problem, cannot be excepted, I tried.

(In reply to xordevoreaux from bug 144158 comment #14)
> Declare it not your bug if you want but it means I'm skipping using parts of
> LO affected by it.

It looks counter-productive to tell something to a person who declares something to be a problem of LibreOffice just because it didn't happen before; then, after being informed that this *was* indeed something newly introduced in the antivirus software, they keep insisting that the burden to guess what specifically a closed proprietary program chose to use as a marker of malware. Of course, telling LibreOffice from MS Office is rocket science, which can't be reasonably done by a commercial software (which the user *pays* for), so indeed, volunteers must do that - especially since the commercial vendor who took your money doesn't respond, "I tried".

Of course, making antivirus able to apply exceptions per process, not disabling it as a whole, is also something that Malwarebytes are incapable of doing. And in the end, declaring an honest attempt to help as "asinine" is topping all this excellence. Just brilliant. I am marking my answer as off-topic, sure.

Please report it to Bitdefender. Consensus has been building for years that antivirus software these days is useless and sometimes actually harmful: https://www.cbc.ca/news/science/antivirus-software-1.3668746
I can promise you if I wind up reloading Windows because a virus from LO took out my operating system, you're going to hear about it, and no, I won't be removing either anti-virus product, and will keep reporting issues. The one day you guys dismiss a potential problem is the day it bites the rest of us in the butt.
Another interesting detail -- why did Bitdefender only identify a virus in LO Dev, but not in LO 7.2.2, which I also have installed?
(In reply to xordevoreaux from comment #10)
> Another interesting detail -- why did Bitdefender only identify a virus in
> LO Dev, but not in LO 7.2.2, which I also have installed?

That's exactly the problem that *you* try to put on *us*. The code didn't change; but *the build* is different - e.g., containing debug symbols, etc - and the antivirus uses its imperfect (it is never perfect!) heuristics and "detects" some pattern in these bytes, generated from the same code with different compiler settings. Antivirus heuristics always have *some* level of false positives - it is a known fact to everyone, antivirus authors included. Only you seem to not understand that fact, trying to blame something you don't understand.

(In reply to Mike Kaganski from comment #11)

Or maybe the antivirus vendor is smart enough to detect LibreOffice, recognizing the *released* versions like 7.2.2, not scaring users with the false positives; but indeed, it would not detect a debug daily build, and then clueless users that for some unknown reason are using alpha-stage dailies would again blame something that they don't understand. Or many other reasons ... and the aggression that some users show in their reports shows that not everyone can be reasonable.

(In reply to Mike Kaganski from comment #12)
> (In reply to Mike Kaganski from comment #11)
>
> Or maybe the antivirus vendor is smart enough to detect LibreOffice,
> recognizing the *released* versions like 7.2.2, not scaring users with the
> false positives; but indeed, it would not detect a debug daily build, and
> then clueless users that for some unknown reason using alpha-stage dailies
> would again blame something that don't understand. Or many other reasons ...
> and the aggression that some users show in their reports shows that not
> everyone can be reasonable.

Doesn't explain why, for the dozens if not more daily dev downloads over the years that I've volunteered my time to test to help out the Document Foundation make LibreOffice a better product, that this was the first time Bitdefender ever flagged a cut with a virus, and it's the first time that I had ever tried to install that palette extension, also mentioned in this bug.

(In reply to xordevoreaux from comment #13)
> (In reply to Mike Kaganski from comment #12)
> > (In reply to Mike Kaganski from comment #11)
> >
> > Or maybe the antivirus vendor is smart enough to detect LibreOffice,
> > recognizing the *released* versions like 7.2.2, not scaring users with the
> > false positives; but indeed, it would not detect a debug daily build, and
> > then clueless users that for some unknown reason using alpha-stage dailies
> > would again blame something that don't understand. Or many other reasons ...
> > and the aggression that some users show in their reports shows that not
> > everyone can be reasonable.
>
> Doesn't explain why, for the dozens if not more daily dev downloads over the
> years that I've volunteered my time to test to help out the Document
> Foundation make LibreOffice a better product, that this was the first time
> Bitdefender ever flagged a cut with a virus, and it's the first time that I
> had ever tried to install that palette extension, also mentioned in this bug.

It does explain it in a general way. Only the developers of Bitdefender could explain the specific "why". Closed-source heuristics are a black box to us.

(In reply to xordevoreaux from comment #13)
> Doesn't explain why, ...

Sure. To explain, one needs to invest much time in this brainless project of analyzing a paid closed-source antivirus for the patterns it catches, by trying to modify the binary in different ways, and see what triggers the detection, then analyze the compilation flags used on a specific build bot, its compiler version, its libraries, and finally see that the next version of this antivirus changed its detection, but finds something in another pattern, or another antivirus does equally confusing things.

You report something detected by an antivirus. This is a valid report; thanks. It turns out to be a false positive (the file on the server is the same that was initially generated, and the binary in it is indeed flagged e.g. testing on VirusTotal). The case is closed at this stage (because, again, for such cases the question is if the file was actually infected or not, and it was not). Your options are either to trust this analysis (and maybe file something to the antivirus vendor, so that they have a chance to improve their detection), or not - and then it's your decision what to do next; it's *not* something to do in LibreOffice project.