XPPro SP3 32bit Event Viewer On installation message from F-Secure: Malicious code found in D:\LibreOffice\program\rebasegui.exe Infection: General VariantKazy.7514 File deleted Program then went on to install. Noted that Extension update check causes LibO to close with no error message. Don't know if due to same file being deleted on installation.
Created attachment 46233 [details] G Data virus LO 3.4 beta 3 Virus. GEN.Varianti.Kazy
Correct me if I'm wrong, but this seems more like a virus software problem than a LO problem.
tor, not sure if this is the same false positive that you checked before or not
Still getting same result with Beta4 so have not opened a new bug report. Submitted file to F-Secure and initial screening seems to confirm the file is as identified by their retail security software. I accept that there is always a chance of a false positive but even if it is then anyone with around 3 or 4 different security suites will not be able to fully use LibO which would be regretable. So either the security firms must change their detection parameters or if it does turn out to be a problem then it may need fixing in LibO. It does seem that this file is not unknown for giving problems - is it one of the hangovers from the MSDOS days? One point does trouble me a bit: The rebasegui.exe file in question is around 40KB (in Beta4). I tried to see if it could be substituted with the same named file from the 3.3 stable Release version. Extension update check no longer closes LibO but does generate an error message. The 3.3 Release file is 31KB but Windows appears to identify it as file version 1.1.1.0 which is exactly the same version as is shown for the 40KB 3.4 Beta4.
I suggest we simply stop including this rebasegui.exe in the installer. It hardly is useful for end-users anyway, I have no idea in what use case it is supposed to be used. And no, I don't have any reason to believe rebasegui.exe would actually contain a virus. Presumably the virus scanner in question is mislead by the fact that the very purpose of rebasegui is to inspect a field in the header of executable files (DLLs in particular), see http://opengrok.libreoffice.org/xref/libs-core/desktop/win32/source/rebase/rebasegui.cxx , which then presumably matches what some malware does. But note that rebasegui.exe opens the DLLs that it opens *read-only*... If somebody tried to spread malware through LibreOffice, why would they put it in an executable that no normal user is ever going to run? Wouldn't it be much useful (from their point of view) to infect some of the EXEs or DLLs actually run when using LibreOffice normally?
Created attachment 46602 [details] confirmation Avira also reports a trojan in the file. (win7, 64bit, beta downloaded as torrent: LibO_3.4.0beta4_Win_x86_install_multi.exe)
Feel free to leave out the rebasegui.exe then, if yuo believe it has a trojan. You won't need it.
Still true for beta5 with Avira Antivirus. Not delivering the file is no solution until we know for what it is used. Anitvirus is nagging several times during the installation, so I think it is not just copied by the installer.
For a writeup on the rebasing crack, see http://lists.freedesktop.org/archives/libreoffice/2011-May/011865.html
I saw exactly the same with Bit Defender and with "LibreOffice 3.4Beta4 – WIN7 Home Premium (64bit) German UI [DEV300m103 (Build:4)]", but only at the second installation on my Laptop. No virus detected during first installation on my Desktop. I agree with Volker, we should check that file, may be someone can contact one of the Antivirus providers?
rebasegui.exe will not be included any longer (and not rebaseoo.exe either) in the installer.
I am not sure that this is a bug, but Norton identified unicodedate.pyd as a supicious file and deleted it from program . . . lib. I had Norton restore it because in my non-Norton machine (McAfee) no red flags were raised. The files downloaded in both place appeared to be the same (e.g., dates, size). I suspect that Norton was being overzealous, but thought that you ought to know. Thanks!
@Rod - what version is that being spit out for? I removed security from the keywords as it's anti virus' being overzealous, not an issue with our product but maybe there is something we can do about it to get them to stop complaining.
Marking as NEEDINFO - let us know what version of LibreOffice you're still getting warnings about and then mark as UNCONFIRMED - we'll see if it's our bug or not Thanks!
I would close this old original issue as RESOLVED NOTABUG. False positives will happen once in a while.