Strange Anti-virus reports

It is said that my 34.0&34.0.5 is detected virus by some Anti-virus software, so I try to upload every module to virus total to detect.
The results:

File name Detection ratio Analysis
browsercomps.dll 0/55 link
AccessibleMarshal.dll 0/55 link
firefox.exe 13/55 link
freebl3.dll 0/55 link
gkmedias.dll 0/55 link
icudt52.dll 0/55 link
icuin52.dll 0/54 link
icuuc52.dll 0/55 link
libEGL.dll 0/55 link
libGLESv2.dll 0/54 link
mozalloc.dll 0/55 link
mozglue.dll 0/55 link
mozjs.dll 0/55 link
nss3.dll 0/55 link
nssckbi.dll 0/55 link
nssdbm3.dll 0/55 link
plugin-container.exe 0/55 link
plugin-hang-ui.exe 0/55 link
sandboxbroker.dll 0/55 link
softokn3.dll 0/55 link
tmemutil.dll 0/55 link
webapprt-stub.exe 0/55 link
webapp-uninstaller.exe 2/55 link
xul.dll 0/55 link

So only two files reported virus: firefox.exe and webapp-uninstaller.exe

How is firefox.exe generated, its link command line:

e:/mozilla/34.0/x86/sse2/obju-vc-pgo/_virtualenv/Scripts/python.exe e:/mozilla/34.0/x86/sse2/mozilla-release/config/expandlibs_exec.py --uselist -- link -NOLOGO -OUT:firefox.exe -PDB:firefox.pdb -ENTRY:wmainCRTStartup -SUBSYSTEM:WINDOWS,5.01 -LARGEADDRESSAWARE -NXCOMPAT -RELEASE -DYNAMICBASE -SAFESEH  -DEBUG -DEBUGTYPE:CV -DEBUG -OPT:REF -LTCG:PGUPDATE -DELAYLOAD:mozglue.dll /HEAP:0x40000  -opt:ref,icf -LARGEADDRESSAWARE e:/mozilla/mylib.lib  nsBrowserApp.obj ./module.res ../../xpcom/glue/standalone/staticruntime/xpcomglue_staticruntime.lib ../../mozglue/build/mozglue.lib  kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib secur32.lib netapi32.lib delayimp.lib

its related source code is nsBrowserApp.cpp, but I haven’t patched it.

I noticed PGO link: -LTCG:PGUPDATE, I try to link it using -LTCG:

e:/mozilla/34.0/x86/sse2/obju-vc-pgo/_virtualenv/Scripts/python.exe e:/mozilla/34.0/x86/sse2/mozilla-release/config/expandlibs_exec.py --uselist -- link -NOLOGO -OUT:firefox.exe -PDB:firefox.pdb -ENTRY:wmainCRTStartup -SUBSYSTEM:WINDOWS,5.01 -LARGEADDRESSAWARE -NXCOMPAT -RELEASE -DYNAMICBASE -SAFESEH  -DEBUG -DEBUGTYPE:CV -DEBUG -OPT:REF -LTCG -DELAYLOAD:mozglue.dll /HEAP:0x40000  -opt:ref,icf -LARGEADDRESSAWARE e:/mozilla/mylib.lib  nsBrowserApp.obj ./module.res ../../xpcom/glue/standalone/staticruntime/xpcomglue_staticruntime.lib ../../mozglue/build/mozglue.lib  kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib secur32.lib netapi32.lib delayimp.lib

And upload firefox.exe to virus total to detect it again, here is the link, oh, no one Anti-virus software report it a virus!
How mad! What do you do for MSVC2013 PGO!

And another module is webapp-uninstaller.exe ( McAfee-GW-Edition and Symantec reported ), which is generated by NSIS ( I can’t do anything for NSIS ), and it is the same with the official edition, but why the Anti-virus software didn’t report official edition’s webapp-uninstaller.exe?
The answer is that official’s webapp-uninstaller.exe is signed. Can the 3rd build sign it? You can if you have bought the expensive signed certificate!
So I try to adopt a hacker method to pass webapp-uninstaller.exe check. From the link, I know a module’s signed certificate is regular, so I can copy official’s signed certificate to my build’s webapp-uninstaller.exe, and this is the patched webapp-uninstaller.exe virus total report. You can see this will pass McAfee-GW-Edition and Symantec, and only AVG reported it as Mozilla Corporation. Of course it is correct, because I only copy the signed certificate and applying signed certificate to another different module can cause certificate signed fault, but passing the Antivirus test is enough.

So I copy two modified modules to my build, package them to 7zip, and the virus total report is here. It’s the same with the words above.

In the end, it is the Anti-virus software false positives. I upload the modified 34.0 x86 edition ( only modified firefox.exe and webapp-uninstaller.exe ) to here. Based on the analysis above, I won’t provide 34.0.5 x86 modified edition.

Advertisements

3 comments on “Strange Anti-virus reports

  1. waltp says:

    that’s very high detection rate on all the major players must have a bad signature?

    Like

  2. lczlcz says:

    Symantec SEP 11 had a virus definition update this morning and now it says that the firefox.exe is a virus (trojan.gen.2) – only for 34.05 x86 version, x64 is fine. Reported to Symantec already.

    Like

Comments are closed.