It is said that my 34.0 and 34.0.5 builds are detected as a virus by some anti-virus software, so I tried uploading every module to VirusTotal to check.
The results:
File name | Detection ratio | Analysis |
---|---|---|
browsercomps.dll | 0/55 | link |
AccessibleMarshal.dll | 0/55 | link |
firefox.exe | 13/55 | link |
freebl3.dll | 0/55 | link |
gkmedias.dll | 0/55 | link |
icudt52.dll | 0/55 | link |
icuin52.dll | 0/54 | link |
icuuc52.dll | 0/55 | link |
libEGL.dll | 0/55 | link |
libGLESv2.dll | 0/54 | link |
mozalloc.dll | 0/55 | link |
mozglue.dll | 0/55 | link |
mozjs.dll | 0/55 | link |
nss3.dll | 0/55 | link |
nssckbi.dll | 0/55 | link |
nssdbm3.dll | 0/55 | link |
plugin-container.exe | 0/55 | link |
plugin-hang-ui.exe | 0/55 | link |
sandboxbroker.dll | 0/55 | link |
softokn3.dll | 0/55 | link |
tmemutil.dll | 0/55 | link |
webapprt-stub.exe | 0/55 | link |
webapp-uninstaller.exe | 2/55 | link |
xul.dll | 0/55 | link |
So only two files were reported as a virus: firefox.exe and webapp-uninstaller.exe.
How is firefox.exe generated? Its link command line:
e:/mozilla/34.0/x86/sse2/obju-vc-pgo/_virtualenv/Scripts/python.exe e:/mozilla/34.0/x86/sse2/mozilla-release/config/expandlibs_exec.py --uselist -- link -NOLOGO -OUT:firefox.exe -PDB:firefox.pdb -ENTRY:wmainCRTStartup -SUBSYSTEM:WINDOWS,5.01 -LARGEADDRESSAWARE -NXCOMPAT -RELEASE -DYNAMICBASE -SAFESEH -DEBUG -DEBUGTYPE:CV -DEBUG -OPT:REF -LTCG:PGUPDATE -DELAYLOAD:mozglue.dll /HEAP:0x40000 -opt:ref,icf -LARGEADDRESSAWARE e:/mozilla/mylib.lib nsBrowserApp.obj ./module.res ../../xpcom/glue/standalone/staticruntime/xpcomglue_staticruntime.lib ../../mozglue/build/mozglue.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib secur32.lib netapi32.lib delayimp.lib
Its related source code is nsBrowserApp.cpp, but I haven’t patched it.
I noticed the PGO link option -LTCG:PGUPDATE, so I tried linking it using -LTCG:
e:/mozilla/34.0/x86/sse2/obju-vc-pgo/_virtualenv/Scripts/python.exe e:/mozilla/34.0/x86/sse2/mozilla-release/config/expandlibs_exec.py --uselist -- link -NOLOGO -OUT:firefox.exe -PDB:firefox.pdb -ENTRY:wmainCRTStartup -SUBSYSTEM:WINDOWS,5.01 -LARGEADDRESSAWARE -NXCOMPAT -RELEASE -DYNAMICBASE -SAFESEH -DEBUG -DEBUGTYPE:CV -DEBUG -OPT:REF -LTCG -DELAYLOAD:mozglue.dll /HEAP:0x40000 -opt:ref,icf -LARGEADDRESSAWARE e:/mozilla/mylib.lib nsBrowserApp.obj ./module.res ../../xpcom/glue/standalone/staticruntime/xpcomglue_staticruntime.lib ../../mozglue/build/mozglue.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib secur32.lib netapi32.lib delayimp.lib
Then I uploaded firefox.exe to VirusTotal to check it again; here is the link. Oh, not one anti-virus product reports it as a virus!
How mad! What do you do for MSVC2013 PGO!
The other module is webapp-uninstaller.exe (reported by McAfee-GW-Edition and Symantec), which is generated by NSIS (I can’t do anything about NSIS), and it is the same as in the official edition. So why didn’t the anti-virus software report the official edition’s webapp-uninstaller.exe?
The answer is that the official webapp-uninstaller.exe is signed. Can a third-party build sign it? You can if you have bought an expensive signing certificate!
So I tried a hacker method to get webapp-uninstaller.exe past the check. From the link, I know a module’s signed certificate is regular, so I can copy the official file’s signed certificate to my build’s webapp-uninstaller.exe, and this is the VirusTotal report for the patched webapp-uninstaller.exe. You can see that it passes McAfee-GW-Edition and Symantec, and only AVG reported it as Mozilla Corporation. Of course that is correct, because I only copied the signed certificate, and applying a signed certificate to a different module causes a signature fault, but passing the antivirus test is enough.
So I copied the two modified modules into my build and packaged them with 7zip, and the VirusTotal report is here. It matches what I said above.
In the end, these are anti-virus false positives. I uploaded the modified 34.0 x86 edition (only firefox.exe and webapp-uninstaller.exe are modified) to here. Based on the analysis above, I won’t provide a modified 34.0.5 x86 edition.
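Why the copied signature described above fails verification: an Authenticode check recomputes a digest over the file, skipping the checksum field, the security directory entry and the certificate table, and compares it with the digest inside the signed blob. The following is an added example, not code from this post or from Mozilla; `make_sample` and its byte strings are constructed test data, and the digest walk is simplified (SHA-256, certificate table assumed to sit at the end of the file, sections not re-sorted).

```python
import hashlib
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def authenticode_layout(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) of a PE image."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    secdir = dirs + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)  # file offset, not an RVA
    return opt + 64, secdir, cert_off, cert_size

def authenticode_digest(pe: bytes) -> str:
    """SHA-256 over the bytes a signature covers (simplified walk, see lead-in)."""
    checksum, secdir, cert_off, cert_size = authenticode_layout(pe)
    if cert_size and cert_off + cert_size != len(pe):
        raise ValueError("certificate table is not at end of file")
    end = cert_off if cert_size else len(pe)
    h = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:secdir], pe[secdir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def make_sample(body: bytes, cert: bytes = b"") -> bytes:
    """Constructed test input: bare PE32 headers, a body, an optional opaque cert table."""
    hdr = bytearray(0x40 + 24 + 224)  # DOS header, PE signature + COFF, PE32 optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)
    body += b"\0" * (-len(body) % 8)  # certificate table starts 8-byte aligned
    if cert:
        struct.pack_into("<II", hdr, 0x40 + 24 + 128, len(hdr) + len(body), len(cert))
    return bytes(hdr) + body + cert
```

A scanner that only checks whether a certificate table is present treats a genuinely signed file and a file carrying a copied blob alike; one that compares this digest with the digest in the signed blob sees the mismatch.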
That’s a very high detection rate on all the major players; they must have a bad signature?
Avira has confirmed it is their fault.
Symantec SEP 11 had a virus definition update this morning and now it says that the firefox.exe is a virus (trojan.gen.2) – only for 34.05 x86 version, x64 is fine. Reported to Symantec already.