I downloaded the latest version of the Tor bundle, Version 2.3.25-4, and am now experiencing difficulties. While extracting the files, my AV pops up telling me that a virus is detected (Gen.Variant.Kazy.31094). Access to firefox-tbb was denied. The file is taken into quarantine for cleansing.
Would you please get this issue solved? I'd appreciate it. Thx
Trac: Username: helpinghand
That's not to say that it's for sure a false positive. But the wide diversity of antivirus software out there sure seems unable to handle a new binary without one of them screaming. I don't know how you Windows people deal with it. :)
I ran a full malware and virus scan (~9h long) on the build machine and it didn't find anything at all. I tried rebuilding and resubmitting the file to see if things would change, but it seems that virustotal will not take new versions of the same file? Does anyone know if there is a way to re-submit? I also sent tbb-firefox.exe to Emsisoft's false positive detection/evaluation website (http://www.emsisoft.de/en/support/submit/) so that they could evaluate it and hopefully determine that it is in fact a false positive.
If it is an FP I would like to figure out why, and what triggers it. The obfsproxy folks determined that some Python build tools reliably cause FPs with Windows exes, and we are using pymake for our Firefox builds. This is also the same "virus" that we had in tbb-firefox.exe last year (Kazy) that ended up being an FP. The only thing the two releases have in common is a jump in the major Firefox version (10.0.x -> 17.0.x here, 11.0 -> 12.0 there). Do we know anyone who knows things about AV heuristics? Because even though I feel reasonably confident that this is another FP, I'm really uncomfortable about it.
O.K., seems to be alright now. Must have been indeed a false positive. I downloaded and ran tor once again on my system and my virus scanner is not triggered anymore. My definition database is updated hourly, so that was probably a wrong detection or something was fixed meanwhile. That's really odd. It doesn't occur to me really often with a stable tor bundle version. The last report I made for the same matter was April 29th, 2012.
A user has reported that Roboscan AV is detecting the TBB as GEN: Variant.Kazy.31300. I have requested further information from the user and will comment again if we hear back.