bitcoin: SAV reported bitcoind infected with Silly.218, crashed bitcoind (likely false positive)

OS: Win 7 x64
Bitcoin Core: 0.9.1

While running bitcoind.exe --reindex:

    c:\Program Files\Bitcoin\daemon>bitcoind.exe --reindex
    Error: System error: Database I/O error

Symantec Anti Virus (SAV) detected Silly.218 in chainstate\052878.sst (other names under which the malware is known: Virus.DOS.Dutch_Tiny.163.a (Kaspersky), Silly.218 (Symantec), Tiny-Family #3 (Avira)). Hash of the pattern detected: E272F4FF4AD99D1C48C4888990893FC6193DB1CB9849C69B1710069BBD047E0D

As the file was automatically quarantined and deleted (I can't change the SAV default settings), that crashed bitcoind and corrupted the bitcoin DB.

Internet search on this yielded no results. This looks like a false positive.

About this issue

  • State: closed
  • Created 10 years ago
  • Comments: 87 (64 by maintainers)

Most upvoted comments

Please think about what a virus is: Executable code. There are only 3 ways in which data in a file can be executable on any operating system:

  • The file contains a program header. Notice that the file extension is not a program header; the header is contained inside the file. On Windows it's typically a PE header (http://en.wikipedia.org/wiki/Portable_Executable). The trick for executing .TXT files likely only works if they contain such a header. [But then it is not even an exploit; if I recall correctly, you are, for example, free to use the regular Windows CreateProcess() API to execute files without an EXE extension.] So as our SST files do not contain a program header, this case does not match.
  • The file does not contain a program header but the operating system still executes its content automatically due to exploitable bugs. This has been used in viruses for sure. But it is again not our problem, the bug in the OS is to blame and to be fixed.
  • The file does not contain a program header but there is a different file, commonly called a “loader”, on the computer which does contain a program header, thereby gets executed, and contains code to load the non-executable SST file into its own address space and execute it. This is the only case which in theory could match here. But there is no reason for a loader-program on a computer to randomly pick up our SST files and load the very particular area which contains the virus for execution. This would have to be done intentionally, you don’t just execute random file content. So the loader is the malicious root of execution. And as long as the virus scanner detects and deletes the loader, the non-executable SST file is completely harmless. There is no reason for the virus scanner to care about the non-executable file. So even in this only matching case, there still would be a large indication that the virus scanner is just wrong here, it is a false positive.

Conclusion: You are wasting your time discussing this. Contact Symantec to fix the false positive. They are obliged to do so: after all, a virus scanner divides the world into "good" and "bad" software, which is a really judgmental thing to do, and someone who is that judgmental has a moral obligation to only judge against something which is really malicious, which Bitcoin isn't in any way. It is their job to fix this.
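A triage script for a hit like the one in the report above, added here as an example; it is not code from the issue thread, from Bitcoin Core or from Symantec. It applies the comment's first point mechanically: it checks whether a file carries a PE program header (an "MZ" stub whose e_lfanew field points at the "PE\0\0" signature, which is what Windows needs before it will run the file through CreateProcess), checks whether the file instead ends with the LevelDB table-file magic that a chainstate *.sst file from Bitcoin Core 0.9.x (which stores chainstate in LevelDB) should carry, and computes the file's SHA-256 so it can be compared with the hash the scanner printed. Two assumptions: the reported 64-hex-digit value is a SHA-256 of the quarantined file (the report only says "hash of the pattern detected"), and the sample bytes below are constructed in memory, since the real 052878.sst was deleted by the scanner.

```python
"""Classify a file an AV scanner flagged: PE executable, LevelDB table, or plain data.

Added example, not code from the bitcoin/bitcoin issue or from the project.
The two sample blobs at the bottom are constructed in-memory stand-ins."""
import hashlib
import struct

# LevelDB's kTableMagicNumber (table/format.h). It is written little-endian
# as the last 8 bytes of every table file; the whole footer is 48 bytes.
LEVELDB_TABLE_MAGIC = 0xDB4775248B80FB57
LEVELDB_FOOTER_LEN = 48

# Hash printed by the scanner in the issue report; assumed to be SHA-256 of the file.
REPORTED_HASH = "E272F4FF4AD99D1C48C4888990893FC6193DB1CB9849C69B1710069BBD047E0D"


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Slicing past the end yields a short string, so an out-of-range offset is False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_leveldb_table(data: bytes) -> bool:
    """True if data ends with the LevelDB table footer magic."""
    if len(data) < LEVELDB_FOOTER_LEN:
        return False
    (magic,) = struct.unpack_from("<Q", data, len(data) - 8)
    return magic == LEVELDB_TABLE_MAGIC


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, matching the case the scanner printed."""
    return hashlib.sha256(data).hexdigest().upper()


def classify(data: bytes) -> str:
    if is_pe_executable(data):
        return "pe-executable"
    if is_leveldb_table(data):
        return "leveldb-table"
    return "other-data"


def triage(data: bytes, reported_hash: str = REPORTED_HASH) -> dict:
    """What the scanner actually flagged, and whether its hash matches this file."""
    digest = sha256_hex(data)
    return {
        "kind": classify(data),
        "sha256": digest,
        "hash_matches_report": digest == reported_hash.upper(),
    }


def triage_file(path: str, reported_hash: str = REPORTED_HASH) -> dict:
    """Same check over a file on disk, e.g. a copy restored from quarantine."""
    with open(path, "rb") as fh:
        return triage(fh.read(), reported_hash)


# --- constructed samples (not real files) ---

def make_fake_sst(payload: bytes) -> bytes:
    """Payload + 40 bytes standing in for the block handles + little-endian magic."""
    return payload + b"\x00" * 40 + struct.pack("<Q", LEVELDB_TABLE_MAGIC)


def make_fake_pe() -> bytes:
    """Minimal MZ stub with e_lfanew = 0x40 pointing at a PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_SST = make_fake_sst(b"\xde\xad" * 64)  # stand-in for chainstate\052878.sst
SAMPLE_PE = make_fake_pe()                      # stand-in for a real executable

if __name__ == "__main__":
    for name, blob in (("sample.sst", SAMPLE_SST), ("sample.exe", SAMPLE_PE)):
        print(name, triage(blob))
```

Run `triage_file(r"C:\path\to\052878.sst")` on a copy restored from the quarantine, if the SAV console allows that; a result of `leveldb-table` with no PE header means the scanner matched a byte pattern inside database content, which is the false-positive case the comment above describes. A hash mismatch only means the scanner hashed something other than the whole file (a signature pattern or a block), not that the file is clean or dirty.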