Trojan in trinity.dll about graphengine HOT 14 CLOSED

I believe the issue has been resolved, so I will be closing this issue. Feel free to reopen it if you have any further questions.

from graphengine.

@Diaaz I found the code that represents what looks to be a Trojan, and I can almost guarantee you that it is not. I just need to verify what I found with the Microsoft Graph Engine team lead; what you see in the DLL is the SHA-512 encoding of the word, TRINITY. :-)

from graphengine.

@Diaaz I think you have answered this question already; have you tried to build the trinity.dll yourself? As you know the trinity.dll is written in C++; I will review the compile process as well as the libraries use in the build process. I will get vack to you shortly. What time zone are you in?

from graphengine.

Hi. I am running local security scans now on two of my dev and build machines. I, like you, have applications deployed to users for a few years now and we have never seen this problem. I perform local builds and do update the lib folder contents. We perform a scan before we ship all of our apps we have never run into this problem. I'll get back to you shortly.

from graphengine.

Okay, I have scanned two machines now and these files in particular the machines are clean. I use the built-in Windows 11 Defender (complete scan) and Malwarebytes (most rigorous) for Teams 4.5.32; I will now run an offline scan as well.

from graphengine.

Thanks for checking. Only Trendmicro detects it as a trojan, but that is exactly the scanner some of our customers are using. This is the output of jotty.org on trinity.dll (from your lib folder).

from graphengine.

I am also testing using TotalAV and it does not report the file to contain a Trojan. I will check with one other party; my guess is that this maybe a false positive. I will check with another objective party that tracks Trojan signatures.

from graphengine.

Thanks! If it is a false positive, do you know how to work around that? TrendMicro says it is a trojan, but can recompiling trinity in some other way work around that? The problem is we cannot deploy to some customers now, because they use trendmicro.

from graphengine.

Yes, we have built it ourselves and that does not solve the problem. Still a 'trojan'. I am in Central European Time

from graphengine.

I will run this past the Microsoft C++ Security runtime group. I don't see the problem on my build machines. I am building with the Specter Intel fix. I will also see if the Microsoft Research team has any time ideas. I have never encountered a problem like this.

from graphengine.

Do you know why the previous version is found 'clean'? Is this sha-512 encoding added in the last version?

from graphengine.

Following this topic for interests.

from graphengine.

@Diaaz There is absolutely no Trojan in the prebuilt binary. Since all the source code can be found in this public repository, everyone can inspect it. It is possible that a certain binary sequence triggered the false alarm. I have recently updated the dependencies and rebuilt the binary files in the "lib" folder using the latest source code in the repo. I believe this issue has been resolved with the updated files. Here are the scanning results using the URL mentioned in your post:

from graphengine.

@shaobin Thanks! Problem solved.

from graphengine.