<div dir="ltr">This wouldn't be the first time some program that uses heuristic execution patterns to detect malware decided it didn't like the STG.</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 28, 2017 at 4:15 PM, Matthew Lamari <span dir="ltr">&lt;<a href="mailto:matt.lamari@gmail.com" target="_blank">matt.lamari@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p>The site gave me the 5ffdaa sha256 you have below for touchy.exe.</p>
    <p>That said, I still have the 2 builds yielding different results from
      Hitman Pro on the clean boxes. And Bitdefender, on my machine,
      (albeit being obtuse) chucks a fit over it. It doesn't detect the
      EXE files, but detects secondary consequences of them running.</p>
    <p><b>I really think something is afoot here.</b><br>
    </p><div><div class="h5">
    <div class="m_-6212924050585215219moz-cite-prefix">On 12/28/2017 3:00 PM,
      <a class="m_-6212924050585215219moz-txt-link-abbreviated" href="mailto:lonetiger@gmail.com" target="_blank">lonetiger@gmail.com</a> wrote:<br>
    </div>
    <blockquote type="cite">
      
      
      
      <div class="m_-6212924050585215219WordSection1">
        <p class="MsoNormal">Upload one of the binaries it flagged to <a href="https://www.virustotal.com/en/" target="_blank">https://www.virustotal.com/en/</a>
          and send the link.</p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">As far as I can tell, they’re all clean.</p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal"><a href="https://www.virustotal.com/en/file/9cc2a6032dde8d8ab572f9491041242ab4c76d2b7d36eea5283c82cf9bf9fd69/analysis/" target="_blank">https://www.virustotal.com/en/<wbr>file/<wbr>9cc2a6032dde8d8ab572f949104124<wbr>2ab4c76d2b7d36eea5283c82cf9bf9<wbr>fd69/analysis/</a></p>
        <p class="MsoNormal"><a class="m_-6212924050585215219moz-txt-link-freetext" href="https://www.virustotal.com/en/file/5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782/analysis/" target="_blank">https://www.virustotal.com/en/<wbr>file/<wbr>5ffdaa7da4381637ab2a0ec327118c<wbr>d933398a477430e2f5d94e9d53c53f<wbr>2782/analysis/</a></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
          <p class="MsoNormal" style="border:none;padding:0in"><b>From:
            </b><a href="mailto:matt.lamari@gmail.com" target="_blank">Matthew Lamari</a><br>
            <b>Sent: </b>Thursday, December 28, 2017 20:29<br>
            <b>To: </b><a href="mailto:ghc-devs@haskell.org" target="_blank">ghc-devs@haskell.org</a><br>
            <b>Subject: </b>Haskell Platform 8.2.2 - virus?</p>
        </div>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">New Haskell install was tripping my
          Bitdefender like crazy and in weird ways - not new as that's how
          Bitdefender rolls. However, I retested in a clean test, with
          (free) Hitman Pro.</p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">I started from a base case with 2 clean
          Windows 8 VMs.</p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">New 8.2.2 install - has virus</p>
        <p class="MsoNormal">Old 8.0.2 Jan 2017 - no virus</p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">According to Hitman Pro, touchy.exe,
          haddock-8.2.2, ghc-8.2.2.exe, and unlit.exe have some problem
          post-install. I went no further on the VMs.</p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">"Detection Names</p>
        <p class="MsoNormal">Kaspersky          
          Trojan-Downloader.Win32.Paph.<wbr>fsv</p>
        <p class="MsoNormal">"</p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">Bitdefender didn't get it on install but
          would lock the whole thing down on the first run of "Cabal".</p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">______________________________<wbr>_________________</p>
        <p class="MsoNormal">ghc-devs mailing list</p>
        <p class="MsoNormal"><a class="m_-6212924050585215219moz-txt-link-abbreviated" href="mailto:ghc-devs@haskell.org" target="_blank">ghc-devs@haskell.org</a></p>
        <p class="MsoNormal"><a class="m_-6212924050585215219moz-txt-link-freetext" href="http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs" target="_blank">http://mail.haskell.org/cgi-<wbr>bin/mailman/listinfo/ghc-devs</a></p>
        <p class="MsoNormal"><u></u> <u></u></p>
      </div>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>brandon s allbery kf8nh                               sine nomine associates</div><div><a href="mailto:allbery.b@gmail.com" target="_blank">allbery.b@gmail.com</a>                                  <a href="mailto:ballbery@sinenomine.net" target="_blank">ballbery@sinenomine.net</a></div><div>unix, openafs, kerberos, infrastructure, xmonad        <a href="http://sinenomine.net" target="_blank">http://sinenomine.net</a></div></div></div>
</div>