Following message in shown when I try to download Vaadin 6.7.0 (I’m behind corporate firewall with McAfee installed):
McAfee Web Gateway Virus Alert
------------------------
McAfee Web Gateway detected a virus!
The transferred file (or attachment) has been replaced by this message.
Virus-Name: McAfee: Exploit-MS06-006.gen
File name (or Attachment-Name): http://vaadin.com/download/release/6.7/6.7.0/vaadin-6.7.0.jar/VAADIN/widgetsets/com.vaadin.terminal.gwt.DefaultWidgetSet/86BC399036AAB02E0958D3D504E484E3.cache.html
Media type (or Attachment-Type): text/html
generated 05/Oct/2011:13:46:10 +0000 by ccfs-lols-6003
(McAfee Web Gateway 6.8.6 Build 6257)
McAfee Web Gateway Virus Alert
------------------------
McAfee Web Gateway detected a virus!
The transferred file (or attachment) has been replaced by this message.
Virus-Name: McAfee: Exploit-MS06-006.gen
File name (or Attachment-Name): http://vaadin.com/download/release/6.7/6.7.1/vaadin-6.7.1.jar/VAADIN/widgetsets/com.vaadin.terminal.gwt.DefaultWidgetSet/77606EA5E0EE1DBFAA670B038A48B8C9.cache.html
Media type (or Attachment-Type): text/html
generated 24/Oct/2011:08:17:48 +0000 by ccfs-lols-6003
(McAfee Web Gateway 6.8.6 Build 6257)
Is it possible to report false positive to McAfee from Vaadin side?
Any practical ideas on what we could do to make virus scanners lesser problem? As they are just pattern matching some fairly general pattens, they are sometimes confusing users by giving false positives for both downloads (both widget set javascript as well as vaadin.jar). is there anything we could do about it?
So the problem seems to be the <embed src=“…” tag in the .html files generated by the gwt compiler.
The compiler sometimes generates long or/and dynamic generated src content, so this is where the AV scanners false trigger.
There are two parts to this problem:
The jar file itself gets unpacked by the av scanners and then download is blocked.
This could be prevented by packing the jar file in a password protected zip file, so the scanners can’t look inside.
But the drawback is then, that the users will have to unzip it with a password.
Perhaps offer a jar and a password protected zip file for download ?
The other problem is when the vaadin app is running behind such a scanning firewall
Here the vaadin JS client running in the web browser requests the xxxx.cache.html files via normal GET requests
and these then can also trigger the av scanner
Other than passing all requests by https (so the scanners can’t look inside) I have no idea how we could prevent this
Oh. Again the same “virus”. I hope McAfee would finally fix the broken virus definition.
If we would offer encrypted zip side by side with non-encrypted one, no-one would download it.
Maybe there could be a way to work around this particular virus definition as it currently causes some confusion. On the other hand - this fix should be done on GWT compiler level.
You would need to add a comment why this zip is placed there for download…
McAfee is in charge of this, not GWT, since it’s correct code and a bad virus scanner…
I think the only hope for Vaadin.jar would be to find out which component uses <embeded src=… and look if there is way to work arround this.
Or perhaps this is something coming from GWT itself, but then other GWT based downloads should show the same false positives…