Vaadin 6.7.0 is detected as a virus by McAfee

The following message is shown when I try to download Vaadin 6.7.0 (I’m behind a corporate firewall with McAfee installed):


McAfee Web Gateway Virus Alert
------------------------

McAfee Web Gateway detected a virus!

The transferred file (or attachment) has been replaced by this message.

Virus-Name:      McAfee: Exploit-MS06-006.gen
File name (or Attachment-Name): http://vaadin.com/download/release/6.7/6.7.0/vaadin-6.7.0.jar/VAADIN/widgetsets/com.vaadin.terminal.gwt.DefaultWidgetSet/86BC399036AAB02E0958D3D504E484E3.cache.html
Media type (or Attachment-Type): text/html

generated 05/Oct/2011:13:46:10 +0000 by ccfs-lols-6003
   (McAfee Web Gateway 6.8.6 Build 6257)

Here is the direct download link:

http://vaadin.com/download/release/6.7/6.7.0/vaadin-6.7.0.jar

Time to tell McAfee about the false positive…

André

Same with 6.7.1 here:


McAfee Web Gateway Virus Alert
------------------------

McAfee Web Gateway detected a virus!

The transferred file (or attachment) has been replaced by this message.

Virus-Name:      McAfee: Exploit-MS06-006.gen
File name (or Attachment-Name): http://vaadin.com/download/release/6.7/6.7.1/vaadin-6.7.1.jar/VAADIN/widgetsets/com.vaadin.terminal.gwt.DefaultWidgetSet/77606EA5E0EE1DBFAA670B038A48B8C9.cache.html
Media type (or Attachment-Type): text/html

generated 24/Oct/2011:08:17:48 +0000 by ccfs-lols-6003
   (McAfee Web Gateway 6.8.6 Build 6257)

Is it possible to report a false positive to McAfee from the Vaadin side?

No.

No idea how / where to do this on the McAfee site. You will have to search.

Any practical ideas on what we could do to make virus scanners less of a problem? As they are just pattern matching some fairly general patterns, they are sometimes confusing users by giving false positives for both downloads (both the widget set JavaScript as well as vaadin.jar). Is there anything we could do about it?

When I look at the initial virus report, it leads to this link (the CVE dates back to 2006, five years ago):

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0005

So the problem seems to be the <embed src=“…” tag in the .html files generated by the GWT compiler.
The compiler sometimes generates long and/or dynamically generated src content, so this is where the AV scanners falsely trigger.

There are two parts to this problem:

  • The jar file itself gets unpacked by the AV scanners and then the download is blocked.
    This could be prevented by packing the jar file in a password-protected zip file, so the scanners can’t look inside.
    But the drawback is that the users will then have to unzip it with a password.
    Perhaps offer a jar and a password-protected zip file for download?

  • The other problem is when the Vaadin app is running behind such a scanning firewall.
    Here the Vaadin JS client running in the web browser requests the xxxx.cache.html files via normal GET requests,
    and these can then also trigger the AV scanner.
    Other than passing all requests by https (so the scanners can’t look inside), I have no idea how we could prevent this.

André
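For the first part of the problem described above (the gateway unpacks the jar and names one member), a triage sketch added here as an example; it is not code from the thread or from Vaadin. It splits the alert's "File name" value into download URL and archive member, then reports the member's SHA-256 and the `src` length of each `<embed>` tag so the exact file can be attached to a false-positive report. The jar contents are constructed in memory, and treating `<embed src=` as the matched pattern is the poster's assumption.

```python
import hashlib
import io
import re
import zipfile

# "File name" value from the gateway alert quoted in the thread.
ALERT_PATH = ("http://vaadin.com/download/release/6.7/6.7.0/vaadin-6.7.0.jar"
              "/VAADIN/widgetsets/com.vaadin.terminal.gwt.DefaultWidgetSet/"
              "86BC399036AAB02E0958D3D504E484E3.cache.html")

ARCHIVE_EXT = re.compile(r"\.(jar|zip|war)/", re.IGNORECASE)
EMBED_TAG = re.compile(rb"<embed\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(rb"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def split_alert_path(path):
    """Split 'archive-URL/member/inside/archive' into (archive_url, member)."""
    m = ARCHIVE_EXT.search(path)
    if not m:
        raise ValueError("no archive component in alert path")
    return path[:m.end() - 1], path[m.end():]


def triage_member(jar_bytes, member):
    """Hash the flagged member and measure the src of every <embed> tag in it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        data = jar.read(member)  # raises KeyError if the member is absent
    src_lengths = []
    for tag in EMBED_TAG.findall(data):
        m = SRC_ATTR.search(tag)
        src = next((g for g in m.groups() if g is not None), b"") if m else b""
        src_lengths.append(len(src))
    return {"member": member, "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data), "embed_src_lengths": src_lengths}


def build_sample_jar(member):
    """Constructed stand-in for the real jar: one small HTML member."""
    html = b'<html><body><embed src="movie.swf"><embed type="x"></body></html>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(member, html)
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue(), html


if __name__ == "__main__":
    url, member = split_alert_path(ALERT_PATH)
    print(url)
    print(triage_member(build_sample_jar(member)[0], member))
```

On a real download, pass the bytes of the jar fetched over a channel the gateway does not rewrite, and include the reported hash and member path in the vendor submission.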

Oh. Again the same “virus”. I hope McAfee would finally fix the broken virus definition.

If we offered an encrypted zip side by side with a non-encrypted one, no one would download it.

Maybe there could be a way to work around this particular virus definition as it currently causes some confusion. On the other hand - this fix should be done on GWT compiler level.

You would need to add a comment why this zip is placed there for download…

McAfee is in charge of this, not GWT, since it’s correct code and a bad virus scanner…

I think the only hope for Vaadin.jar would be to find out which component uses <embed src=… and look if there is a way to work around this.
Or perhaps this is something coming from GWT itself, but then other GWT-based downloads should show the same false positives…

After a quick Google search it seems like only Vaadin is affected.

The McAfee request form is here: https://secure.mcafee.com/apps/mcafee-labs/dispute-form.aspx?region=us
I think it should be filled in by Vaadin Ltd itself.