Windows Defender causing JOSM problems

Windows Defender causing JOSM problems

Toby Murray-2
Windows Defender has apparently taken offense to JOSM in the latest
malware signature update. Starting on February 19th mine started
claiming to detect a trojan named Skeeyah.H in 3 different class files
inside of the JOSM JAR. Defender helpfully removed these class files
from the JAR. JOSM is not amused by this and crashes on launch with a
NoClassDefFoundError.

I just double checked on my TV computer that runs nothing but Zwift
(virtual bicycle riding to stay fit in the winter months) and it
detected the same thing so I'm pretty sure it is just a false positive
and not me actually being infected with something :)

I just submitted a false positive report to Microsoft. No clue if that
will get anywhere. But I thought I would say something here in case
anyone else runs into this problem.

Toby


Re: Windows Defender causing JOSM problems

Mike N.
On 2/21/2018 3:46 AM, Toby Murray wrote:
> Windows Defender has apparently taken offense to JOSM in the latest
> malware signature update. Starting on February 19th mine started
> claiming to detect a trojan named Skeeyah.H in 3 different class files
> inside of the JOSM JAR. Defender helpfully removed these class files
> from the JAR. JOSM is not amused by this and crashes on launch with a
> NoClassDefFoundError.

   What version of JOSM was this?   I haven't seen this yet with Windows
Defender and JOSM 13367.


Re: Windows Defender causing JOSM problems

Florian Schäfer-2
Here are some other instances where this issue occurs:

https://intellij-support.jetbrains.com/hc/en-us/community/posts/360000091624-Trojan-Skeeyah-H
https://youtrack.jetbrains.com/issue/IDEA-186808
https://answers.launchpad.net/sikuli/+question/664458

Maybe that could help with finding the cause. There are some mentions of scripting in these links. Do you by chance have the scripting plugin installed?

On 21 February 2018 at 12:38:21 CET, Mike N <[hidden email]> wrote:

>On 2/21/2018 3:46 AM, Toby Murray wrote:
>> Windows Defender has apparently taken offense to JOSM in the latest
>> malware signature update. Starting on February 19th mine started
>> claiming to detect a trojan named Skeeyah.H in 3 different class files
>> inside of the JOSM JAR. Defender helpfully removed these class files
>> from the JAR. JOSM is not amused by this and crashes on launch with a
>> NoClassDefFoundError.
>
> What version of JOSM was this?   I haven't seen this yet with Windows
> Defender and JOSM 13367.

--
This message was sent from my Android device with K-9 Mail.

Re: Windows Defender causing JOSM problems

Vincent Privat
OK, now I understand those strange bug reports on Windows... Thanks for the
insights, I'll see what we can do.

On 21 Feb 2018 12:53 PM, "Florian von der Schäferbande 😉" <[hidden email]> wrote:

> Here are some other instances where this issue occurs:
>
> https://intellij-support.jetbrains.com/hc/en-us/community/posts/360000091624-Trojan-Skeeyah-H
> https://youtrack.jetbrains.com/issue/IDEA-186808
> https://answers.launchpad.net/sikuli/+question/664458
>
> Maybe that could help with finding the cause. There are some mentions of
> scripting in these links. Do you by chance have the scripting plugin
> installed?
>
> On 21 February 2018 at 12:38:21 CET, Mike N <[hidden email]> wrote:
> >On 2/21/2018 3:46 AM, Toby Murray wrote:
> >> Windows Defender has apparently taken offense to JOSM in the latest
> >> malware signature update. Starting on February 19th mine started
> >> claiming to detect a trojan named Skeeyah.H in 3 different class files
> >> inside of the JOSM JAR. Defender helpfully removed these class files
> >> from the JAR. JOSM is not amused by this and crashes on launch with a
> >> NoClassDefFoundError.
> >
> > What version of JOSM was this?   I haven't seen this yet with Windows
> > Defender and JOSM 13367.
>
> --
> This message was sent from my Android device with K-9 Mail.
>

Re: Windows Defender causing JOSM problems

Toby Murray-2
In reply to this post by Florian Schäfer-2
JOSM plugins are not a factor here. Windows is scanning and flagging
the josm-latest.jar file as soon as a browser downloads it. I don't
remember exactly which class files it is flagging. One was an inner
class dealing with XML parsing. Given that the IntelliJ problem seems
to be with a regex related class, I wonder if there is a certain regex
string that is triggering it. I'm all Linux at work so I'll have to
check at home tonight to see if there is something simple in common
between the JOSM classes and the IntelliJ problem.

Toby

On Wed, Feb 21, 2018 at 5:52 AM, Florian von der Schäferbande 😉
<[hidden email]> wrote:

> Here are some other instances where this issue occurs:
>
> https://intellij-support.jetbrains.com/hc/en-us/community/posts/360000091624-Trojan-Skeeyah-H
> https://youtrack.jetbrains.com/issue/IDEA-186808
> https://answers.launchpad.net/sikuli/+question/664458
>
> Maybe that could help with finding the cause. There are some mentions of scripting in these links. Do you by chance have the scripting plugin installed?
>
> On 21 February 2018 at 12:38:21 CET, Mike N <[hidden email]> wrote:
>>On 2/21/2018 3:46 AM, Toby Murray wrote:
>>> Windows Defender has apparently taken offense to JOSM in the latest
>>> malware signature update. Starting on February 19th mine started
>>> claiming to detect a trojan named Skeeyah.H in 3 different class files
>>> inside of the JOSM JAR. Defender helpfully removed these class files
>>> from the JAR. JOSM is not amused by this and crashes on launch with a
>>> NoClassDefFoundError.
>>
>> What version of JOSM was this?   I haven't seen this yet with Windows
>> Defender and JOSM 13367.
>
> --
> This message was sent from my Android device with K-9 Mail.


Re: Windows Defender causing JOSM problems

Vincent Privat
Toby, are you still able to reproduce? My Windows Defender has been updated
today and I cannot reproduce, even when downloading JOSM from IE or Edge.
A manual scan doesn't report any warning either.

2018-02-21 17:34 GMT+01:00 Toby Murray <[hidden email]>:

> JOSM plugins are not a factor here. Windows is scanning and flagging
> the josm-latest.jar file as soon as a browser downloads it. I don't
> remember exactly which class files it is flagging. One was an inner
> class dealing with XML parsing. Given that the IntelliJ problem seems
> to be with a regex related class, I wonder if there is a certain regex
> string that is triggering it. I'm all Linux at work so I'll have to
> check at home tonight to see if there is something simple in common
> between the JOSM classes and the IntelliJ problem.
>
> Toby
>
> On Wed, Feb 21, 2018 at 5:52 AM, Florian von der Schäferbande 😉
> <[hidden email]> wrote:
> > Here are some other instances where this issue occurs:
> >
> > https://intellij-support.jetbrains.com/hc/en-us/community/posts/360000091624-Trojan-Skeeyah-H
> > https://youtrack.jetbrains.com/issue/IDEA-186808
> > https://answers.launchpad.net/sikuli/+question/664458
> >
> > Maybe that could help with finding the cause. There are some mentions of
> > scripting in these links. Do you by chance have the scripting plugin
> > installed?
> >
> > On 21 February 2018 at 12:38:21 CET, Mike N <[hidden email]> wrote:
> >>On 2/21/2018 3:46 AM, Toby Murray wrote:
> >>> Windows Defender has apparently taken offense to JOSM in the latest
> >>> malware signature update. Starting on February 19th mine started
> >>> claiming to detect a trojan named Skeeyah.H in 3 different class files
> >>> inside of the JOSM JAR. Defender helpfully removed these class files
> >>> from the JAR. JOSM is not amused by this and crashes on launch with a
> >>> NoClassDefFoundError.
> >>
> >> What version of JOSM was this?   I haven't seen this yet with Windows
> >> Defender and JOSM 13367.
> >
> > --
> > This message was sent from my Android device with K-9 Mail.
>
>

Re: Windows Defender causing JOSM problems

Toby Murray-2
There was a definition update early this morning that seems to have fixed
this.

For the record, these three classes are the ones that got flagged:
org/openstreetmap/josm/data/validation/tests/OpeningHourTest.class
org/openstreetmap/josm/gui/io/CustomConfigurator$XMLCommandProcessor.class
org/openstreetmap/josm/tools/OverpassTurboQueryWizard.class

I don't see much regex in those files like I was theorizing about earlier.
I do see a lot of calls to an "eval" method which I could see being
flagged. Not because of this method in particular but "eval" functions are
often ways to get arbitrary code execution started.

Toby



On Wed, Feb 21, 2018 at 3:33 PM, Vincent Privat <[hidden email]>
wrote:

> Toby, are you still able to reproduce? My Windows Defender has been
> updated today and I cannot reproduce, even when downloading JOSM from IE or
> Edge.
> A manual scan doesn't report any warning either.
>
> 2018-02-21 17:34 GMT+01:00 Toby Murray <[hidden email]>:
>
>> JOSM plugins are not a factor here. Windows is scanning and flagging
>> the josm-latest.jar file as soon as a browser downloads it. I don't
>> remember exactly which class files it is flagging. One was an inner
>> class dealing with XML parsing. Given that the IntelliJ problem seems
>> to be with a regex related class, I wonder if there is a certain regex
>> string that is triggering it. I'm all Linux at work so I'll have to
>> check at home tonight to see if there is something simple in common
>> between the JOSM classes and the IntelliJ problem.
>>
>> Toby
>>
>> On Wed, Feb 21, 2018 at 5:52 AM, Florian von der Schäferbande 😉
>> <[hidden email]> wrote:
>> > Here are some other instances where this issue occurs:
>> >
>> > https://intellij-support.jetbrains.com/hc/en-us/community/posts/360000091624-Trojan-Skeeyah-H
>> > https://youtrack.jetbrains.com/issue/IDEA-186808
>> > https://answers.launchpad.net/sikuli/+question/664458
>> >
>> > Maybe that could help with finding the cause. There are some mentions
>> > of scripting in these links. Do you by chance have the scripting plugin
>> > installed?
>> >
>> > On 21 February 2018 at 12:38:21 CET, Mike N <[hidden email]> wrote:
>> >>On 2/21/2018 3:46 AM, Toby Murray wrote:
>> >>> Windows Defender has apparently taken offense to JOSM in the latest
>> >>> malware signature update. Starting on February 19th mine started
>> >>> claiming to detect a trojan named Skeeyah.H in 3 different class files
>> >>> inside of the JOSM JAR. Defender helpfully removed these class files
>> >>> from the JAR. JOSM is not amused by this and crashes on launch with a
>> >>> NoClassDefFoundError.
>> >>
>> >> What version of JOSM was this?   I haven't seen this yet with Windows
>> >> Defender and JOSM 13367.
>> >
>> > --
>> > This message was sent from my Android device with K-9 Mail.
>>
>>
>
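
Added example, not part of the original thread: a Python check that compares a local JAR entry by entry against a known-good reference copy and reports entries that are missing or changed, which is how the removal described in the first message shows up on disk. The function names, the placeholder entry and the in-memory sample JARs are constructed for illustration; the three class names are the ones listed in the last message.

```python
import hashlib
import io
import zipfile

# Class files the thread reports as flagged and removed by Windows Defender.
FLAGGED = [
    "org/openstreetmap/josm/data/validation/tests/OpeningHourTest.class",
    "org/openstreetmap/josm/gui/io/CustomConfigurator$XMLCommandProcessor.class",
    "org/openstreetmap/josm/tools/OverpassTurboQueryWizard.class",
]

def entry_digests(jar):
    """Map every file entry of a JAR (path or file object) to its SHA-256."""
    with zipfile.ZipFile(jar) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def compare_jars(reference, local):
    """Report entries missing from, changed in, or added to the local JAR."""
    ref, loc = entry_digests(reference), entry_digests(local)
    return {
        "missing": sorted(ref.keys() - loc.keys()),
        "modified": sorted(n for n in ref.keys() & loc.keys() if ref[n] != loc[n]),
        "extra": sorted(loc.keys() - ref.keys()),
    }

def build_jar(entries):
    """Build an in-memory JAR from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

def demo():
    # Constructed sample: placeholder bytes stand in for real class files.
    full = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
            "example/Placeholder.class": b"\xca\xfe\xba\xbe placeholder"}
    full.update({name: b"\xca\xfe\xba\xbe " + name.encode() for name in FLAGGED})
    stripped = {n: d for n, d in full.items() if n not in FLAGGED}
    return compare_jars(build_jar(full), build_jar(stripped))

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

On a real machine, pass `compare_jars` the path of a reference copy of josm-latest.jar and the path of the local copy; a non-empty `missing` list explains a NoClassDefFoundError at launch.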