Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Getting a malware trojan warning from our local machines for ImageProcessor.dll #162
Well, it can come from pretty much anywhere.
ImageProcessor itself does not contain malicious code (that's a benefit of open source, you can check it out), but we cannot guarantee that the place that you got your DLL from haven't added code on top of it.
You can also already have a virus that infects your PCs.
I think your server is compromised. Here's a scan of the binary from the latest package. https://www.virustotal.com/en/file/96ac35fd1eba8c0414ed8b0a051d679c52d8ea5310e0377a62fe303228016eda/analysis/1430752679/
Right so, as an update...
Our campus-wide malware definitions were updates on the 1st and that's when we started getting the notification (we use MalwareBytes). We get it on any machine using NuGet as our source.
I'm not at all concerned with the source code and since our checksum matches, I'll have to just ignore it for now.
Closing, but thought I'd ask :)
After receiving 3 questions about this in a week, it seems like windows defender is now detecting this as a threat more aggressively than before. This is obviously not a good experience when you try out Umbraco for the first time, and I can't imagine it's a good experience for people checking out ImageProcessor for the first time.
I think we have a few options:
I believe number 1, separating out the post processing is likely the best option as it will also avoid issues with people using IP without Umbraco.
Happy to work on it and provide a pull request after feedback on this!
Microsoft gets their arse in gear and stop detecting perfectly valid software as a virus... Do you have any contacts there because this is just stupid?
The code used to be a split out package but I integrated the it into the main solution so that all the caches could benefit.
I guess it's Hobson's choice... 1 seems to my only option. I should potentially be able to split it back out now that I'm using a stream. I may simply scrap it though. Depending on 3rd party software always seems to cause me problems.
The current virus detection is attributed to one program: PngOut.
I'm not the only one to have problems. madskristensen/WebEssentials2013#1508
OptiPng triggers a similar response also.
That other issue is totally unrelated.
ImageProcessor.Web v4.4.0 intercepts all image requests after I reduced the processing criteria because Umbraco has RAMMFAR enabled by default, why is that the case? As such, the images on that site are being stored temporarily in memory, at full, unprocessed size. Why are they not using ImageProcessor and the built in cropper I wonder?
As regards to that. I'm going to enforce that all image requests require querystring params again. I may even drop storing images in memory at all.
I'm gonna create a new feature branch and take a crack at stripping it all out. I'll give you a shout if I need a hand though I'm hoping it won't take more than an hour or so.
Seems like a sad but essential step, if Mads hasn't been able to get Defender fixed it would seem unlikely anytime soon :(
Two things, firstly with the post processor split out again, will it still work ok with the Azure cache plugin as it does now? Secondly, please don't totally remove the processing of images without querystrings, we have come to rely on it when used in combination with a CloudImageService, at the very least let it be enabled by configuration.
@nul800sebastiaan No worries, It was a bee in my bonnet so I had to get it fixed.
@Jeavon Yeah, this will work with all the cache systems as it now intercepts the stream rather than the old way using the file path. I'll tweak the code to allow the configuration of querystring-less image interception. By default I will probably have it off though.