
IM-6.9.2-7\conftest.exe -> TrojWare.Win32.Ramnit.C@1

Posted: 2015-12-04T13:28:48-07:00
by BrianP007
Hi,

Q: Did Comodo's false detection and blocking of conftest.exe invalidate the config process? If so, is there a standard way (short of uninstalling Comodo) to prevent it?

Details: ====
I am configuring IM latest source on win7/pro/64 with cygwin.64/mingw and suddenly see a fund-raising scare screen from Comodo warning about having just blocked a threat/intrusion. Pay an Expert to clean and "breach check" or try it yourself.

In the log files is ImageMagick-6.9.2-7/conftest.exe -> TrojWare.Win32.Ramnit.C@1; block -> success
But it shows only 1 block. The log file shows many builds of conftest.exe and runnings of it.

I was going to submit it for an online virus scan just to be overly paranoid, but the file does not exist. It is also not in quarantine.
Malwarebytes scan shows no malware.

From the config.log file:
./configure CFLAGS=' -ffast-math -m64 -Ofast -fopenmp -march=native -flto ' --prefix=/usr --enable-static --enable-hdri=yes --with-windows-font-dir=C:/Windows/Fonts --without-modules --with-perl=yes

configure:5112: checking for suffix of executables
configure:5119: gcc -o conftest.exe -ffast-math -m64 -Ofast -fopenmp -march=native -flto conftest.c >&5
configure:5123: $? = 0
configure:5145: result: .exe
configure:5167: checking whether we are cross compiling
configure:5175: gcc -o conftest.exe -ffast-math -m64 -Ofast -fopenmp -march=native -flto conftest.c >&5
configure:5179: $? = 0
configure:5186: ./conftest.exe
configure:5190: $? = 0
configure:5205: result: no

It seems to have determined correctly that we are NOT cross compiling. It is also used in myriad other places in the 15,089 line log.

This happened on the 2nd configure with architecture-specific CFLAGS. There was no "detection" the first time.

The 2nd `make` completed without error in ~2 seconds. The first time it took many minutes. `make check` says everything is "up to date" which is not what I expected. Changing the CFLAGS (to target NATIVE arch, 64bit, -Ofast, ...) should rebuild everything.

It passed all of the tests in `make check`. Googling the 'trojan' shows only the standard, scam, fast-fix-paid-ads.

I am concerned that any config weirdness may turn up as bizarre misbehavior downstream.

==============================================
Why not just use the "standard windoz binary" and not worry about it???

I need to link various low level image creation features from raw data into my C programs. Correct me if I am wrong, but an IM build page shows " ...you must compile all shared library source with the same flag" ... [www _DOT_imagemagick_DOT_org -script - advanced-unix-installation.php].

I do not use msvc (GCC and intel), I don't want i386 "compatibility mode" and I do want to optimize down to the metal (-march, -mtune, -Ofast) as much as possible. Portability is not needed and I can always recompile for that as needed.
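
One way to check whether a blocked conftest.exe affected a configure run is to pair every conftest command in config.log with the `$? = N` status logged after it. This is an added example, not part of the original post or of ImageMagick; the function names are hypothetical, and it assumes a blocked run shows up as a non-zero or missing status.

```python
import re

LINE = re.compile(r"^configure:(\d+): (.*)$")
STATUS = re.compile(r"^\$\? = (\d+)$")

# Lines 1-6 are from the post's config.log; the last four are constructed.
SAMPLE = """\
configure:5167: checking whether we are cross compiling
configure:5175: gcc -o conftest.exe -ffast-math -m64 -Ofast -fopenmp -march=native -flto conftest.c >&5
configure:5179: $? = 0
configure:5186: ./conftest.exe
configure:5190: $? = 0
configure:5205: result: no
configure:9001: checking for a constructed example check
configure:9010: gcc -o conftest.exe conftest.c >&5
configure:9014: $? = 0
configure:9020: ./conftest.exe
configure:9024: $? = 126
"""

def conftest_steps(log_text):
    """Pair each logged conftest build/run command with its '$? = N' status."""
    steps, check, pending = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # compiler output and other unprefixed lines
        lineno, body = int(m.group(1)), m.group(2)
        status = STATUS.match(body)
        if body.startswith("checking "):
            check = body[len("checking "):]
        elif status and pending:
            pending["status"] = int(status.group(1))
            steps.append(pending)
            pending = None
        elif "conftest" in body and not body.startswith("result: "):
            if pending:  # previous command never logged a status
                steps.append(pending)
            kind = "run" if body.startswith("./conftest") else "build"
            pending = dict(line=lineno, check=check, kind=kind, command=body, status=None)
    if pending:
        steps.append(pending)
    return steps

def suspicious_runs(steps):
    """Runs of conftest whose status is non-zero or was never logged."""
    return [s for s in steps if s["kind"] == "run" and s["status"] != 0]

if __name__ == "__main__":
    print(suspicious_runs(conftest_steps(SAMPLE)))
```

Some configure checks run a test program that is expected to fail, so each flagged entry is a starting point for reading that check's `result:` line, not proof that the run was blocked.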

Re: IM-6.9.2-7\conftest.exe -> TrojWare.Win32.Ramnit.C@1

Posted: 2015-12-04T13:52:09-07:00
by dlemstra
Is it possible that your machine is infected and creates a corrupted version of conftest.exe?