
I recently downloaded the latest Firebird JDBC driver (Jaybird 3.0.4 for Java 8) from the Firebird.org website. Windows Defender has quarantined the download saying it is infected with the Trojan:Java/Tisifi.C virus. The same thing happens with the driver for Java 7.

I think it highly unlikely that the file is infected, but can't be sure. Is this a false positive or a true threat? If a false positive, how can I get the file out of quarantine?

FYI, I am running Windows 10 Pro.


1 Answer

Jaybird does not have a virus in it. I also downloaded the files from https://www.firebirdsql.org/en/jdbc-driver/ but don't get any warning from Windows Defender.

It seems to me that it is either a false positive, or your machine is already infected with something that modifies files on download/open. Consider comparing the hashes shown below with that of your download.

You can get the (SHA256) hash using PowerShell as:

Get-FileHash Jaybird-3.0.4-JDK_1.8.zip

Output on my machine for both:

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          FDBE76C72C21001520BAE8E926F9FDAA227F1B7918660A71283D5D9B0E4E463F       D:\install\Jaybird-3.0.4-JDK_1.7.zip
SHA256          86D2C6BB28DE93A8D239A3EC49BF1ED9A29082AC17C899FD801A063C270ADD2A       D:\install\Jaybird-3.0.4-JDK_1.8.zip

As Windows Defender on my machine reports no problems, make sure you are using the latest version (I just updated the definitions to 1.267.1375.0 of today).

I also submitted the downloads to https://virusdesk.kaspersky.com/ without anything found:

File Jaybird-3.0.4-JDK_1.7.zip is safe.

The file is safe to keep, use and send.

Scan result
File is safe
File size 9.56 MB
File type ARC/ZIP
Scan date May 15 2018 11:18:31
Databases release date May 15 2018 08:37:28 UTC
MD5 e18897cf9d2fac831879d3d1e49b26be
SHA1 15a53c3408954dd8b9ca976e5fe5f9adaf2e5dfa
SHA256 fdbe76c72c21001520bae8e926f9fdaa227f1b7918660a71283d5d9b0e4e463f

and

File Jaybird-3.0.4-JDK_1.8.zip is safe.

The file is safe to keep, use and send.

Scan result
File is safe
File size 9.84 MB
File type ARC/ZIP
Scan date May 15 2018 11:22:06
Databases release date May 15 2018 08:37:28 UTC
MD5 3f2dd2328e20d83fcf862e78a02eab43
SHA1 cfd6b93175758c7b282af6e5eddf8e7d88ba4ae1
SHA256 86d2c6bb28de93a8d239a3ec49bf1ed9a29082ac17c899fd801a063c270add2a

I also submitted the files to https://virusscan.jotti.org (as suggested by Arioch'The) and none of the 16 scanners used by that site reported problems, see this scan report.

Disclaimer: I maintain Jaybird and created the build.

  • one can also easily check hashes with https://github.com/gurnec/HashCheck - just a text search :-D – Arioch 'The May 15 '18 at 12:50
  • Mark, thanks for the feedback. I believe you are correct and the problem is with my computers. I had the initial trouble with a home desktop I rarely use. The interesting thing is that I just tried the download again this morning on my laptop which is also running windows 10 and the download was quarantined. I then went to a couple of different work computers, one running Windows 7 and the other running Windows 10 and both downloaded without a hitch. I am not sure what is causing the false positive on my two computers. My virus definitions are up to date at version 1.267.1375.0. – Terry Thompson May 15 '18 at 15:55
  • I attempted to run gethash as recommended and gethash could not find the file. I don't know where on my computer the file is quarantined or how to get it out. Any suggestions? – Terry Thompson May 15 '18 at 15:59
  • I just attempted to download the driver on yet another home computer and the driver was quarantined. The only thing the three computers have in common besides having Win 10 Pro installed is that they have a WSE 2012 R2 remote connector installed. Also, I am missing restore and remove buttons in Windows Defender on each, so I can restore the files. – Terry Thompson May 15 '18 at 23:53
  • I'm not sure what could be causing this. You may have to contact Microsoft about this. Regarding the question about getting the file out of quarantine, that is probably something you need to ask on https://superuser.com/ – Mark Rotteveel May 16 '18 at 07:59
  • I ended up downloading the zip file to a different computer, extracting the files and copying them to my laptop. Does the JDBC driver require any configuration, such as pointing it to fbclient.dll? – Terry Thompson May 16 '18 at 12:15
  • @joeb545 No, unless you explicitly want to use native connections or even Firebird embedded. The default is a pure java implementation, which doesn't need fbclient. – Mark Rotteveel May 16 '18 at 12:52
  • I had this problem, disabled the quarantine via Windows Defender and verified the hash against this post (assuming Mark isn't trying to infect us with malware ;) and it seems to be all good. I've also found other posts around the net about Windows Defender false positives, specifically relating to Tisifi.c in addition to other malware. – Seth Jun 21 '18 at 03:16
  • You also might be able to bypass the virus scan by downloading using curl and piping it in and out of a base64 encoder or something similarly moronic :D – Seth Jun 21 '18 at 03:17
  • @Seth I'm curious why this is happening though, I'm using Windows Defender myself, and I don't have this problem. – Mark Rotteveel Jun 21 '18 at 07:51
  • Yea, it's making me a little worried about defender - I really don't want to go back to the bad old days of AV. You're in good company though - things like IntelliJ IDEA have been marked as trojans as well :D – Seth Jun 24 '18 at 06:01
  • I have submitted jaybird-3.0.5-jdk_1.8.zip with Incorrect detection subject to windows defender team so with new latest malware definitions should be ok (you can also submit the previous version if there are still issues with jaybird zip file) – Mariuz Oct 15 '18 at 12:48
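The hash check from the answer, plus the quarantine inspection asked about in the comments, as one PowerShell script. This is an added example, not code from the answer, the question, or the Jaybird project; it assumes the zips were saved to the default Downloads folder (`$downloadDir`), uses the SHA256 values published in the answer as the reference, and relies on the Defender cmdlets and `MpCmdRun.exe` that ship with Windows 10 (the quarantine commands need an elevated prompt):

```powershell
# Added example (not from the original post): verify the downloaded Jaybird zips
# against the SHA256 values quoted in the answer, then inspect what Windows Defender
# detected and what it holds in quarantine.
# Assumption: files were saved to the default Downloads folder; adjust $downloadDir.

$downloadDir = Join-Path $env:USERPROFILE 'Downloads'

# Reference hashes as published in the answer. Get-FileHash prints upper-case hex;
# the -eq comparison below is case-insensitive anyway.
$expected = @{
    'Jaybird-3.0.4-JDK_1.7.zip' = 'FDBE76C72C21001520BAE8E926F9FDAA227F1B7918660A71283D5D9B0E4E463F'
    'Jaybird-3.0.4-JDK_1.8.zip' = '86D2C6BB28DE93A8D239A3EC49BF1ED9A29082AC17C899FD801A063C270ADD2A'
}

foreach ($name in $expected.Keys) {
    $path = Join-Path $downloadDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # "File not found" is exactly what you see once Defender has quarantined it.
        Write-Warning "$name not found under $downloadDir (quarantined, or saved elsewhere?)"
        continue
    }
    $actual = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    if ($actual -eq $expected[$name]) {
        Write-Output "OK       $name  $actual"
    } else {
        # A mismatch means the bytes on disk are not the published build: do not unpack it.
        Write-Warning "MISMATCH $name  got $actual, expected $($expected[$name])"
    }
}

# Which signature version made the call, and what did Defender record for these files?
# (Defender PowerShell module; present on Windows 10.)
Write-Output "Defender signatures: $((Get-MpComputerStatus).AntivirusSignatureVersion)"
Get-MpThreat | Where-Object { $_.Resources -match 'Jaybird' } |
    Select-Object ThreatName, IsActive, Resources

# Quarantine lives outside the normal file system and is managed by MpCmdRun.exe.
# List its contents; then restore one item by its original path (or by threat name).
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Restore -ListAll
# & $mpcmd -Restore -FilePath (Join-Path $downloadDir 'Jaybird-3.0.4-JDK_1.8.zip')
# & $mpcmd -Restore -Name 'Trojan:Java/Tisifi.C'
# After restoring, re-run the hash loop above: a restored file that still matches the
# published hash is a false positive; one that does not was altered on your machine.
```

The hash comparison only tells you that the bytes match what the maintainer published; it says nothing about whether those bytes are benign, which is why the answer also points to independent scanners. Restoring from quarantine without first confirming the hash would defeat the purpose of the check, so keep the two steps in that order.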