-----Original Message----- From: Boost [mailto:boost-bounces@lists.boost.org] On Behalf Of Mateusz Loskot via Boost Sent: 24 May 2018 09:14 To: boost@lists.boost.org Cc: Mateusz Loskot Subject: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?

Hi,

One user reported via #boost at cpplang.slack.com that Windows Defender reported trojan in the latest Windows binaries. I checked myself and I can confirm the latest up-to-date Windows Defender is detecting Vigorf.A in the installer archive.

Is this false report?

I suspect so - Norton regularly accuses my generated binaries of various infections so that I have had to stop it scanning the partition containing Boost (a good reason why a separate partition is a good idea - rather than stuffing it all in C:/boost/... ). We should get it whitelisted, but I doubt if that is practicable. Paul --- Paul A. Bristow Prizet Farmhouse Kendal UK LA8 8AB +44 (0) 1539 561830

On Thu, May 24, 2018 at 3:14 AM, Mateusz Loskot via Boost < boost@lists.boost.org> wrote:

Hi,

One user reported via #boost at cpplang.slack.com that Windows Defender reported trojan in the latest Windows binaries. I checked myself and I can confirm the latest up-to-date Windows Defender is detecting Vigorf.A in the installer archive.

Is this false report?

Best regards, -- Mateusz Loskot, http://mateusz.loskot.net

Can you check the SHA-256 of the exe matches the one published and signed? I believe it should be: 402d07022fe9671e401efc4e90a1ff25e1bc9e1c23b3d8b1c65e4a2e6799abfc boost_1_67_0-msvc-14.1-64.exe But the real way to check, is to download SHA256SUMS.asc [1], verify the signature (it is signed by myself, "Thomas Kent "), then use the verified SHA-256 checksum to ensure that the file hasn't been modified on the server. I had a pretty good chain of control from when the hash was computed until it was signed, but it is possible some malicious hacker had infected my system and modified the binaries in the few minutes before I ran the has on them....though I find that to be an *extremely* remote possibility. None the less, I think I'll update my build process to generate the hashes on the machine (a clean VM created each time a build is run) that does the build. I just need to get the sha tools onto windows. Tom