NASM virus issues.

[David Harris]

I normally compile OpenSSL with "no-asm", but this time I thought I'd try 
installing NASM and seeing what difference, if any, it actually made.

I downloaded NASM from the official site (which I believe to be 
http://www.nasm.us) and, as I always do with anything I source from outside my 
firewall, ran it through virustotal (https://www.virustotal.com/gui/home/upload).

It reports 11 different scanners out of 72 finding malware in the file 
(nasm-2.15.01-installer-x86.exe). Now, one or two reports from Virustotal is 
normal - there are so many scanners out there that there are bound to be 
occasional false-positives... But 11 is more than I have ever seen on something 
that supposedly wasn't infected. Interestingly, VirusTotal did not have cached 
results for this file, meaning that nobody else has tested it in the last month or 
so.

Google didn't reveal any insight, and the NASM project doesn't have any contact 
options that don't involve registration or mailing lists or I'd report this to them. 
There is no mention of anything like this in their forum.

11 reports is too many for me to feel safe using this product, so for now I'll keep 
using no-asm, and hope that it's not going to get more deprecated than it 
apparently is at present (based on the comments in INSTALL).

If anyone on the list has a NASM account or knows any of the maintainers, 
could they pass this on? They really should be aware of it.

Cheers!

-- David --