NASM virus issues.
Tomas Mraz
tmraz at redhat.com
Mon Jun 29 06:41:12 UTC 2020
On Sun, 2020-06-28 at 15:12 +1200, David Harris wrote:
> I normally compile OpenSSL with "no-asm", but this time I thought I'd try
> installing NASM and seeing what difference, if any, it actually made.
>
> I downloaded NASM from the official site (which I believe to be
> http://www.nasm.us) and, as I always do with anything I source from outside my
> firewall, ran it through virustotal (https://www.virustotal.com/gui/home/upload).
>
> It reports 11 different scanners out of 72 finding malware in the file
> (nasm-2.15.01-installer-x86.exe). Now, one or two reports from Virustotal is
> normal - there are so many scanners out there that there are bound to be
> occasional false-positives... But 11 is more than I have ever seen on something
> that supposedly wasn't infected. Interestingly, VirusTotal did not have cached
> results for this file, meaning that nobody else has tested it in the last month or
> so.
>
> Google didn't reveal any insight, and the NASM project doesn't have any contact
> options that don't involve registration or mailing lists or I'd report this to them.
> There is no mention of anything like this in their forum.
>
> 11 reports is too many for me to feel safe using this product, so for now I'll keep
> using no-asm, and hope that it's not going to get more deprecated than it
> apparently is at present (based on the comments in INSTALL).
>
> If anyone on the list has a NASM account or knows any of the maintainers,
> could they pass this on? They really should be aware of it.
I'd recommend reporting your findings to the NASM bugzilla
http://bugzilla.nasm.us/ or to their forum at
https://forum.nasm.us/
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
More information about the openssl-users mailing list