TrendMicro OfficeScan reports a false positive Trojan for Drupal 6.x

The Drupal security team receives reports of all sorts all the time.

Some of them are false positives by security scanning software.

Today we got a report about a Trojan being detected in Drupal 6.10 and 6.13 by TrendMicro OfficeScan version 10, in the following files:

modules/color/color.install - BQDR_IRCBOT.BZQ
modules/profile/profile-wrapper.tpl.php - TROJ_SWIZZOR.KXV
modules/translation/translation.module - TROJ_FRAUDLO.LL

These files are plain text and valid PHP files.

Long-time security team member Bart Jansens was able to verify that the same software does indeed generate those false positives.

Other visitors to Drupal.org have also reported the same issue. One of them has notified TrendMicro of the issue.

We hope that TrendMicro soon issues an update that fixes this false positive.


Comments

Trend Micro

The scanner reports some more false positives these days. It also reports a Trojan in the latest Adobe Shockwave / Flash player downloads and caused IE7 to crash on our company's website although there is no Flash in use.

Fixed

Fixed, thanks.

No false report for color.install in Drupal 5 files

Hi, I don't think that all messages are false reports.
I've received virus messages as well for all color.install files on my computer. I had various versions of Drupal installation files stored on my hard drive. Every single color.install returned a virus message.
Here's the thing: the color.install files were NOT plain text anymore; when trying to open them in Dreamweaver they showed just cryptic signs.
At the SAME time that TrendMicro had reported the virus, Spydoctor found 2 trojans in my system that I've been trying hard to get rid of (Backdoor.Ciadoor!sd5 and Delf!ct).
I don't think that this is a false report; it should be taken seriously.

I just checked

I just downloaded both Drupal 5.19 and 6.13 and checked the color.install. It is a plain text file with valid PHP in it. So, the tarballs that are on drupal.org are clean.

If these files are infected by some other malware on your PC, Drupal has nothing to do with it. Its files are victims, not the source.
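
The check described in the comment above, as an added example (not code from Drupal or its security team): hash each flagged file against the same path in the release tarball downloaded from drupal.org and, where they differ, test whether the local copy is still plain text. The function names, verdict labels and the `demo()` sample data are assumptions constructed for illustration.

```python
import hashlib, tarfile, tempfile
from pathlib import Path

# Paths named in the report above, relative to the Drupal root.
FLAGGED = ["modules/color/color.install",
           "modules/profile/profile-wrapper.tpl.php",
           "modules/translation/translation.module"]

def looks_like_text(data: bytes) -> bool:
    """Plain-text heuristic: valid UTF-8 with no NUL bytes."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return b"\x00" not in data

def upstream_digests(tarball) -> dict:
    """Map release-relative path -> SHA-256, dropping the top-level directory."""
    with tarfile.open(tarball) as tar:
        return {m.name.split("/", 1)[-1]: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar if m.isfile()}

def triage(site_root, tarball, paths=FLAGGED) -> dict:
    """Classify each flagged file against the pristine release tarball."""
    upstream = upstream_digests(tarball)
    verdicts = {}
    for rel in paths:
        local = Path(site_root) / rel
        if not local.is_file():
            verdicts[rel] = "missing"
        elif hashlib.sha256(local.read_bytes()).hexdigest() == upstream.get(rel):
            verdicts[rel] = "identical-to-release"  # scanner flagged pristine code
        elif looks_like_text(local.read_bytes()):
            verdicts[rel] = "modified-text"         # local change: review the diff
        else:
            verdicts[rel] = "modified-binary"       # no longer plain text
    return verdicts

def demo() -> dict:
    """Constructed sample: a tiny stand-in release and a site with one file overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        for root in ("drupal-6.13", "site"):
            for rel in (FLAGGED[0], FLAGGED[2]):
                (tmp / root / rel).parent.mkdir(parents=True, exist_ok=True)
                (tmp / root / rel).write_bytes(b"<?php\n// constructed sample\n")
        with tarfile.open(tmp / "release.tar.gz", "w:gz") as tar:
            tar.add(tmp / "drupal-6.13", arcname="drupal-6.13")
        (tmp / "site" / FLAGGED[0]).write_bytes(b"\x00\x8f\xfe constructed junk")
        return triage(tmp / "site", tmp / "release.tar.gz")
```

A verdict of `identical-to-release` means the scanner is flagging the same bytes that drupal.org ships; `modified-binary` means the local copy has been changed into something that is no longer a PHP text file.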

Today I received a new alert.

Yesterday I received an alert on the same files reported in http://drupal.org/node/514448

Today I received a new alert.

File: modules/book/book.admin.inc
Virus: TROJ_SWIZZOR.KVR

File: modules/poll/poll-results.tpl.php
Virus: TROJ_SWIZZOR.KVC

File: modules/upload/upload.module
Virus: TSPY_MMORPG.NP

Drupal version: 6.13 (latest)

Trend Micro

I posted these files to Trend Micro Support a few days ago.
I got a mail from them saying that with CPR 6.278.02 and above, the problem was fixed. I've tested it today and it looks OK for now.

Fake alert

I received a message from OfficeScan regarding Trojan malware. However, performing a scan with "Malwarebytes Anti-Malware", it says no malware is detected. Do you think the message from OfficeScan is a fake alert?