09-11-2018 06:11 AM
We recently changed our antivirus package on campus to a more modern type of antivirus that performs code analysis instead of using virus definitions. By default it will block everything that it thinks looks suspicious and we have to explicitly white list.
One of our professors has ISE 13.1 and the AV has picked up on a DLL, specifically C:\Xilinx\13.1\ISE_DS\PlanAhead\lib\win32.o\librdi_constraints.dll
It gives us a list of reasons why it flagged this file. Basically it detected that the DLL is capable of certain behaviors that COULD be used by malware. These are reasonable behaviors for a DLL in an FPGA development IDE, but we have to perform due diligence and verify that this file indeed is supposed to be capable of those behaviors, and that the SHA256 hash of the file on our system matches a known good hash for that file to ensure that our file was not compromised. Is there a Xilinx presence on this board to give me the answers to those questions so that I can get our IT department to white list the file?
Below is the report from the AV software about the file:
This object is a DLL with a nontrivial (critical) entry point. Entry points are common among DLLs, but a malicious DLL may use its entry point to place itself inside a process. An entry point is where control goes from the operating system to the program, at which point the program is executed.
This object imports functions that are used to gather information about the current operating system. Malware uses this to better tailor further attacks (to take advantage of OS exploits) and to report information back to a controller.
This object imports functions that can be used to determine details about the processor (CPU). Malware uses this information to tailor attacks and send data collected to a common Command and Control (C&C) infrastructure (exfiltrate data). An example of processor information is whether or not the CPU supports 64-bit operating systems; 64-bit operating systems provide more security measures than 32-bit versions.
This object seems to be looking for common protection systems (like anti-virus or anti-malware programs). Malware does this to initiate anti-protection actions tailored to the protection system installed on the device.
This object imports functions that would allow it to act like a debugging program (debugger). A debugger is used to test other software for problems in the program, which include stopping the program being tested and changing the way it operates. However, these same functions can also be used for malicious purposes, like reading sensitive information from other processes running on the system, or tampering with software (as in the case of a software cracking tool to evade copyright protection).
This object imports functions that can be used to stop a running process. Malware uses this to attempt to remove protection systems, or to cause damage to a running system.
This object contains a version of OpenSSL that is compiled to be stealthy. OpenSSL is a cryptographic library and is used for secure communication, typically with web servers. Malware will do this to include cryptography functionality without appearing suspicious.
09-14-2018 01:21 AM
Back then with ISE 13.x we had something similar reported, where a couple of files from the installer were being reported as malware. Back then we worked with AV and other antivirus providers to get this/these files into the safe list.
Therefore, since ISE 13.1 is an older version of ISE that is no longer supported, can you please try using our latest supported ISE version, 14.7, and then see if AV reports/detects the same file as malware?
09-24-2018 05:35 AM
I checked with the faculty member that uses ISE and she does need specifically 13.1 in order to ensure compatibility with the researchers at another site that refuse to upgrade.
I am working with my IT department and the AV provider to get the file added to the safe list. Knowing how to add it to the safe list isn't the issue. Before they add it to the safe list, they want verification from Xilinx of the proper SHA256 hash for a known, non-corrupted version of the file so that we know the file hasn't been corrupted or altered. Our AV software will check against that hash.
The reason they want this is because the AV is flagging that file as "PUP-Corrupt", which has been a rare flag indicating that the AV thinks this file was modified in some way. The install on this machine was fresh from a download from your website.
Can you send me the SHA256 hash for a copy of that file that you know for sure is good?
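The verification the IT department is describing (hash the local file, compare it with the vendor's known-good SHA-256, and treat any difference as possible corruption) written out as an added Python example; this is not code from the thread or from Xilinx. The vendor hash is a placeholder, the sample "DLL" bytes are constructed so the check runs offline, and the function names are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# File the AV flagged (from the thread) and the hash the vendor would publish for it.
# VENDOR_SHA256 is a PLACEHOLDER: the real value is what the thread is asking Xilinx for.
FLAGGED_DLL = r"C:\Xilinx\13.1\ISE_DS\PlanAhead\lib\win32.o\librdi_constraints.dll"
VENDOR_SHA256 = "<sha256 published by Xilinx for librdi_constraints.dll>"

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a large DLL is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_against_known_good(path, expected_hex):
    """Return 'match', 'mismatch' or 'bad-expected-hash'.

    The expected value is normalised (vendors often paste it upper-case or with
    surrounding whitespace) and compared in constant time.
    """
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return "bad-expected-hash"
    actual = sha256_of_file(path)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"

# Constructed stand-in for the DLL; SAMPLE_SHA256 plays the vendor's known-good hash
# for this sample only. A tampered copy differs in a single byte, which is enough
# to turn the verdict into 'mismatch' (the "modified in some way" case).
SAMPLE_BYTES = b"MZ" + bytes(range(256)) * 16
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()

def write_sample_file(directory=None, tamper=False):
    """Write the constructed sample (optionally with one flipped byte) and return its path."""
    data = bytearray(SAMPLE_BYTES)
    if tamper:
        data[100] ^= 0x01
    target = Path(directory or tempfile.mkdtemp()) / "librdi_constraints_sample.dll"
    target.write_bytes(bytes(data))
    return target

if __name__ == "__main__":
    print("untouched sample:", verify_against_known_good(write_sample_file(), SAMPLE_SHA256))
    print("tampered sample: ", verify_against_known_good(write_sample_file(tamper=True), SAMPLE_SHA256))
    # With the real vendor hash in hand, the live check is:
    # print(verify_against_known_good(FLAGGED_DLL, VENDOR_SHA256))
```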