Upgrade to 3.x - Hydra nuget package has virus

Scott_Carter · 1 October 2015 16:10

http://docs.octopusdeploy.com/pages/viewpage.action?pageId=3048133

When I try to download:
https://s3-eu-west-1.amazonaws.com/octopus-downloads/hydra/OctopusDeploy.Hydra.3.0.10.268.nupkg

My virus program lets me know this is no good, and contains a virus:
Realtime scan result:
time: 10/01/15 10:06:15, virus found: W32/Eldorado.6D29!tr, action: Failed to quarantine, c:\downloads\octopusdeploy.hydra.3.0.10.268.nupkg.crdownload

Damian_Brady · 2 October 2015 00:53

Hi Scott,

Thanks for getting in touch!

Can you let me know what virus program you’re using? It might help me search for some more information.

We haven’t had any other reports of this, but for obviously reasons I definitely want to look into it!

Damo

Scott_Carter · 2 October 2015 14:38

Using FortiClient
Version 5.0.9.347

Engine:
AntiVirus:
5.220
Signatures:
28.104

Damian_Brady · 6 October 2015 04:22

Hi Scott,

Thanks for this information.

I’m not sure what to tell you here. We haven’t had any other reports of a similar virus flag, and I haven’t been able to reproduce this with a virus scanner here. I’ve checked the file as much as I’m able to, and haven’t found anything wrong.

I’m fairly confident FortiClient may be identifying the file as a virus based on a heuristic check. The Hydra package contains an executable that will automatically install an MSI, optionally via a delayed Windows Scheduled Task. I can only guess that FortiClient interprets this as suspicious and has flagged it as such.

Whether you are happy to accept this scan as a false positive will be a decision for you and your security team, however I can say we’re confident there’s no risk in this file.

If you want to flag the package as a false positive, instructions to do so are here.

I hope this helps,
Damo

Scott_Carter · 6 October 2015 14:51

Thanks for responding. I just manually installed the upgrade, glad it checks out.

Cheers.

fxprogrm · 22 December 2015 21:59

It would probably help for Octopus Deploy to provide hashes of all downloadable packages so users can verify from a known good source.

Vanessa_Love · 4 January 2016 06:19

Hi,

We think this is an excellent idea and sometime very soon the website will have the hashes available for all downloads.
I can’t link you to an issue because its not part of our public issues list … but sometimes soon it will just magically appear

Vanessa