A Trojan in mapillary_tools-win32.exe?

Hi
My Windows Defender reports that the file mapillary_tools-win32.exe is infected by Trojan.Win32/Zpevdo.B.
Can anyone confirm? (OS: Windows 10, 32-bit.) (I tried to reinstall Mapillary Desktop Uploader today because it was not working anymore.)
RGDS
F

Two days ago the installer 2.0.3 on VirusTotal had a score of 4; today it is 14 (VirusTotal).
:shushing_face: :japanese_ogre:

mapillary_tools-win32.exe [v0.7.3] - score now 28 VirusTotal

I had the same warning from Defender. Can developers elaborate on this issue?

Same here. I’m not able to upload images anymore.

Version 2.0.2 still available at https://tools.mapillary.com/uploader/mapillary-uploader-2.0.2.exe

This is definitely a false positive detection.

To allow the uploader to run: open Windows Security, go to Virus & threat protection and check the Protection history. You should be able to see it there and choose “Allow” to run the app. I suggest restarting the Desktop Uploader before trying again.

Result of the online scanner for *.exe: Kaspersky Threat Intelligence Portal

Is there a way to prevent the automatic update of desktop uploader to the latest (not working) version?

@mapillary @peter @eneerhut I mean no offense but all of this reads apparently like a bad joke. For goodness sake, just get a proper code signing certificate and sign that thing! :man_facepalming: I guess that things could not get even easier for you than probably having free access to the Facebook intermediate CA to get your certificate. Guys please, just get up to speed!

Thanks for reporting. This is a known issue and we’re working on pushing out an update to the Desktop Uploader to address this.

I was having issues today and got the following after downloading the latest desktop uploader:

Threats found PUA:Win32/Puamson.A!ml

PS - still can't drop images into messages - “Access Denied”

Desktop uploader 2.0.4 is now out and it includes fixes for the antivirus warnings on Windows. Please try it out and let us know if you encounter any more problems

Desktop uploader 2.0.4 is now out and it includes fixes for the antivirus warnings on Windows.

Because this is sort of a public security issue I have taken a peek at it, just out of curiosity. So, I am not sure what you might have possibly done to supposedly “fix antivirus warnings on Windows” but I am pretty sure that this issue is going to resurface sooner or later. In fact, the only way to make sure your software package is not going to get flagged by any (sane) antivirus program (and to protect your precious users) is to sign it. And unfortunately, I still have to report here that the Desktop Uploader on Windows has still not been signed. :disappointed: Not signing your code, releasing it to the public, and then expecting mass adoption is really a “no no” in 2021. This is just so unprofessional! Due to your relatively large user base, you are basically creating a massive public safety and security hazard.

What about mapillary_upload_cli-win32? - Result: 11 (VirusTotal)

If you’re curious about the technical details behind the problem I can share more information about it.

As you have probably guessed from the antivirus messages, the Mapillary tools binary that is bundled with the Desktop Uploader was the one that was identified as a potential virus. As you know, Mapillary tools is a Python library and we build each release with Pyinstaller. It’s a known issue that apps packaged with Pyinstaller are sometimes falsely reported as a virus (Issues · pyinstaller/pyinstaller · GitHub), but we never encountered that problem until the version that we used in Desktop Uploader 2.0.3. The fix was relatively straightforward: we built new versions of the bootloaders for Pyinstaller so we can build a clean version that doesn’t cause any false-positive detections by antivirus software.

Thanks for raising the issue of code signing. We have now also updated how we sign the app, and both the Windows and Mac installers from the desktop uploader page are now signed with up-to-date certificates; the Mac app is also notarized.

Thank you for sharing some additional information.

You have signed the installer only, the application remains unsigned, which is the crux.

./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/Uninstall Mapillary Uploader.exe
Current PE checksum   : 00000000
Calculated PE checksum: 00028384

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/vk_swiftshader.dll
Current PE checksum   : 00000000
Calculated PE checksum: 00E45A32

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/libGLESv2.dll
Current PE checksum   : 00000000
Calculated PE checksum: 0069A7C8

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/libEGL.dll
Current PE checksum   : 00000000
Calculated PE checksum: 0005B747

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/ffmpeg.dll
Current PE checksum   : 00000000
Calculated PE checksum: 0021BDA3

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/d3dcompiler_47.dll
Current PE checksum   : 0038D4A3
Calculated PE checksum: 0038D4A3

Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA256
Current message digest    : F8A4F1E6120D60E8C8CE7B46F3AB7391B79B8F3F501B87084DDF9BDD6D4667A1
Calculated message digest : F8A4F1E6120D60E8C8CE7B46F3AB7391B79B8F3F501B87084DDF9BDD6D4667A1

Signer's certificate:
	Signer #0:
		Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
		Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
		Serial : 3300000239B2B4E82A2234492F000000000239
		Certificate expiration date:
			notBefore : Jul 12 20:07:51 2018 GMT
			notAfter : Aug  8 20:07:51 2019 GMT

Number of certificates: 2
	Signer #0:
		Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
		Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
		Serial : 3300000239B2B4E82A2234492F000000000239
		Certificate expiration date:
			notBefore : Jul 12 20:07:51 2018 GMT
			notAfter : Aug  8 20:07:51 2019 GMT
	------------------
	Signer #1:
		Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
		Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
		Serial : 610C524C000000000003
		Certificate expiration date:
			notBefore : Jul  6 20:40:17 2010 GMT
			notAfter : Jul  6 20:50:17 2025 GMT

The signature is timestamped: Mar 19 00:43:35 2019 GMT
Hash Algorithm: sha256
Timestamp Verified by:
		Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
		Serial : 33000000F6ACCF762A73749ADA0000000000F6

CAfile: /etc/pki/tls/certs/ca-bundle.crt
TSA's certificates file: /etc/pki/tls/certs/ca-bundle.crt
CRL distribution point: http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl

CMS_verify error
140737333416384:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:crypto/cms/cms_smime.c:252:Verify error:unable to get local issuer certificate
Timestamp Server Signature verification: failed

PKCS7_verify error
140737333416384:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:284:Verify error:unable to get local issuer certificate
Signature verification: failed

Number of verified signatures: 1
Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/Mapillary Uploader.exe
Current PE checksum   : 00000000
Calculated PE checksum: 05640DFD

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/swiftshader/libGLESv2.dll
Current PE checksum   : 00000000
Calculated PE checksum: 002E6E4E

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/swiftshader/libEGL.dll
Current PE checksum   : 00000000
Calculated PE checksum: 0005D701

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/resources/elevate.exe
Current PE checksum   : 00000000
Calculated PE checksum: 000225BC

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/app-32/resources/static/mapillary_upload_cli-win32.exe
Current PE checksum   : 00807D87
Calculated PE checksum: 00807D86    MISMATCH!!!

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/WinShell.dll
Current PE checksum   : 00000000
Calculated PE checksum: 0000DD27

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/nsis7z.dll
Current PE checksum   : 00000000
Calculated PE checksum: 0007611E

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/nsExec.dll
Current PE checksum   : 00000000
Calculated PE checksum: 0000778C

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/nsProcess.dll
Current PE checksum   : 0000D6D9
Calculated PE checksum: 0000D6D9

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/SpiderBanner.dll
Current PE checksum   : 00000000
Calculated PE checksum: 00011DAB

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/StdUtils.dll
Current PE checksum   : 00022B82
Calculated PE checksum: 00022B82

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw/$PLUGINSDIR/System.dll
Current PE checksum   : 00000000
Calculated PE checksum: 0000E5C7

No signature found

Failed
./An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw.exe
Current PE checksum   : 03E3BC0D
Calculated PE checksum: 03E3BC0D

Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA1
Current message digest    : B828149C1EA79DABBBE700AFB7C9E0D7D82559F2
Calculated message digest : B828149C1EA79DABBBE700AFB7C9E0D7D82559F2

Signer's certificate:
	Signer #0:
		Subject: /C=SE/ST=Sk\xC3\xA5ne/L=Malm\xC3\xB6/O=Mapillary AB/CN=Mapillary AB
		Issuer : /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
		Serial : B481729251F933B5
		Certificate expiration date:
			notBefore : Nov 19 16:45:01 2018 GMT
			notAfter : Nov 19 16:45:01 2021 GMT

Number of certificates: 2
	Signer #0:
		Subject: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
		Issuer : /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
		Serial : 07
		Certificate expiration date:
			notBefore : May  3 07:00:00 2011 GMT
			notAfter : May  3 07:00:00 2031 GMT
	------------------
	Signer #1:
		Subject: /C=SE/ST=Sk\xC3\xA5ne/L=Malm\xC3\xB6/O=Mapillary AB/CN=Mapillary AB
		Issuer : /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
		Serial : B481729251F933B5
		Certificate expiration date:
			notBefore : Nov 19 16:45:01 2018 GMT
			notAfter : Nov 19 16:45:01 2021 GMT

CAfile: /etc/pki/tls/certs/ca-bundle.crt
TSA's certificates file: /etc/pki/tls/certs/ca-bundle.crt
CRL distribution point: http://crl.godaddy.com/gdig2s5-4.crl

Timestamp is not available

Signature verification: ok

Number of verified signatures: 1
Succeeded

As you can see above, the only file you have signed is the installer package An_la_-H8EtOu5wwOlYqafW0B88tol5u2aN_ameKyXEZUmqNvywDqtPDEj8Am-8uIHv8BE7hJsFsC0uLGMBL0dzgKeVNCzS1zoHplhjNoAaB8RVg88E1Oi8FzBqyeIw.exe—which in itself has a suspicious-looking file name. You probably want to change it to a more reasonable name first. Then, you have to sign all executables, libraries, and dependencies in your package as well, otherwise this whole exercise is futile. Although signing your executables only, like Mapillary Uploader.exe and mapillary_upload_cli-win32.exe, should suffice in most cases, it is not recommended because they may launch other unsigned executables. Every time an executable is launched it involves the system’s binary program loader and any antivirus program. So, you usually want your dependency executables to also signal to the OS and antivirus that they can be trusted. The only dependency that is signed here is d3dcompiler_47.dll. You do not need to add your signature to already signed and verified files. You can, but you do not need to.

You also want to timestamp your signature so that when any of the code signing certificates in the trust chain expires people are still going to be able to safely use your software package and application. Usually, your CA offers this service for free. If you do not like your CA’s timestamp service you can also use a third party timestamping CA that is trusted by a root CA, often also for free.

Finally, please use SHA256 digests and signatures. If you really want to cater to pre-Windows XP SP 3 users then sign your code and signatures using both SHA1 and SHA256 digest algorithms.

A sane antivirus program computes a threat score per file from various sources. The antivirus program trips a warning or quarantine action when that threat score goes above a certain threshold. So, when your executable or library is signed and the verification process checks out then the initial threat score is going to be either 0 or very low. Even if a verified executable or library purposely or unwillingly misbehaves by for example suspiciously tinkering with system files or folders (I am assuming that this is something pyinstall probably might do on Windows) it will probably not trip the antivirus program because the threat score will remain below the threshold for action.

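The two things the osslsigncode listing above reports per file, the stored versus recomputed PE header checksum and whether an Authenticode signature is present at all, can be checked with nothing but the Python standard library. The following is an added example written for this thread, not code from Mapillary or from osslsigncode; it parses the PE headers directly, recomputes the checksum with the documented 16-bit word sum, and looks at the IMAGE_DIRECTORY_ENTRY_SECURITY slot. The header-only PE32 image it builds is a constructed sample (no sections, no code, a made-up security directory entry), so the tool can be run offline; on a real file, pass the bytes of the file to `inspect_pe`.

```python
"""Added example (not from the original thread): checksum and signature-presence
check for a PE file, mirroring the per-file lines in the osslsigncode log."""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the PE header checksum: sum all 16-bit words with end-around
    carry, treating the 4-byte CheckSum field at `checksum_offset` as zero,
    then add the original file length."""
    length = len(data)
    if length % 2:
        data += b"\x00"  # odd length: pad the final word
    total = 0
    for off in range(0, len(data), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue  # skip the CheckSum field itself
        total += struct.unpack_from("<H", data, off)[0]
        total = (total >> 16) + (total & 0xFFFF)
    total = (total >> 16) + (total & 0xFFFF)
    return (total & 0xFFFF) + length


def _optional_header_offset(data: bytes) -> int:
    """Validate the MZ and PE magics and return the optional header offset."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20  # "PE\0\0" + IMAGE_FILE_HEADER


def inspect_pe(data: bytes) -> dict:
    """Return stored/computed checksum and whether a certificate table exists."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs_off = opt + 96
    elif magic == PE32PLUS_MAGIC:
        dirs_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    checksum_off = opt + 64  # CheckSum sits at +64 in both PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    return {
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_matches": stored == computed,
        "has_signature": sec_off != 0 and sec_size != 0,
    }


def fix_checksum(data: bytes) -> bytes:
    """Write the recomputed checksum into the header (what a linker or signing
    tool normally does); the field is skipped by the sum, so it stays stable."""
    buf = bytearray(data)
    checksum_off = _optional_header_offset(data) + 64
    struct.pack_into("<I", buf, checksum_off, pe_checksum(data, checksum_off))
    return bytes(buf)


def report(name: str, data: bytes) -> str:
    """Format one file the way the log in this thread does. A stored checksum
    of 0 means 'never set'; only a set-but-wrong value is flagged as MISMATCH."""
    info = inspect_pe(data)
    flag = ""
    if info["stored_checksum"] != 0 and not info["checksum_matches"]:
        flag = "    MISMATCH!!!"
    return "\n".join([
        name,
        f"Current PE checksum   : {info['stored_checksum']:08X}",
        f"Calculated PE checksum: {info['computed_checksum']:08X}{flag}",
        "Signature present" if info["has_signature"] else "No signature found",
    ])


def build_minimal_pe(*, checksum: int = 0, signed: bool = False) -> bytes:
    """Constructed sample: a header-only PE32 image (no sections, no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 64, checksum)
    if signed:
        # Made-up certificate table entry (file offset, size); a real one points at a WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, 0x1000, 0x2000)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    print(report("constructed-unsigned.exe", build_minimal_pe()))
    print(report("constructed-badsum.exe", build_minimal_pe(checksum=1)))
    print(report("constructed-signed.exe", fix_checksum(build_minimal_pe(signed=True))))
```

Note that a non-zero security directory only tells you a certificate table is attached; it says nothing about whether the signature validates, which is the chain check osslsigncode performs in the log above. A stored checksum of 00000000, as on most of the listed DLLs, is the normal state for a binary that was never run through a signing or linking step that sets it, whereas a set-but-wrong value (the mapillary_upload_cli-win32.exe line) indicates the file was modified after the checksum was written.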
Oh, there is one last thing I should mention. You probably want to migrate your packaging for Windows to MSIX and I would strongly advise you to do so (don’t even try looking into MSI, the Windows Installer, because although it is well integrated into Windows, it is a deep rabbit hole). I have been packaging software for many systems for many years now, and for Windows even longer. So, imho MSIX is actually great, not perfect but like 99% perfect. I wish Microsoft had moved to a sane packaging and installer infrastructure years earlier but, as they say, “better late than never”. MSIX is really easy to use for all stakeholders including developers, admins, and users. The only downside to it is that it is only a “first class citizen” since Windows 10. On systems before Windows 10 users or admins have to install the MSIX runtime manually before they can install MSIX packages, and even then the MSIX runtime lacks some features on those systems (but none of which are crucial for the Desktop Uploader). MSIX is basically a superset of appx, which is available since Windows 8. You can also create a combined appx and MSIX package and it works fine, so that you should be able to also serve users on older systems since Windows 8 (directly) with just one package. Windows 7 and earlier users would not be left out either, but they would have to install the MSIX runtime manually first. If you would like, I can set up a skeleton MSIX packaging repository for you so that it should be fairly easy for you to integrate it into your build process.

@GITNE,
Thank you, I’m no expert, but from what I picked up over the years this seems to me the first really helpful post in the installer saga.
Met vriendelijke groet, (Dutch for ‘with friendly greeting’),

Thanks for the detailed analysis and advice!

We just released version 2.0.5 which now has all executables double-signed.

For the installer, we are using NSIS as this is supported by our Electron build tools right now. Will make sure to migrate to MSIX as soon as we can.

I do not want to be moaning and complaining too much, but I would guess that many in the Linux community would like to see, and even prefer to use, a Flatpak package of the Desktop Uploader over the current AppImage package. Please do not get me wrong; I do fully understand the simplicity behind it and the reduced complexity that AppImage provides for you. However, imho AppImage has two huge disadvantages over Flatpak, which are desktop integration and automatic updates. There is basically no elegant way to include these two key features in an AppImage. AppImage’s primary use case and greatest feature (to go for) is when you need to run an application from portable storage/removable media (on different machines and distros). Besides, from an admin’s perspective, I personally find it quite cumbersome to inspect the contents of an AppImage before actually running it.

Flatpak is quite similar in many concepts to MSIX and vice versa. With Flatpak you would be able to cover basically all Linux distros, have desktop integration, automatic updates, and would not even need to manage your private repo if you would host the Desktop Uploader on Flathub.
I must admit that I have been quite reluctant to use Flatpak myself for the past couple of years but I am under the impression that it has finally matured to a point where it is usable and stable enough for everyday use.