Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

Ryan Schmidt ryandesign at macports.org
Fri Sep 4 17:51:22 PDT 2015


On Sep 4, 2015, at 5:27 PM, Brandon Allbery wrote:

> Others have reported this. Unfortunately, there is no guarantee that some random chunk of code or data won't hash to the same value as a virus; it's statistically unlikely, but over time the probability of a false positive will tend toward unity. And in fact false positives are rare but known to happen, as one would expect.

The whole point of hash algorithms is to provide something very close to that guarantee. Some hash algorithms are broken, so they can no longer provide that guarantee; md5 is an example of a broken hash algorithm. Tools exist to let you craft two different files that hash to the same md5 sum. But newer algorithms like sha256 and rmd160 are not yet broken and still provide sufficiently strong assurances that if the hash of a file is the expected value, then the contents of the file are the expected contents as well. That's why we use sha256 and rmd160 checksums to verify the integrity of the files MacPorts ports download.

I assume the Sophos claim of iPh/WireLurk-G in zlib is a false positive and refer concerned users to Sophos.
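The checksum verification described in the message above, as an added example that is not part of the original post and is not MacPorts' own code. The Portfile-style `checksums` stanza layout, the function names and the sample data are assumptions made for illustration; the digests are the published test vectors for the input `abc`.

```python
import hashlib
import hmac

# The page's "rmd160" is RIPEMD-160, which hashlib calls "ripemd160".
HASHLIB_NAMES = {"rmd160": "ripemd160", "sha256": "sha256"}

# Constructed sample: the stanza below holds the published test-vector
# digests of the 3-byte input b"abc", standing in for a real distfile.
SAMPLE_DISTFILE = b"abc"
SAMPLE_STANZA = """
checksums           rmd160  8eb208f7e05d987a9b044a8e98c6b087f15a0bfc \\
                    sha256  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

def parse_checksums(stanza):
    """Return {algorithm: expected_hex} from a Portfile-style stanza."""
    tokens = stanza.replace("\\", " ").split()
    if not tokens or tokens[0] != "checksums":
        raise ValueError("not a checksums stanza")
    pairs = tokens[1:]
    if len(pairs) % 2:
        raise ValueError("algorithm without a digest")
    return {pairs[i]: pairs[i + 1].lower() for i in range(0, len(pairs), 2)}

def verify(data, expected):
    """Check data against every listed digest; return (verified, details)."""
    details = {}
    for algo, want in expected.items():
        try:
            h = hashlib.new(HASHLIB_NAMES[algo], data)
        except (KeyError, ValueError):
            # Unknown algorithm, or one this OpenSSL build does not offer.
            details[algo] = "unavailable"
            continue
        ok = hmac.compare_digest(h.hexdigest(), want)
        details[algo] = "ok" if ok else "mismatch"
    results = details.values()
    # Verified only if at least one digest was checked and none disagreed.
    verified = "ok" in results and "mismatch" not in results
    return verified, details

if __name__ == "__main__":
    expected = parse_checksums(SAMPLE_STANZA)
    print(verify(SAMPLE_DISTFILE, expected))          # unmodified file
    print(verify(SAMPLE_DISTFILE + b"\n", expected))  # one byte appended
```

On systems whose OpenSSL build no longer offers RIPEMD-160, the `rmd160` entry is reported as `unavailable` and the result rests on the SHA-256 comparison alone.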


