Analysis of the goport.exe that comes with Couchbase Server in c:\Program Files\Couchbase\Server\bin indicates that it is a piece of Malware.
It is also picked up by Nessus as Malware too:
941F6664D8A36A213922E8EF0D6601DE matches a known malware md5sum.
File path : c:\program files\couchbase\server\bin\goport.exe
Associated PID(s) during check : 28760,34252,35852,36824
The following are some of the tested AntiVirus products that consider this executable to be malware:
Number of AVs reporting malware : 5
Number of AVs tested : 24
For more information visit https://malwaredb.nessus.org/malware/bf1e37cacf87d7e7503497f503fe4fe9
Can anyone explain to me what GOPORT.EXE does, as the Information Security department at my company are concerned about having potentially malicious software installed on production servers?
Thanks in advance.
Thanks for letting us know, Martin. I’ve filed MB-16874 to track this.
I assume this was with the 4.0 download, correct?
Yes, it is the 4.0 software.
Thanks for the reply.
Can you please confirm which antivirus is used as standard in your company?
Kaspersky Lab has confirmed to us that this is a false positive, and will be corrected in their next virus definition update of their product.
Product Management, Couchbase Server
Our AV scan didn’t pick this up but our vulnerability scanner did. I submitted the file to VirusTotal for analysis and it gave me 8 products that detected this as Crypto malware.
I have just got the same detection from F-Secure.
It identifies goport.exe as Trojan.Generic.15327307, and quarantines the file (breaking Couchbase).
I submitted the file goport.exe to F-Secure for analysis.
They found it clean and will update their database.
F-Secure: 00648964 couchbase server bin/goport.exe [ ref:_00Db0JXpV._500b0VI5AN:ref ]
Thank you, Oliver, for your help verifying it with F-Secure.
I wonder if there is a common place to report it across antivirus scanners. Otherwise, this will be on a case-by-case basis with each scanner product.
PM, Couchbase Server