ISE 13.1防病毒标记librdi_contraints.dll

我们最近将校园中的防病毒软件包更改为更现代的防病毒软件，执行代码分析而不是使用病毒定义。
默认情况下，它会阻止它认为可疑的所有内容，我们必须明确列出白名单。
我们的一位教授有ISE 13.1而且AV已经获得了一个DLL，特别是C： Xilinx  13.1  ISE_DS  PlanAhead  lib  win32.o  librdi_constraints.dll
它为我们提供了标记此文件的原因列表。
基本上它检测到DLL能够执行恶意软件可能使用的某些行为。
这些是FPGA开发IDE中DLL的合理行为，但是我们必须执行尽职调查并验证该文件确实应该具备这些行为，并且我们系统上的文件的SHA256哈希与已知的好处相匹配
该文件的哈希值，以确保我们的文件没有受到损害。
是否有Xilinx在此主板上的存在，以便为我提供这些问题的答案，以便我可以让我们的IT部门将文件列入白名单？
以下是AV软件关于该文件的报告：
C：赛灵思 13.1  ISE_DS 的PlanAhead  LIB  win32.o  librdi_constraints.dll
此对象是具有非平凡（关键）入口点的DLL。
入口点在DLL中很常见，但恶意DLL可能会使用其入口点将自身置于进程中。
入口点是控制从操作系统进入程序的位置，此时程序被执行。
此对象导入用于收集有关当前操作系统的信息的函数。
恶意软件使用它来更好地定制进一步的攻击（利用操作系统漏洞利用）并将信息报告给控制器。
此对象导入可用于确定有关处理器（CPU）的详细信息的函数。
恶意软件使用此信息来定制攻击并将收集的数据发送到公共命令和控制（C＆amp; C）基础结构（exfiltrate数据）。
处理器信息的一个示例是CPU是否支持64位操作系统;
64位操作系统提供比32位版本更多的安全措施。
这个对象似乎在寻找常见的保护系统（如防病毒或反恶意软件程序）。
恶意软件执行此操作以启动针对安装在设备上的保护系统定制的防保护操作。
该对象导入的函数允许它像调试程序（调试器）一样工作。
调试器用于测试其他软件程序中的问题，包括停止正在测试的程序并改变其运行方式。
但是，这些相同的功能也可用于恶意目的，例如从系统上运行的其他进程读取敏感信息，或篡改软件（如软件破解工具以逃避版权保护）。
此对象导入可用于停止正在运行的进程的函数。
恶意软件使用此方法尝试删除保护系统，或者对正在运行的系统造成损害。
此对象包含一个被编译为隐身的OpenSSL版本。
OpenSSL是一个加密库，用于安全通信，通常用于Web服务器。
恶意软件将这样做包括crytopgraphy功能，而不会出现可疑。



以下为原文

We recently changed our antivirus package on campus to a more modern type of antivirus that performs code analysis instead of using virus definitions. By default it will block everything that it thinks looks suspicious and we have to explicitly white list.

One of our professors has ISE 13.1 and the AV has picked up on a DLL, specifically  C:Xilinx13.1ISE_DSPlanAheadlibwin32.olibrdi_constraints.dll

It gives us a list of reasons why it flagged this file. Basically it detected that the DLL is capable of certain behaviors that COULD be used by malware. These are reasonable behaviors for a DLL in an FPGA development IDE, but we have to perform due diligence and verify that this file indeed is supposed to be capable of those behaviors, and that the SHA256 hash of the file on our system matches a known good hash for that file to ensure that our file was not compromised. Is there a Xilinx presence on this board to give me the answers to those questions so that I can get our IT department to white list the file?

Below is the report from the AV software about the file:

C:Xilinx13.1ISE_DSPlanAheadlibwin32.olibrdi_constraints.dll

This object is a DLL with a nontrivial (critical) entry point. Entry points are common among DLLs, but a malicious DLL may use its entry point to place itself inside a process. An entry point is where control goes from the operating system to the program, at which point the program is executed.

This object imports functions that are used to gather information about the current operating system. Malware uses this to better tailor further attacks (to take advantage of OS exploits) and to report information back to a controller.
This object imports functions that can be used to determine details about the processor (CPU). Malware uses this information to tailor attacks and send data collected to a common Command and Control (C&C) infrastructure (exfiltrate data). An example of processor information is whether or not the CPU supports 64-bit operating systems; 64-bit operating systems provide more security measures than 32-bit versions.
This object seems to be looking for common protection systems (like anti-virus or anti-malware programs). Malware does this to initiate anti-protection actions tailored to the protection system installed on the device.
This object imports functions that would allow it to act like a debugging program (debugger). A debugger is used to test other software for problems in the program, which include stopping the program being tested and changing the way it operates. However, these same functions can also to be used for malicious purposes, like reading sensitive information from other processes running on the system, or tampering with software (as in the case of a software cracking tool to evade copyright protection).

This object imports functions that can be used to stop a running process. Malware uses this to attempt to remove protection systems, or to cause damage to a running system.

This object contains a version of OpenSSL that is compiled to be stealthy. OpenSSL is a cryptographic library and is used for secure communication, typically with web servers. Malware will do this to include crytopgraphy functionality without appearing suspicious.