Spigot: is it safe?

Is Spigot safe?

  1. Yes.

  2. No!

  1. Good morning/afternoon,

    I have been using Spigot for a long time, and I noticed a huge performance optimization (Thanks, SpigotMC!). But every time I run a malware scan, I find viruses (as well as malware) in the server's folder.

    The Spigot.jar file is completely secure, but I think that the malware comes from installed plugins! (If it doesn't, tell me in a reply)

    So, can you guys give me some tips on how to avoid malicious plugins (Or something else), and thanks a lot!

    Note: I may have made some language errors in my thread; that's because I often speak French, not English, so please understand.
  2. I highly doubt any scanner is going to be able to scan a Java program, let alone find any real security risks in them. It is probably a garbage antivirus making false positives.
    If you use reputable plugins, there is no threat.
  3. What plugins do you have? As @FlyingLlama said, Java is too high on the ring to be scanned successfully; that's why Java drive-bys used to be so effective. Probably false positives, and anyway, there are almost no malicious plugins out there.
  4. Well first, what is your antivirus/malware program?
  5. New York Police Department? :p
    Inb4 the Answer is Norton360 lmao
    (Norton is Shite for those who don't know)
  7. I use too many plugins, and I always try to verify the source.
    Thanks, @DotRar and @FlyingLlama!

    Kaspersky as an Anti-virus and Malwarebytes Anti-Malware as a malware removal software.

    After reading your posts, I think that I will stop scanning the Spigot folder.
  8. As long as you get your plugins from dev.bukkit.org or spigotmc.org you'll be fine. Kaspersky and MalwareBytes are 2 of the best AV/AM, so they're probably just seeing a load of .jar files that they can't scan and freaking out.
  9. Okay, I'll try not to download any plugins unless they are from those two. One last question: Is Curse safe to download plugins from?

    Thanks for your help! ;)
  10. To your last question: 1. Curse is now owned by Twitch, and 2. yes, yes it is; they just tend to be iffy when working.
  11. As a note, only premium and well-known plugins are checked for malicious code (by the devs/whoever is in charge of premium resources, and the community, respectively).
    If you have any suspicions about another plugin, just ask the local nerd herd to decompile it and prod it with a spork repeatedly.
  12. Even mine does that, and I have WebRoot, one of the best-rated AVs (well, it was at the beginning of the year :p). It picks up any jar files and pokes at me saying "Hey there might be something dangerous about this". That is because some anti-virus programs categorize them as ZIP files; I have no idea why, but they do.
  13. Because a jar is a zip file with the extension changed to ".jar" instead of ".zip". There is absolutely no difference, and you could name it ".corn" just as easily.
  14. Then it would probably be because they have the ability to contain/function as viruses? That's possibly another reason; Panda picked up most of my .JAR, .ZIP, and .EXE files whenever I had them.
  15. McAfee has scanned and quarantined .jar files for years. Such malicious .jar files usually use exploits in the Java runtime. Here's an example:
    https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=3378808 (Click on "Virus Characteristics")
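
Posts 11 and 13 above suggest decompiling a suspicious plugin and point out that a jar is a zip file under another extension. As an added example (not part of the thread), this Python script uses that fact to inventory a plugin jar without loading or running it; the sample jar is constructed in memory, and `triage_jar`, `build_sample_jar` and the `UNUSUAL` extension list are hypothetical names chosen here.

```python
import hashlib
import io
import zipfile

# Entry types a pure-Java server plugin rarely needs; worth a manual look.
UNUSUAL = (".exe", ".dll", ".so", ".dylib", ".bat", ".cmd", ".sh", ".ps1", ".jar")


def build_sample_jar() -> bytes:
    """Constructed sample: a tiny plugin jar built in memory, not a real plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("plugin.yml", "name: DemoPlugin\nversion: 1.0\nmain: com.example.demo.Main\n")
        jar.writestr("com/example/demo/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
        jar.writestr("lib/helper.exe", b"MZ" + b"\x00" * 8)
    return buf.getvalue()


def triage_jar(data: bytes) -> dict:
    """List what a plugin jar contains without loading or running any of it."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "is_zip": False,
              "meta": {}, "main_present": False, "classes": 0, "unusual": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report  # not a ZIP container, so not a loadable jar
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        if "plugin.yml" in names:
            # plugin.yml is the Bukkit/Spigot plugin descriptor; read top-level keys only.
            for line in jar.read("plugin.yml").decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition(":")
                if sep and not line.startswith((" ", "\t", "#")):
                    report["meta"][key.strip()] = value.strip().strip("'\"")
        main = report["meta"].get("main", "")
        report["main_present"] = bool(main) and main.replace(".", "/") + ".class" in names
        for name in names:
            if name.endswith(".class"):
                # Compiled Java classes start with the magic bytes CA FE BA BE.
                with jar.open(name) as fh:
                    if fh.read(4) == b"\xca\xfe\xba\xbe":
                        report["classes"] += 1
            elif name.lower().endswith(UNUSUAL):
                report["unusual"].append(name)
    return report


if __name__ == "__main__":
    for field, value in triage_jar(build_sample_jar()).items():
        print(f"{field}: {value}")
```

To check a downloaded file, pass its bytes to `triage_jar`; an entry in `unusual` or a missing main class is a prompt for manual review, not proof of malware.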
