[FALSE ALARM] Kaspersky Alarming Virus Warning

Post your bug reports here. Include information that helps us to understand and reproduce the bug.
ben8238723
Posts: 8
Joined: Wed Nov 30, 2016 11:46 pm

[FALSE ALARM] Kaspersky Alarming Virus Warning

Post by ben8238723 »

I installed 10.1 update with no problem yesterday afternoon but this morning woke up to these virus notices and a locked down computer which demanded disinfection from:

FCOutDrw.dll Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe/data0083 Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe UDS:DangerousObjectMulti.Generic

You can see how it's reported in VirusTotal here:
https://www.virustotal.com/en/file/f2b5 ... 480601892/

I hope and presume this is a false alarm, but obviously for Kaspersky users this is a problem.
Bhikkhu Pesala
Top Typographer
Top Typographer
Posts: 9873
Joined: Tue Oct 29, 2002 5:28 am
Location: Seven Kings, London UK
Contact:

Re: Kaspersky Alarming Virus Warning

Post by Bhikkhu Pesala »

Yes, of course it's a false alarm. If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.

Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?
My FontsReviews: MainTypeFont CreatorHelpFC15 + MT12.0 @ Win 10 64-bit build 19045.2486
Patrick Schoenbach
Posts: 25
Joined: Sat Feb 06, 2016 2:36 pm

Re: Kaspersky Alarming Virus Warning

Post by Patrick Schoenbach »

Confirmed.
Erwin Denissen
Moderator
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands
Contact:

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

Another customer just forwarded a report from Anti-Virus Lab, Kaspersky Lab HQ:
Thank you for sending a file for analysis to the Anti-Virus Lab.

Kaspersky Anti-Virus has scanned files.

No malware detected in files:
FontCreatorSetup.exe

We will thoroughly analyze files. If the result of the analysis is different from this scan result, you will be notified via email within 5 days.

This is an automatically generated message. Please, do not reply to it.
Erwin Denissen
High-Logic
Proven Font Technology
ben8238723
Posts: 8
Joined: Wed Nov 30, 2016 11:46 pm

Re: Kaspersky Alarming Virus Warning

Post by ben8238723 »

Bhikkhu Pesala wrote:If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.

Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?
FontCreator does still run, and very oddly having the virus scanner delete FCOutDrw.dll fixed a rendering problem I was seeing and reported here. So maybe the font isn't as smooth in preview, but it actually looks right/better, it isn't screwing up when displaying overlapped curves.
Erwin Denissen
Moderator
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands
Contact:

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

ben8238723 wrote:
Bhikkhu Pesala wrote:If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.

Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?
FontCreator does still run, and very oddly having the virus scanner delete FCOutDrw.dll fixed a rendering problem I was seeing and reported here. So maybe the font isn't as smooth in preview, but it actually looks right/better, it isn't screwing up when displaying overlapped curves.
FCOutDrw is a new dynamic linked library (DLL) which is used to draw smooth glyph outlines. If the file is removed, FontCreator will use the old drawing method.

The new method uses the even-odd rule when it comes to determining whether an area is inside or outside while the old method uses the non-zero winding rule.
See: https://en.wikipedia.org/wiki/Nonzero-rule
Erwin Denissen
High-Logic
Proven Font Technology
ben8238723
Posts: 8
Joined: Wed Nov 30, 2016 11:46 pm

Re: Kaspersky Alarming Virus Warning

Post by ben8238723 »

Erwin Denissen wrote:The new method uses the even-odd rule when it comes to determining whether an area is inside or outside while the old method uses the non-zero winding rule.
See: https://en.wikipedia.org/wiki/Nonzero-rule
Thanks for the detailed explanation. Just curious, why would the new method use the even-odd rule? Is it to try to highlight and discourage people leaving curve overlaps in a font or something? Ultimately the fonts seem to render okay either way when used as a font, but maybe it's bad form.
Erwin Denissen
Moderator
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands
Contact:

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

The new method uses the graphical device interface to draw outlines, which should be faster, and is smooth. The downside at the moment is the fact we can't change the fill mode.
oldnewdraw.png
oldnewdraw.png (13.74 KiB) Viewed 9132 times
The first line is drawn with the old method, the second line is the improved one.

The "F" consist of a single contour that is self-intersecting.
Erwin Denissen
High-Logic
Proven Font Technology
KaizenNeko
Posts: 6
Joined: Sat Feb 15, 2014 8:29 pm

Re: Kaspersky Alarming Virus Warning

Post by KaizenNeko »

Bumping this to make a note that Windows Defender is now also flagging and removing it.

Windows 10 Pro
Definitions version: 1.233.1718.0
Erwin Denissen
Moderator
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands
Contact:

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

I've just scanned all files with Windows Defender version 1.233.1724.0 and it didn't find any issues.

What file(s) are flagged on your system?
Erwin Denissen
High-Logic
Proven Font Technology
Leon Gauthier
Posts: 127
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Post by Leon Gauthier »

In Windows 10.1 Pro, Windows Defender just flagged FCOutDrw.dll as a Trojan on my machine ...
More precisely, it said:
"There is a problem [TrojanSpy:Win32/Banker] in [FCOutDrw.dll] You should run a full system scan to fix it." Even now after I removed the file from quarantine.

I am looking for ways to alert Microsoft.
MikeW
Posts: 625
Joined: Mon May 20, 2013 2:51 pm

Re: Kaspersky Alarming Virus Warning

Post by MikeW »

My PC gets scanned everyday by Win Defender. I just did a manual scan on the SysWOW64 folder and there was no issue even though the noted DLL is present. Also Win 10.1 Pro.

Weird.

Mike
Erwin Denissen
Moderator
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands
Contact:

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

Can you send that file to us, so we can compare it with ours?

Or upload it to https://www.virustotal.com/ and let us know the processed url.

We've just uploaded it at:
https://www.virustotal.com/en/file/1e16 ... 481236460/

SHA256: 1e1667da19564b097fc5497d53d40f230640956a452f4833c118d9bf5cbf21fd
File name: FCOutDrw.dll
Detection ratio: 0 / 54
Analysis date: 2016-12-08 22:34:20 UTC
Erwin Denissen
High-Logic
Proven Font Technology
Leon Gauthier
Posts: 127
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Post by Leon Gauthier »

I performed a complete scan with Windows Defender and it listed more items associated with this detected "Trojan":

containerfile:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe
containerfile:C:\Users\Nick\Downloads\FontCreatorSetup.exe
file:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe->(inno#000083)
file:C:\Users\Nick\Downloads\FontCreatorSetup.exe->(inno#000083)

Which I suppose are just the locations of where this dll came from although I do not understand why the setup.exe is in two different places..
Erwin Denissen
Moderator
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands
Contact:

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

Can you upload them to virustotal, or send them to me?

We've just released another maintenance release, so I wonder what Defender has to say about it. On my system it all runs just fine :o
Erwin Denissen
High-Logic
Proven Font Technology
Post Reply