[FALSE ALARM] Kaspersky Alarming Virus Warning

Erwin Denissen
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

So at first Kaspersky did detect Trojan-Banker.Win32.Banbra.vdfk and no other virus scanners complained.
[Attachment: Analysis1.png]
Now I've just re-scanned the same setup file at virustotal, and Kaspersky no longer complains, but these do:
AegisLab Troj.Banker.W32.Banbra!c
Microsoft TrojanSpy:Win32/Banker
Rising Malware.Strealer!8.1EF-6bvIvnloz5H (cloud)
nProtect Banker/W32.Banbra.14582792
[Attachment: Analysis2.png]
I wonder if Kaspersky did provide this information to them, and then didn't notify them about the fact they no longer flag our software?
Erwin Denissen
High-Logic
Proven Font Technology
Leon Gauthier
Posts: 127
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Post by Leon Gauthier »

When I first submitted the file, I got this:
on FontCreatorSetup.exe, Virus Total reported:

This file was last analysed by VirusTotal on 2016-12-06 13:41:11 UTC (2 days, 9 hours ago) it was first analysed by VirusTotal on 2016-11-30 20:32:31 UTC.

Detection ratio: 2/55

You can take a look at the last analysis or analyse it again now.
Results of Virustotal re-submission:
url = https://www.virustotal.com/en/file/f2b5 ... 481238322/

If that url is no good, here is the partial text:
SHA256: f2b5c21f61fc0525950207545bad7df2f172b45561a477ecb4bdaf6965c4b44b
File name: FontCreatorSetup.exe
Detection ratio: 4 / 56
Analysis date: 2016-12-08 23:05:22 UTC ( 0 minutes ago )

Antivirus Result Update
AegisLab Troj.Banker.W32.Banbra!c 20161208
Microsoft TrojanSpy:Win32/Banker 20161208
Rising Malware.Strealer!8.1EF-6bvIvnloz5H (cloud) 20161208
nProtect Banker/W32.Banbra.14582792 20161208
ALYac
Leon Gauthier
Posts: 127
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Post by Leon Gauthier »

Seems odd to me that this pops up here only now. I also scan every day.
I guess I'll just download the latest release and see if that changes anything.
Erwin Denissen
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

Leon Gauthier wrote: When I first submitted the file, I got this:
Well, at least that is exactly the same setup I uploaded.

I've reported this issue, so I hope Microsoft will act soon. I'll keep you updated as soon as I receive a reply.
Erwin Denissen
High-Logic
Proven Font Technology
MikeW
Posts: 625
Joined: Mon May 20, 2013 2:51 pm

Re: Kaspersky Alarming Virus Warning

Post by MikeW »

I just scanned the system and the concerned files directly with Malwarebytes with nothing being detected either.

Mike
Leon Gauthier
Posts: 127
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Post by Leon Gauthier »

Is this your latest maintenance release?
If so, I guess there is no point in me re-installing!
Erwin Denissen
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

No, we released one an hour ago!
Erwin Denissen
High-Logic
Proven Font Technology
KaizenNeko
Posts: 6
Joined: Sat Feb 15, 2014 8:29 pm

Re: Kaspersky Alarming Virus Warning

Post by KaizenNeko »

Erwin Denissen wrote: I've just scanned all files with Windows Defender version 1.233.1724.0 and it didn't find any issues.

What file(s) are flagged on your system?
From the report.
file:C:\WINDOWS\sysWOW64\FCOutDrw.dll
shareddll:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS\\C:\WINDOWS\SysWoW64\FCOutDrw.dll
regkey:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS\\C:\WINDOWS\SysWoW64\FCOutDrw.dll

I don't doubt it's a false positive, but I'll let Windows Defender do its thing to make it happy. I'm in the process of doing a full-scan so I haven't seen it flag the installer as of yet.

I see that Defender now has updated to 1.233.1759.0 but haven't tested to see if it still false-flags FCOutDrw.
Leon Gauthier
Posts: 127
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Post by Leon Gauthier »

FYI:
After scanning again with updated virus and spyware definitions and finding nothing, I instructed Windows Defender to allow the "Trojan" but the dll was deleted anyway upon re-booting. It also removed the registry entry:

HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS\\C:\WINDOWS\SysWOW64\FCOutDrw.dll

So the obvious recourse was to re-install the latest version of FontCreator 10.1.0 build 2257 posted today.
I am scanning now with the latest Virus and Spyware definition versions (1.233.1783.0) which is the third update of those files I saw today.
All clear, nothing found.

I also submitted FontCreatorSetup.exe to VirusTotal and got a clean bill of health:
SHA256: e61636655357d9c48c4cf1f59e2a6db3a03dc01e043c82979f7636213e0456ec
File name: FontCreatorSetup.exe
Detection ratio: 0 / 56
Analysis date: 2016-12-09 06:20:55 UTC ( 1 minute ago )
https://www.virustotal.com/en/file/e616 ... 481264455/
Erwin Denissen
Moderator
Posts: 11108
Joined: Fri Oct 04, 2002 12:41 am
Location: Bilthoven, The Netherlands

Re: Kaspersky Alarming Virus Warning

Post by Erwin Denissen »

We've also performed a full scan last night, and Windows Defender didn't find anything on this development system.

In the meantime it was updated as well, so it now is using version 1.233.1768.0 for both virus and spyware definitions.
Erwin Denissen
High-Logic
Proven Font Technology