So at first Kaspersky did detect Trojan-Banker.Win32.Banbra.vdfk and no other virus scanners complained.
Now I've just re-scanned the same setup file at VirusTotal, and Kaspersky no longer complains, but these do:
AegisLab Troj.Banker.W32.Banbra!c
Microsoft TrojanSpy:Win32/Banker
Rising Malware.Strealer!8.1EF-6bvIvnloz5H (cloud)
nProtect Banker/W32.Banbra.14582792
I wonder if Kaspersky did provide this information to them, and then didn't notify them about the fact they no longer flag our software?
[FALSE ALARM] Kaspersky Alarming Virus Warning
-
- Moderator
- Posts: 11194
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
-
- Posts: 127
- Joined: Thu May 07, 2015 6:07 am
Re: Kaspersky Alarming Virus Warning
When I first submitted the file, I got this:
url = https://www.virustotal.com/en/file/f2b5 ... 481238322/
If that url is no good, here is the partial text:
Results of VirusTotal re-submission: on FontCreatorSetup.exe, VirusTotal reported:
This file was last analysed by VirusTotal on 2016-12-06 13:41:11 UTC (2 days, 9 hours ago) it was first analysed by VirusTotal on 2016-11-30 20:32:31 UTC.
Detection ratio: 2/55
You can take a look at the last analysis or analyse it again now.
url = https://www.virustotal.com/en/file/f2b5 ... 481238322/
If that url is no good, here is the partial text:
SHA256: f2b5c21f61fc0525950207545bad7df2f172b45561a477ecb4bdaf6965c4b44b
File name: FontCreatorSetup.exe
Detection ratio: 4 / 56
Analysis date: 2016-12-08 23:05:22 UTC ( 0 minutes ago )
Antivirus Result Update
AegisLab Troj.Banker.W32.Banbra!c 20161208
Microsoft TrojanSpy:Win32/Banker 20161208
Rising Malware.Strealer!8.1EF-6bvIvnloz5H (cloud) 20161208
nProtect Banker/W32.Banbra.14582792 20161208
ALYac
-
- Posts: 127
- Joined: Thu May 07, 2015 6:07 am
Re: Kaspersky Alarming Virus Warning
Seems odd to me that this pops up here only now. I also scan every day.
I guess I'll just download the latest release and see if that changes anything.
-
- Moderator
- Posts: 11194
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
Re: Kaspersky Alarming Virus Warning
Leon Gauthier wrote: When I first submitted the file, I got this:
Well, at least that is exactly the same setup I uploaded.
I've reported this issue, so I hope Microsoft will act soon. I'll keep you updated as soon as I receive a reply.
Re: Kaspersky Alarming Virus Warning
I just scanned the system and the concerned files directly with Malwarebytes with nothing being detected either.
Mike
-
- Posts: 127
- Joined: Thu May 07, 2015 6:07 am
Re: Kaspersky Alarming Virus Warning
Is this your latest maintenance release?
If so, I guess there is no point in me re-installing!
-
- Moderator
- Posts: 11194
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
Re: Kaspersky Alarming Virus Warning
No, we released one an hour ago!
-
- Posts: 6
- Joined: Sat Feb 15, 2014 8:29 pm
Re: Kaspersky Alarming Virus Warning
Erwin Denissen wrote: I've just scanned all files with Windows Defender version 1.233.1724.0 and it didn't find any issues.
What file(s) are flagged on your system?
From the report.
file:C:\WINDOWS\sysWOW64\FCOutDrw.dll
shareddll:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS\\C:\WINDOWS\SysWoW64\FCOutDrw.dll
regkey:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS\\C:\WINDOWS\SysWoW64\FCOutDrw.dll
I don't doubt it's a false positive, but I'll let Windows Defender do its thing to make it happy. I'm in the process of doing a full scan so I haven't seen it flag the installer as of yet.
I see that Defender now has updated to 1.233.1759.0 but haven't tested to see if it still false-flags FCOutDrw.
-
- Posts: 127
- Joined: Thu May 07, 2015 6:07 am
Re: Kaspersky Alarming Virus Warning
FYI:
After scanning again with updated virus and spyware definitions and finding nothing, I instructed Windows Defender to allow the "Trojan" but the dll was deleted anyway upon re-booting. It also removed the registry entry:
HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS\\C:\WINDOWS\SysWOW64\FCOutDrw.dll
So the obvious recourse was to re-install the latest version of FontCreator 10.1.0 build 2257 posted today.
I am scanning now with the latest Virus and Spyware definition versions (1.233.1783.0) which is the third update of those files I saw today.
All clear, nothing found.
I also submitted FontCreatorSetup.exe to VirusTotal and got a clean bill of health:
SHA256: e61636655357d9c48c4cf1f59e2a6db3a03dc01e043c82979f7636213e0456ec
File name: FontCreatorSetup.exe
Detection ratio: 0 / 56
Analysis date: 2016-12-09 06:20:55 UTC ( 1 minute ago )
https://www.virustotal.com/en/file/e616 ... 481264455/
-
- Moderator
- Posts: 11194
- Joined: Fri Oct 04, 2002 12:41 am
- Location: Bilthoven, The Netherlands
Re: Kaspersky Alarming Virus Warning
We've also performed a full scan last night, and Windows Defender didn't find anything on this development system.
In the meantime it was updated as well, so it now is using version 1.233.1768.0 for both virus and spyware definitions.