[FALSE ALARM] Kaspersky Alarming Virus Warning

Erwin Denissen
Moderator
Posts: 6589
Joined: Fri Oct 04, 2002 12:41 am
Location: De Bilt, The Netherlands

Re: Kaspersky Alarming Virus Warning

Postby Erwin Denissen » Thu Dec 08, 2016 11:10 pm

So at first Kaspersky did detect Trojan-Banker.Win32.Banbra.vdfk and no other virus scanners complained.

[Attachment: Analysis1.png]

Now I've just re-scanned the same setup file at VirusTotal, and Kaspersky no longer complains, but these do:
AegisLab Troj.Banker.W32.Banbra!c
Microsoft TrojanSpy:Win32/Banker
Rising Malware.Strealer!8.1EF-6bvIvnloz5H (cloud)
nProtect Banker/W32.Banbra.14582792

[Attachment: Analysis2.png]

I wonder if Kaspersky did provide this information to them, and then didn't notify them about the fact they no longer flag our software?
Erwin Denissen
High-Logic
Proven Font Technology

Leon Gauthier
Posts: 53
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Postby Leon Gauthier » Thu Dec 08, 2016 11:19 pm

When I first submitted the file, I got this:
On FontCreatorSetup.exe, VirusTotal reported:

This file was last analysed by VirusTotal on 2016-12-06 13:41:11 UTC (2 days, 9 hours ago) it was first analysed by VirusTotal on 2016-11-30 20:32:31 UTC.

Detection ratio: 2/55

You can take a look at the last analysis or analyse it again now.


Results of VirusTotal re-submission:
url = https://www.virustotal.com/en/file/f2b5 ... 481238322/

If that url is no good, here is the partial text:
SHA256: f2b5c21f61fc0525950207545bad7df2f172b45561a477ecb4bdaf6965c4b44b
File name: FontCreatorSetup.exe
Detection ratio: 4 / 56
Analysis date: 2016-12-08 23:05:22 UTC ( 0 minutes ago )

Antivirus Result Update
AegisLab Troj.Banker.W32.Banbra!c 20161208
Microsoft TrojanSpy:Win32/Banker 20161208
Rising Malware.Strealer!8.1EF-6bvIvnloz5H (cloud) 20161208
nProtect Banker/W32.Banbra.14582792 20161208
ALYac
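
The two scans discussed in the posts above can be compared mechanically. This is an added example, not part of the original thread: it parses pasted VirusTotal result rows and reports which engines dropped a detection, which added one, and which new detection names reuse a family token from the dropped one. The function names, the `GENERIC` word list, the date on the first scan, the clean rows, and the assumption that engine names are a single word are all assumptions made for illustration.

```python
import re

# Constructed from the thread: the first scan as Erwin describes it (only
# Kaspersky flags; the date column is a placeholder), then the re-scan rows
# Leon pasted plus a constructed clean Kaspersky row. Engines without a
# result reported the file as clean.
SCAN_1 = """\
Kaspersky Trojan-Banker.Win32.Banbra.vdfk 20161206
AegisLab 20161206
Microsoft 20161206
"""
SCAN_2 = """\
Antivirus Result Update
AegisLab Troj.Banker.W32.Banbra!c 20161208
Microsoft TrojanSpy:Win32/Banker 20161208
Rising Malware.Strealer!8.1EF-6bvIvnloz5H (cloud) 20161208
nProtect Banker/W32.Banbra.14582792 20161208
Kaspersky 20161208
ALYac
"""
# Hypothetical list of labels too generic to indicate a shared signature.
GENERIC = {"trojan", "troj", "trojanspy", "malware", "cloud"}

def parse_scan(text):
    """Map engine -> detection name (None when clean). Assumes one-word engine names."""
    verdicts = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Antivirus":
            continue  # blank line or the column header
        if len(tokens) > 1 and re.fullmatch(r"\d{8}", tokens[-1]):
            tokens.pop()  # drop the definitions-date column
        verdicts[tokens[0]] = " ".join(tokens[1:]) or None
    return verdicts

def family_tokens(name):
    """Alphabetic runs of 4+ letters in a detection name, minus generic labels."""
    return set(re.findall(r"[a-z]{4,}", name.lower())) - GENERIC

def diff_scans(before, after):
    """Engines that dropped or added a detection, and new names echoing a dropped one."""
    dropped = sorted(e for e, r in before.items() if r and not after.get(e))
    new = sorted(e for e, r in after.items() if r and not before.get(e))
    seen = set().union(*(family_tokens(before[e]) for e in dropped))
    echoes = {e: sorted(family_tokens(after[e]) & seen) for e in new}
    return {"dropped": dropped, "new": new,
            "echoes": {e: t for e, t in echoes.items() if t}}

if __name__ == "__main__":
    print(diff_scans(parse_scan(SCAN_1), parse_scan(SCAN_2)))
```

A shared family token is only a hint that engines may be reusing another vendor's verdict; it does not show how any vendor obtained its signature.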

Leon Gauthier
Posts: 53
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Postby Leon Gauthier » Thu Dec 08, 2016 11:25 pm

Seems odd to me that this pops up here only now. I also scan every day.
I guess I'll just download the latest release and see if that changes anything.

Erwin Denissen
Moderator
Posts: 6589
Joined: Fri Oct 04, 2002 12:41 am
Location: De Bilt, The Netherlands

Re: Kaspersky Alarming Virus Warning

Postby Erwin Denissen » Thu Dec 08, 2016 11:34 pm

Leon Gauthier wrote: When I first submitted the file, I got this:

Well, at least that is exactly the same setup I uploaded.

I've reported this issue, so I hope Microsoft will act soon. I'll keep you updated as soon as I receive a reply.
Erwin Denissen
High-Logic
Proven Font Technology

MikeW
Posts: 390
Joined: Mon May 20, 2013 2:51 pm

Re: Kaspersky Alarming Virus Warning

Postby MikeW » Thu Dec 08, 2016 11:38 pm

I just scanned the system and the concerned files directly with Malwarebytes with nothing being detected either.

Mike

Leon Gauthier
Posts: 53
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Postby Leon Gauthier » Thu Dec 08, 2016 11:41 pm

Is this your latest maintenance release?
If so, I guess there is no point in me re-installing!

Erwin Denissen
Moderator
Posts: 6589
Joined: Fri Oct 04, 2002 12:41 am
Location: De Bilt, The Netherlands

Re: Kaspersky Alarming Virus Warning

Postby Erwin Denissen » Thu Dec 08, 2016 11:45 pm

No, we released one an hour ago!
Erwin Denissen
High-Logic
Proven Font Technology

KaizenNeko
Posts: 6
Joined: Sat Feb 15, 2014 8:29 pm

Re: Kaspersky Alarming Virus Warning

Postby KaizenNeko » Fri Dec 09, 2016 12:40 am

Erwin Denissen wrote: I've just scanned all files with Windows Defender version 1.233.1724.0 and it didn't find any issues.

What file(s) are flagged on your system?


From the report.
file:C:\WINDOWS\sysWOW64\FCOutDrw.dll
shareddll:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS\\C:\WINDOWS\SysWoW64\FCOutDrw.dll
regkey:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS\\C:\WINDOWS\SysWoW64\FCOutDrw.dll

I don't doubt it's a false positive, but I'll let Windows Defender do its thing to make it happy. I'm in the process of doing a full-scan so I haven't seen it flag the installer as of yet.

I see that Defender now has updated to 1.233.1759.0 but haven't tested to see if it still false-flags FCOutDrw.

Leon Gauthier
Posts: 53
Joined: Thu May 07, 2015 6:07 am

Re: Kaspersky Alarming Virus Warning

Postby Leon Gauthier » Fri Dec 09, 2016 6:30 am

FYI:
After scanning again with updated virus and spyware definitions and finding nothing, I instructed Windows Defender to allow the "Trojan" but the dll was deleted anyway upon re-booting. It also removed the registry entry:

HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS\\C:\WINDOWS\SysWOW64\FCOutDrw.dll

So the obvious recourse was to re-install the latest version of FontCreator 10.1.0 build 2257 posted today.
I am scanning now with the latest Virus and Spyware definition versions (1.233.1783.0) which is the third update of those files I saw today.
All clear, nothing found.

I also submitted FontCreatorSetup.exe to VirusTotal and got a clean bill of health:
SHA256: e61636655357d9c48c4cf1f59e2a6db3a03dc01e043c82979f7636213e0456ec
File name: FontCreatorSetup.exe
Detection ratio: 0 / 56
Analysis date: 2016-12-09 06:20:55 UTC ( 1 minute ago )
https://www.virustotal.com/en/file/e61636655357d9c48c4cf1f59e2a6db3a03dc01e043c82979f7636213e0456ec/analysis/1481264455/

Erwin Denissen
Moderator
Posts: 6589
Joined: Fri Oct 04, 2002 12:41 am
Location: De Bilt, The Netherlands

Re: Kaspersky Alarming Virus Warning

Postby Erwin Denissen » Fri Dec 09, 2016 6:42 am

We've also performed a full scan last night, and Windows Defender didn't find anything on this development system.

In the meantime it was updated as well, so it now is using version 1.233.1768.0 for both virus and spyware definitions.
Erwin Denissen
High-Logic
Proven Font Technology
