[FALSE ALARM] Kaspersky Alarming Virus Warning

ben8238723 · December 1, 2016, 2:19pm

I installed 10.1 update with no problem yesterday afternoon but this morning woke up to these virus notices and a locked down computer which demanded disinfection from:

FCOutDrw.dll Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe/data0083 Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe UDS:DangerousObjectMulti.Generic

You can see how it’s reported in VirusTotal here:
https://www.virustotal.com/en/file/f2b5c21f61fc0525950207545bad7df2f172b45561a477ecb4bdaf6965c4b44b/analysis/1480601892/

I hope and presume this is a false alarm, but obviously for Kaspersky users this is a problem.

Bhikkhu_Pesala · December 1, 2016, 2:38pm

Yes, of course it’s a false alarm. If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.

Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?

Patrick_Schoenbach · December 1, 2016, 6:26pm

Confirmed.

ErwinDenissen · December 1, 2016, 7:05pm

Another customer just forwarded a report from Anti-Virus Lab, Kaspersky Lab HQ:

Thank you for sending a file for analysis to the Anti-Virus Lab.

Kaspersky Anti-Virus has scanned files.

No malware detected in files:
FontCreatorSetup.exe

We will thoroughly analyze files. If the result of the analysis is different from this scan result, you will be notified via email within 5 days.

This is an automatically generated message. Please, do not reply to it.

ben8238723 · December 2, 2016, 5:41am

FontCreator does still run, and very oddly having the virus scanner delete FCOutDrw.dll fixed a rendering problem I was seeing and reported here. So maybe the font isn’t as smooth in preview, but it actually looks right/better, it isn’t screwing up when displaying overlapped curves.

ErwinDenissen · December 2, 2016, 7:47am

FCOutDrw is a new dynamic linked library (DLL) which is used to draw smooth glyph outlines. If the file is removed, FontCreator will use the old drawing method.

The new method uses the even-odd rule when it comes to determining whether an area is inside or outside while the old method uses the non-zero winding rule.
See: https://en.wikipedia.org/wiki/Nonzero-rule

ben8238723 · December 2, 2016, 2:41pm

Thanks for the detailed explanation. Just curious, why would the new method use the even-odd rule? Is it to try to highlight and discourage people leaving curve overlaps in a font or something? Ultimately the fonts seem to render okay either way when used as a font, but maybe it’s bad form.

ErwinDenissen · December 2, 2016, 2:44pm

The new method uses the graphical device interface to draw outlines, which should be faster, and is smooth. The downside at the moment is the fact we can’t change the fill mode.

The first line is drawn with the old method, the second line is the improved one.

The “F” consist of a single contour that is self-intersecting.

KaizenNeko · December 8, 2016, 12:34pm

Bumping this to make a note that Windows Defender is now also flagging and removing it.

Windows 10 Pro
Definitions version: 1.233.1718.0

ErwinDenissen · December 8, 2016, 12:45pm

I’ve just scanned all files with Windows Defender version 1.233.1724.0 and it didn’t find any issues.

What file(s) are flagged on your system?

Leon_Gauthier · December 8, 2016, 8:44pm

In Windows 10.1 Pro, Windows Defender just flagged FCOutDrw.dll as a Trojan on my machine …
More precisely, it said:
“There is a problem [TrojanSpy:Win32/Banker] in [FCOutDrw.dll] You should run a full system scan to fix it.” Even now after I removed the file from quarantine.

I am looking for ways to alert Microsoft.

MikeW · December 8, 2016, 10:23pm

My PC gets scanned everyday by Win Defender. I just did a manual scan on the SysWOW64 folder and there was no issue even though the noted DLL is present. Also Win 10.1 Pro.

Weird.

Mike

ErwinDenissen · December 8, 2016, 10:33pm

Can you send that file to us, so we can compare it with ours?

Or upload it to https://www.virustotal.com/ and let us know the processed url.

We’ve just uploaded it at:
https://www.virustotal.com/en/file/1e1667da19564b097fc5497d53d40f230640956a452f4833c118d9bf5cbf21fd/analysis/1481236460/

SHA256: 1e1667da19564b097fc5497d53d40f230640956a452f4833c118d9bf5cbf21fd
File name: FCOutDrw.dll
Detection ratio: 0 / 54
Analysis date: 2016-12-08 22:34:20 UTC

Leon_Gauthier · December 8, 2016, 10:53pm

I performed a complete scan with Windows Defender and it listed more items associated with this detected “Trojan”:

containerfile:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe
containerfile:C:\Users\Nick\Downloads\FontCreatorSetup.exe
file:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe->(inno#000083)
file:C:\Users\Nick\Downloads\FontCreatorSetup.exe->(inno#000083)

Which I suppose are just the locations of where this dll came from although I do not understand why the setup.exe is in two different places..

ErwinDenissen · December 8, 2016, 11:00pm

Can you upload them to virustotal, or send them to me?

We’ve just released another maintenance release, so I wonder what Defender has to say about it. On my system it all runs just fine

ErwinDenissen · December 8, 2016, 11:10pm

So at first Kaspersky did detect Trojan-Banker.Win32.Banbra.vdfk and no other virus scanners complained.

Now I’ve just re-scanned the same setup file at virustotal, and Kaspersky no longer complains, but these do:
AegisLab Troj.Banker.W32.Banbra!c
Microsoft TrojanSpy:Win32/Banker
Rising Malware.Strealer!8.1EF-6bvIvnloz5H (cloud)
nProtect Banker/W32.Banbra.14582792

I wonder if Kaspersky did provide this information to them, and then didn’t notify them about the fact they no longer flag our software?

Leon_Gauthier · December 8, 2016, 11:19pm

When I first submitted the file, I got this:

on FontCreatorSetup.exe, Virus Total reported:

This file was last analysed by VirusTotal on 2016-12-06 13:41:11 UTC (2 days, 9 hours ago) it was first analysed by VirusTotal on 2016-11-30 20:32:31 UTC.

Detection ratio: 2/55

You can take a look at the last analysis or analyse it again now.

Results of Virustotal re-submission:
url = https://www.virustotal.com/en/file/f2b5c21f61fc0525950207545bad7df2f172b45561a477ecb4bdaf6965c4b44b/analysis/1481238322/

If that url is no good, here is the partial text:

SHA256: f2b5c21f61fc0525950207545bad7df2f172b45561a477ecb4bdaf6965c4b44b
File name: FontCreatorSetup.exe
Detection ratio: 4 / 56
Analysis date: 2016-12-08 23:05:22 UTC ( 0 minutes ago )

Antivirus Result Update
AegisLab Troj.Banker.W32.Banbra!c 20161208
Microsoft TrojanSpy:Win32/Banker 20161208
Rising Malware.Strealer!8.1EF-6bvIvnloz5H (cloud) 20161208
nProtect Banker/W32.Banbra.14582792 20161208
ALYac

Leon_Gauthier · December 8, 2016, 11:25pm

Seems odd to me that this pops up here only now. I also scan everyday.
I guess I’ll just download the latest release and see if that changes anything.

ErwinDenissen · December 8, 2016, 11:34pm

Well, at least that is exactly the same setup I uploaded.

I’ve reported this issue, so I hope Microsoft will act soon. I’ll keep you updated as soon as I receive a reply.

MikeW · December 8, 2016, 11:38pm

I just scanned the system and the concerned files directly with Malwarebytes with nothing being detected either.

Mike