Page 1 of 2

[FALSE ALARM] Kaspersky Alarming Virus Warning

Posted: Thu Dec 01, 2016 2:19 pm
by ben8238723
I installed 10.1 update with no problem yesterday afternoon but this morning woke up to these virus notices and a locked down computer which demanded disinfection from:

FCOutDrw.dll Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe/data0083 Trojan-Banker.Win32.Banbra.vdfk
FontCreatorSetup.exe UDS:DangerousObjectMulti.Generic

You can see how it's reported in VirusTotal here:
https://www.virustotal.com/en/file/f2b5 ... 480601892/

I hope and presume this is a false alarm, but obviously for Kaspersky users this is a problem.

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 01, 2016 2:38 pm
by Bhikkhu Pesala
Yes, of course it's a false alarm. If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.

Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 01, 2016 6:26 pm
by Patrick Schoenbach
Confirmed.

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 01, 2016 7:05 pm
by Erwin Denissen
Another customer just forwarded a report from Anti-Virus Lab, Kaspersky Lab HQ:
Thank you for sending a file for analysis to the Anti-Virus Lab.

Kaspersky Anti-Virus has scanned files.

No malware detected in files:
FontCreatorSetup.exe

We will thoroughly analyze files. If the result of the analysis is different from this scan result, you will be notified via email within 5 days.

This is an automatically generated message. Please, do not reply to it.

Re: Kaspersky Alarming Virus Warning

Posted: Fri Dec 02, 2016 5:41 am
by ben8238723
Bhikkhu Pesala wrote:If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.

Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?
FontCreator does still run, and very oddly having the virus scanner delete FCOutDrw.dll fixed a rendering problem I was seeing and reported here. So maybe the font isn't as smooth in preview, but it actually looks right/better, it isn't screwing up when displaying overlapped curves.

Re: Kaspersky Alarming Virus Warning

Posted: Fri Dec 02, 2016 7:47 am
by Erwin Denissen
ben8238723 wrote:
Bhikkhu Pesala wrote:If I am not mistaken you can run FontCreator 10.1 without this DLL, but the preview of outlines will not be quite as smooth.

Is it your experience that FontCreator runs, or does it fail to start due to the missing DLL?
FontCreator does still run, and very oddly having the virus scanner delete FCOutDrw.dll fixed a rendering problem I was seeing and reported here. So maybe the font isn't as smooth in preview, but it actually looks right/better, it isn't screwing up when displaying overlapped curves.
FCOutDrw is a new dynamic linked library (DLL) which is used to draw smooth glyph outlines. If the file is removed, FontCreator will use the old drawing method.

The new method uses the even-odd rule when it comes to determining whether an area is inside or outside while the old method uses the non-zero winding rule.
See: https://en.wikipedia.org/wiki/Nonzero-rule

Re: Kaspersky Alarming Virus Warning

Posted: Fri Dec 02, 2016 2:41 pm
by ben8238723
Erwin Denissen wrote:The new method uses the even-odd rule when it comes to determining whether an area is inside or outside while the old method uses the non-zero winding rule.
See: https://en.wikipedia.org/wiki/Nonzero-rule
Thanks for the detailed explanation. Just curious, why would the new method use the even-odd rule? Is it to try to highlight and discourage people leaving curve overlaps in a font or something? Ultimately the fonts seem to render okay either way when used as a font, but maybe it's bad form.

Re: Kaspersky Alarming Virus Warning

Posted: Fri Dec 02, 2016 2:44 pm
by Erwin Denissen
The new method uses the graphical device interface to draw outlines, which should be faster, and is smooth. The downside at the moment is the fact we can't change the fill mode.
oldnewdraw.png
oldnewdraw.png (13.74 KiB) Viewed 3175 times
The first line is drawn with the old method, the second line is the improved one.

The "F" consist of a single contour that is self-intersecting.

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 08, 2016 12:34 pm
by KaizenNeko
Bumping this to make a note that Windows Defender is now also flagging and removing it.

Windows 10 Pro
Definitions version: 1.233.1718.0

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 08, 2016 12:45 pm
by Erwin Denissen
I've just scanned all files with Windows Defender version 1.233.1724.0 and it didn't find any issues.

What file(s) are flagged on your system?

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 08, 2016 8:44 pm
by Leon Gauthier
In Windows 10.1 Pro, Windows Defender just flagged FCOutDrw.dll as a Trojan on my machine ...
More precisely, it said:
"There is a problem [TrojanSpy:Win32/Banker] in [FCOutDrw.dll] You should run a full system scan to fix it." Even now after I removed the file from quarantine.

I am looking for ways to alert Microsoft.

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 08, 2016 10:23 pm
by MikeW
My PC gets scanned everyday by Win Defender. I just did a manual scan on the SysWOW64 folder and there was no issue even though the noted DLL is present. Also Win 10.1 Pro.

Weird.

Mike

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 08, 2016 10:33 pm
by Erwin Denissen
Can you send that file to us, so we can compare it with ours?

Or upload it to https://www.virustotal.com/ and let us know the processed url.

We've just uploaded it at:
https://www.virustotal.com/en/file/1e16 ... 481236460/

SHA256: 1e1667da19564b097fc5497d53d40f230640956a452f4833c118d9bf5cbf21fd
File name: FCOutDrw.dll
Detection ratio: 0 / 54
Analysis date: 2016-12-08 22:34:20 UTC

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 08, 2016 10:53 pm
by Leon Gauthier
I performed a complete scan with Windows Defender and it listed more items associated with this detected "Trojan":

containerfile:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe
containerfile:C:\Users\Nick\Downloads\FontCreatorSetup.exe
file:C:\Users\Nick\AppData\Local\Temp\FontCreatorSetup.exe->(inno#000083)
file:C:\Users\Nick\Downloads\FontCreatorSetup.exe->(inno#000083)

Which I suppose are just the locations of where this dll came from although I do not understand why the setup.exe is in two different places..

Re: Kaspersky Alarming Virus Warning

Posted: Thu Dec 08, 2016 11:00 pm
by Erwin Denissen
Can you upload them to virustotal, or send them to me?

We've just released another maintenance release, so I wonder what Defender has to say about it. On my system it all runs just fine :o