    notepad++ flagged as malicious, should i worry?

    • Zhane Hernandez

      I run Process Explorer, which can automatically submit file images to VirusTotal. I noticed that Notepad++ had a one out of 70, which indicated someone flagged it. I dropped it into Hybrid Analysis and it came back as a positive. Here are the links to that analysis. Should we be concerned? Or is this a normal false positive?

      Thanks, you can reach me at valiskeogh@ gmail.com

      https://hybrid-analysis.com/sample/ca3f56a705b26536b44f9213dd75f420139902f8d0a2851b176351cd3dab8685

      https://hybrid-analysis.com/sample/ca3f56a705b26536b44f9213dd75f420139902f8d0a2851b176351cd3dab8685/68ae78bf549d5281ab016df1

      • PeterJones (replying to Zhane Hernandez)

        @Zhane-Hernandez ,

        See this earlier post

        • xomx (replying to Zhane Hernandez)

          @Zhane-Hernandez said in notepad++ flagged as malicious, should i worry?:

          https://hybrid-analysis.com/sample/ca3f56a705b26536b44f9213dd75f420139902f8d0a2851b176351cd3dab8685

          Did you check that hybrid-analysis report?!
          I found its Risk Assessment part hilarious (remember, N++ is a text editor, so who would e.g. expect it to work with the Clipboard or the keyboard ;-) ), so I commented on some of it below:

          Spyware
              Contains ability to open the clipboard
              Contains ability to read clipboard data
              Contains ability to retrieve keyboard strokes
              Found a string that may be used as part of an injection method
          Fingerprint
              Contains ability to retrieve information about the current system
              Queries process information
          Evasive
              Found a Wine emulator related string
              Marks file for deletion
              Possibly tries to evade analysis by sleeping many times
          

          From the Spyware part only “Found a string that may be used as part of an injection method” is interesting - I guess it will be an N++ or underlying-library autodetection pattern, string signatures for recognising different shells etc.

          The Fingerprint part is typical AV nonsense; 99% of apps use that stuff.

          And Evasive - “Wine emulator related string” is correctly there because N++ needs to detect & disable some stuff (e.g. Scintilla DirectWrite) while running under the WINE emulator. “Marks file for deletion” probably means that the AV scanner just found the signature of the MS MoveFileEx WINAPI used in the code, or the NSIS installer's postponed deletion of the loaded NppShell extension. “Possibly tries to evade analysis by sleeping many times” - here IDK whether to laugh or cry at the state of the so-called “risk detection”.
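Before reading anything into a sandbox verdict it is worth confirming that the file on disk is the very binary the report describes. The following is an added example, not code from the thread or from the Notepad++ project; it assumes (as Hybrid Analysis links in this thread suggest) that the 64-hex sample id after `/sample/` is the SHA-256 of the analysed file, so hashing the local copy and comparing tells you whether the report even applies to what you have.

```python
import hashlib
import re

# Assumption (not stated on the page): a Hybrid Analysis sample link looks like
#   https://hybrid-analysis.com/sample/<sha256>[/<report id>]
# where <sha256> is the hex SHA-256 of the analysed file.
SAMPLE_URL_RE = re.compile(
    r"hybrid-analysis\.com/sample/([0-9a-fA-F]{64})(?:/[0-9a-fA-F]+)?"
)


def sha256_from_report_url(url: str) -> str:
    """Extract the sample SHA-256 from a Hybrid Analysis report link."""
    m = SAMPLE_URL_RE.search(url)
    if not m:
        raise ValueError(f"no 64-hex sample id found in {url!r}")
    return m.group(1).lower()


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file incrementally so large installers do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def same_sample_bytes(report_url: str, data: bytes) -> bool:
    """True if the in-memory bytes are the sample the report was generated for."""
    return sha256_from_report_url(report_url) == sha256_of_bytes(data)


def same_sample(report_url: str, path: str) -> bool:
    """True if the local file is the sample the report was generated for."""
    return sha256_from_report_url(report_url) == sha256_of_file(path)


if __name__ == "__main__":
    # Constructed demo input: the thread's report link versus a dummy payload.
    link = ("https://hybrid-analysis.com/sample/"
            "ca3f56a705b26536b44f9213dd75f420139902f8d0a2851b176351cd3dab8685")
    print("report sample id:", sha256_from_report_url(link))
    print("matches dummy bytes:", same_sample_bytes(link, b"not the real file"))
```

If the hashes differ, the verdict belongs to some other file and the VirusTotal ratio says nothing about your copy; if they match, the next step is reading the report's indicators the way the reply above does.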
