• Login
Community
  • Login

Notepad++ 32bit installer detected as malware on virustotal?

Scheduled Pinned Locked Moved General Discussion
virus
11 Posts 3 Posters 4.6k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • C
    Chowder908
    last edited by Chowder908 Mar 7, 2019, 4:33 PM Mar 7, 2019, 4:31 PM

    Went to check the installer like I normally for anything I download noticed the 32bit installer detected 5/50. I’m sure these are false positives, but I’d thought I’d post here to let the developers know incase they don’t.

    1 Reply Last reply Reply Quote 1
    • A
      andrecool-68
      last edited by Mar 7, 2019, 4:41 PM

      https://www.virustotal.com/ru/url/06f2b4b05f83ff97b63c0c8f009b8d1698260d065fefee62b3d2af66877d0852/analysis/1551976063/

      1 Reply Last reply Reply Quote 2
      • C
        Chowder908
        last edited by Mar 7, 2019, 4:53 PM

        I used https://www.virustotal.com/#/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/detection
        Looks like it dropped from 5 to 4 so I guess it’s a false positive.

        1 Reply Last reply Reply Quote 1
        • A
          andrecool-68
          last edited by Mar 7, 2019, 5:21 PM

          The first time I checked the link to the file, and now checked the downloaded file. You are right to show that there is a virus.
          https://www.virustotal.com/ru/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/analysis/1551978217/

          SHA256: 3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157
          File name: npp.7.6.4.Installer.exe
          Detection ratio: 4 / 70
          Analysis date: 2019-03-07 17:03:37 UTC ( 4 minutes ago ) View latest

          C 1 Reply Last reply Mar 7, 2019, 5:55 PM Reply Quote 1
          • C
            Chowder908 @andrecool-68
            last edited by Chowder908 Mar 7, 2019, 5:56 PM Mar 7, 2019, 5:55 PM

            @andrecool-68 the SHA256 don’t match with the download link on the download page.

            1 Reply Last reply Reply Quote 0
            • A
              andrecool-68
              last edited by Mar 7, 2019, 6:27 PM

              Everything matches!
              https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.sha1.md5.digest.txt

              1 Reply Last reply Reply Quote 1
              • C
                Chowder908
                last edited by Mar 7, 2019, 6:37 PM

                Yeah I was just about to post that I looked at the wrong sha256. Looked at the 64bit one not 32. Tho this is a little suspicious since the 64bit installer only has a 1/70 detection. Still it’s most likely a false positive.

                M 1 Reply Last reply Mar 7, 2019, 11:58 PM Reply Quote 0
                • M
                  Meta Chuh moderator @Chowder908
                  last edited by Meta Chuh Mar 8, 2019, 12:18 AM Mar 7, 2019, 11:58 PM

                  hi @andrecool-68 @Chowder908 and all

                  i can confirm, that a virustotal.com url scan shows no virus detections, but if i download the npp installer from the same url, and manually upload it to virustotal.com , it will trigger some virus/malware detections.


                  url scans:

                  url: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.exe
                  result: https://www.virustotal.com/#/url/06f2b4b05f83ff97b63c0c8f009b8d1698260d065fefee62b3d2af66877d0852/detection
                  sha: 3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157
                  detections: 0/69

                  url: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.x64.exe
                  result: https://www.virustotal.com/#/url/0a2390eae8713b5ff96d97cc3107b54c4a188117da626d0cb65beb8c68fc675e/detection
                  sha: 2716fbb5180e2fd7264c4c2f5c74f280d355cbdb9660c6b7d18bc506f7b87398
                  detections: 0/69


                  file scans, manually uploaded to virustotal.com :

                  file: npp.7.6.4.Installer.exe
                  result: https://www.virustotal.com/#/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/detection
                  detections: 4/68

                  file: npp.7.6.4.Installer.x64.exe
                  result: https://www.virustotal.com/#/file/2716fbb5180e2fd7264c4c2f5c74f280d355cbdb9660c6b7d18bc506f7b87398/detection
                  detections: 2/68


                  can anybody else confirm that too ?
                  or has anybody discovered a plausible explanation for that ?

                  it is very intriguing, as i don’t recall any virustotal.com tests, where an url scan result has differed from an upload result of the same file, producing the false positives we currently see.

                  C 1 Reply Last reply Mar 8, 2019, 7:06 AM Reply Quote 3
                  • C
                    Chowder908 @Meta Chuh
                    last edited by Mar 8, 2019, 7:06 AM

                    @Meta-Chuh yeah URL is fine the file has some detections.

                    1 Reply Last reply Reply Quote 1
                    • A
                      andrecool-68
                      last edited by Mar 8, 2019, 12:41 PM

                      If you unpack the installer all clean!
                      I think it was found in the installer script, or maybe I’m wrong.

                      M 1 Reply Last reply Mar 8, 2019, 1:10 PM Reply Quote 1
                      • M
                        Meta Chuh moderator @andrecool-68
                        last edited by Meta Chuh Mar 8, 2019, 2:02 PM Mar 8, 2019, 1:10 PM

                        looking at bkav’s HW32.Packed detection, it might indicate, that it is triggered by the nsis compressor setting
                        SetCompressor /SOLID lzma in nppSetup.nsi, as the result is an .exe with compressed resources.

                        just like .exe files, that are compressed with UPX.
                        they often (as in very, very, very often) produce heuristic virus alerts.

                        and now, with the missing code signing certificate, it might be possible, that the engines do not whitelist the notepad++ installer any more, if they have whitelisted it before.

                        1 Reply Last reply Reply Quote 1
                        1 out of 11
                        • First post
                          1/11
                          Last post
                        The Community of users of the Notepad++ text editor.
                        Powered by NodeBB | Contributors