Notepad++ 32bit installer detected as malware on virustotal?

Chowder908 · Mar 7, 2019, 4:33 PM

Went to check the installer like I normally for anything I download noticed the 32bit installer detected 5/50. I’m sure these are false positives, but I’d thought I’d post here to let the developers know incase they don’t.

andrecool-68 · Mar 7, 2019, 4:41 PM

https://www.virustotal.com/ru/url/06f2b4b05f83ff97b63c0c8f009b8d1698260d065fefee62b3d2af66877d0852/analysis/1551976063/

Chowder908 · Mar 7, 2019, 4:53 PM

I used https://www.virustotal.com/#/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/detection
Looks like it dropped from 5 to 4 so I guess it’s a false positive.

andrecool-68 · Mar 7, 2019, 5:21 PM

The first time I checked the link to the file, and now checked the downloaded file. You are right to show that there is a virus.
https://www.virustotal.com/ru/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/analysis/1551978217/

SHA256: 3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157
File name: npp.7.6.4.Installer.exe
Detection ratio: 4 / 70
Analysis date: 2019-03-07 17:03:37 UTC ( 4 minutes ago ) View latest

Chowder908 · Mar 7, 2019, 5:56 PM

@andrecool-68 the SHA256 don’t match with the download link on the download page.

andrecool-68 · Mar 7, 2019, 6:27 PM

Everything matches!
https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.sha1.md5.digest.txt

Chowder908 · Mar 7, 2019, 6:37 PM

Yeah I was just about to post that I looked at the wrong sha256. Looked at the 64bit one not 32. Tho this is a little suspicious since the 64bit installer only has a 1/70 detection. Still it’s most likely a false positive.

Meta Chuh · Mar 8, 2019, 7:06 AM

hi @andrecool-68 @Chowder908 and all

i can confirm, that a virustotal.com url scan shows no virus detections, but if i download the npp installer from the same url, and manually upload it to virustotal.com , it will trigger some virus/malware detections.

url scans:

url: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.exe
result: https://www.virustotal.com/#/url/06f2b4b05f83ff97b63c0c8f009b8d1698260d065fefee62b3d2af66877d0852/detection
sha: 3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157
detections: 0/69

url: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.x64.exe
result: https://www.virustotal.com/#/url/0a2390eae8713b5ff96d97cc3107b54c4a188117da626d0cb65beb8c68fc675e/detection
sha: 2716fbb5180e2fd7264c4c2f5c74f280d355cbdb9660c6b7d18bc506f7b87398
detections: 0/69

file scans, manually uploaded to virustotal.com :

file: npp.7.6.4.Installer.exe
result: https://www.virustotal.com/#/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/detection
detections: 4/68

file: npp.7.6.4.Installer.x64.exe
result: https://www.virustotal.com/#/file/2716fbb5180e2fd7264c4c2f5c74f280d355cbdb9660c6b7d18bc506f7b87398/detection
detections: 2/68

can anybody else confirm that too ?
or has anybody discovered a plausible explanation for that ?

it is very intriguing, as i don’t recall any virustotal.com tests, where an url scan result has differed from an upload result of the same file, producing the false positives we currently see.

Chowder908 · Mar 8, 2019, 7:06 AM

@Meta-Chuh yeah URL is fine the file has some detections.

andrecool-68 · Mar 8, 2019, 1:10 PM

If you unpack the installer all clean!
I think it was found in the installer script, or maybe I’m wrong.

Meta Chuh · Mar 8, 2019, 2:02 PM

looking at bkav’s HW32.Packed detection, it might indicate, that it is triggered by the nsis compressor setting
SetCompressor /SOLID lzma in nppSetup.nsi, as the result is an .exe with compressed resources.

just like .exe files, that are compressed with UPX.
they often (as in very, very, very often) produce heuristic virus alerts.

and now, with the missing code signing certificate, it might be possible, that the engines do not whitelist the notepad++ installer any more, if they have whitelisted it before.