Community
    • Login

    Notepad++ 32bit installer detected as malware on virustotal?

    Scheduled Pinned Locked Moved General Discussion
    virus
    11 Posts 3 Posters 4.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Chowder908C
      Chowder908
      last edited by Chowder908

      Went to check the installer like I normally for anything I download noticed the 32bit installer detected 5/50. I’m sure these are false positives, but I’d thought I’d post here to let the developers know incase they don’t.

      1 Reply Last reply Reply Quote 1
      • andrecool-68A
        andrecool-68
        last edited by

        https://www.virustotal.com/ru/url/06f2b4b05f83ff97b63c0c8f009b8d1698260d065fefee62b3d2af66877d0852/analysis/1551976063/

        1 Reply Last reply Reply Quote 2
        • Chowder908C
          Chowder908
          last edited by

          I used https://www.virustotal.com/#/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/detection
          Looks like it dropped from 5 to 4 so I guess it’s a false positive.

          1 Reply Last reply Reply Quote 1
          • andrecool-68A
            andrecool-68
            last edited by

            The first time I checked the link to the file, and now checked the downloaded file. You are right to show that there is a virus.
            https://www.virustotal.com/ru/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/analysis/1551978217/

            SHA256: 3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157
            File name: npp.7.6.4.Installer.exe
            Detection ratio: 4 / 70
            Analysis date: 2019-03-07 17:03:37 UTC ( 4 minutes ago ) View latest

            Chowder908C 1 Reply Last reply Reply Quote 1
            • Chowder908C
              Chowder908 @andrecool-68
              last edited by Chowder908

              @andrecool-68 the SHA256 don’t match with the download link on the download page.

              1 Reply Last reply Reply Quote 0
              • andrecool-68A
                andrecool-68
                last edited by

                Everything matches!
                https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.sha1.md5.digest.txt

                1 Reply Last reply Reply Quote 1
                • Chowder908C
                  Chowder908
                  last edited by

                  Yeah I was just about to post that I looked at the wrong sha256. Looked at the 64bit one not 32. Tho this is a little suspicious since the 64bit installer only has a 1/70 detection. Still it’s most likely a false positive.

                  Meta ChuhM 1 Reply Last reply Reply Quote 0
                  • Meta ChuhM
                    Meta Chuh moderator @Chowder908
                    last edited by Meta Chuh

                    hi @andrecool-68 @Chowder908 and all

                    i can confirm, that a virustotal.com url scan shows no virus detections, but if i download the npp installer from the same url, and manually upload it to virustotal.com, it will trigger some virus/malware detections.


                    url scans:

                    url: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.exe
                    result: https://www.virustotal.com/#/url/06f2b4b05f83ff97b63c0c8f009b8d1698260d065fefee62b3d2af66877d0852/detection
                    sha: 3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157
                    detections: 0/69

                    url: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.x64.exe
                    result: https://www.virustotal.com/#/url/0a2390eae8713b5ff96d97cc3107b54c4a188117da626d0cb65beb8c68fc675e/detection
                    sha: 2716fbb5180e2fd7264c4c2f5c74f280d355cbdb9660c6b7d18bc506f7b87398
                    detections: 0/69


                    file scans, manually uploaded to virustotal.com:

                    file: npp.7.6.4.Installer.exe
                    result: https://www.virustotal.com/#/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/detection
                    detections: 4/68

                    file: npp.7.6.4.Installer.x64.exe
                    result: https://www.virustotal.com/#/file/2716fbb5180e2fd7264c4c2f5c74f280d355cbdb9660c6b7d18bc506f7b87398/detection
                    detections: 2/68


                    can anybody else confirm that too ?
                    or has anybody discovered a plausible explanation for that ?

                    it is very intriguing, as i don’t recall any virustotal.com tests, where an url scan result has differed from an upload result of the same file, producing the false positives we currently see.

                    Chowder908C 1 Reply Last reply Reply Quote 3
                    • Chowder908C
                      Chowder908 @Meta Chuh
                      last edited by

                      @Meta-Chuh yeah URL is fine the file has some detections.

                      1 Reply Last reply Reply Quote 1
                      • andrecool-68A
                        andrecool-68
                        last edited by

                        If you unpack the installer all clean!
                        I think it was found in the installer script, or maybe I’m wrong.

                        Meta ChuhM 1 Reply Last reply Reply Quote 1
                        • Meta ChuhM
                          Meta Chuh moderator @andrecool-68
                          last edited by Meta Chuh

                          looking at bkav’s HW32.Packed detection, it might indicate, that it is triggered by the nsis compressor setting
                          SetCompressor /SOLID lzma in nppSetup.nsi, as the result is an .exe with compressed resources.

                          just like .exe files, that are compressed with UPX.
                          they often (as in very, very, very often) produce heuristic virus alerts.

                          and now, with the missing code signing certificate, it might be possible, that the engines do not whitelist the notepad++ installer any more, if they have whitelisted it before.

                          1 Reply Last reply Reply Quote 1
                          • First post
                            Last post
                          The Community of users of the Notepad++ text editor.
                          Powered by NodeBB | Contributors