Notepad++ 32bit installer detected as malware on virustotal?
Went to check the installer like I normally for anything I download noticed the 32bit installer detected 5/50. I’m sure these are false positives, but I’d thought I’d post here to let the developers know incase they don’t.
I used https://www.virustotal.com/#/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/detection
Looks like it dropped from 5 to 4 so I guess it’s a false positive.
The first time I checked the link to the file, and now checked the downloaded file. You are right to show that there is a virus.
File name: npp.7.6.4.Installer.exe
Detection ratio: 4 / 70
Analysis date: 2019-03-07 17:03:37 UTC ( 4 minutes ago ) View latest
@andrecool-68 the SHA256 don’t match with the download link on the download page.
Yeah I was just about to post that I looked at the wrong sha256. Looked at the 64bit one not 32. Tho this is a little suspicious since the 64bit installer only has a 1/70 detection. Still it’s most likely a false positive.
i can confirm, that a virustotal.com url scan shows no virus detections, but if i download the npp installer from the same url, and manually upload it to virustotal.com, it will trigger some virus/malware detections.
file scans, manually uploaded to virustotal.com:
can anybody else confirm that too ?
or has anybody discovered a plausible explanation for that ?
it is very intriguing, as i don’t recall any virustotal.com tests, where an url scan result has differed from an upload result of the same file, producing the false positives we currently see.
@Meta-Chuh yeah URL is fine the file has some detections.
If you unpack the installer all clean!
I think it was found in the installer script, or maybe I’m wrong.
looking at bkav’s
HW32.Packeddetection, it might indicate, that it is triggered by the nsis compressor setting
SetCompressor /SOLID lzmain
nppSetup.nsi, as the result is an .exe with compressed resources.
just like .exe files, that are compressed with UPX.
they often (as in very, very, very often) produce heuristic virus alerts.
and now, with the missing code signing certificate, it might be possible, that the engines do not whitelist the notepad++ installer any more, if they have whitelisted it before.