Notepad++ 32bit installer detected as malware on virustotal?
- 
 Went to check the installer like I normally do for anything I download and noticed the 32bit installer is detected 5/50. I’m sure these are false positives, but I thought I’d post here to let the developers know in case they don’t. 
- 
 I used https://www.virustotal.com/#/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/detection 
 Looks like it dropped from 5 to 4 so I guess it’s a false positive.
- 
 The first time I checked the link to the file, and now checked the downloaded file. You are right to show that there is a virus. 
 https://www.virustotal.com/ru/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/analysis/1551978217/
 SHA256: 3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157
 File name: npp.7.6.4.Installer.exe
 Detection ratio: 4 / 70
 Analysis date: 2019-03-07 17:03:37 UTC ( 4 minutes ago )
- 
 @andrecool-68 the SHA256 doesn’t match with the download link on the download page. 
- 
 Everything matches! 
 https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.sha1.md5.digest.txt
- 
 Yeah I was just about to post that I looked at the wrong sha256. Looked at the 64bit one not 32. Though this is a little suspicious since the 64bit installer only has a 1/70 detection. Still it’s most likely a false positive. 
- 
 hi @andrecool-68 @Chowder908 and all, i can confirm that a virustotal.com url scan shows no virus detections, but if i download the npp installer from the same url, and manually upload it to virustotal.com, it will trigger some virus/malware detections. 
 url scans:
 url: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.exe
 result: https://www.virustotal.com/#/url/06f2b4b05f83ff97b63c0c8f009b8d1698260d065fefee62b3d2af66877d0852/detection
 sha: 3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157
 detections: 0/69
 url: https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.Installer.x64.exe
 result: https://www.virustotal.com/#/url/0a2390eae8713b5ff96d97cc3107b54c4a188117da626d0cb65beb8c68fc675e/detection
 sha: 2716fbb5180e2fd7264c4c2f5c74f280d355cbdb9660c6b7d18bc506f7b87398
 detections: 0/69
 file scans, manually uploaded to virustotal.com:
 file: npp.7.6.4.Installer.exe
 result: https://www.virustotal.com/#/file/3e95ce4191b73c755a3139c4df5039b255069eadda57ae827cbf843c60836157/detection
 detections: 4/68
 file: npp.7.6.4.Installer.x64.exe
 result: https://www.virustotal.com/#/file/2716fbb5180e2fd7264c4c2f5c74f280d355cbdb9660c6b7d18bc506f7b87398/detection
 detections: 2/68
 can anybody else confirm that too? 
 or has anybody discovered a plausible explanation for that?
 it is very intriguing, as i don’t recall any virustotal.com tests, where an url scan result has differed from an upload result of the same file, producing the false positives we currently see. 
- 
 @Meta-Chuh yeah URL is fine the file has some detections. 
- 
 If you unpack the installer all clean! 
 I think it was found in the installer script, or maybe I’m wrong.
- 
 looking at bkav’s HW32.Packed detection, it might indicate, that it is triggered by the nsis compressor setting
 SetCompressor /SOLID lzma in nppSetup.nsi, as the result is an .exe with compressed resources.
 just like .exe files, that are compressed with UPX. 
 they often (as in very, very, very often) produce heuristic virus alerts.
 and now, with the missing code signing certificate, it might be possible, that the engines do not whitelist the notepad++ installer any more, if they have whitelisted it before. 
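
The digest mix-up earlier in this thread (the 32-bit installer compared against the 64-bit entry) is the kind of error a check keyed on the file name catches. The following is an added example, not part of the original thread or of the Notepad++ project; it assumes a digest list made of `<hex digest>  <filename>` lines (the real file's layout is not shown in the thread), and the installer bytes are constructed stand-ins.

```python
import hashlib
import re

# Hex digest length -> hashlib algorithm name.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
LINE_RE = re.compile(r"^([0-9a-fA-F]{32,64})\s+\*?(\S.*?)\s*$")


def parse_digests(text):
    """Return {(algorithm, filename): hexdigest} from '<hex>  <filename>' lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and len(m.group(1)) in ALGO_BY_LENGTH:
            algo = ALGO_BY_LENGTH[len(m.group(1))]
            entries[(algo, m.group(2))] = m.group(1).lower()
    return entries


def verify(data, filename, entries):
    """Return (status, detail): 'ok', 'mismatch', 'wrong-file' or 'unlisted'."""
    published = {a: h for (a, n), h in entries.items() if n == filename}
    if not published:
        return "unlisted", filename
    actual = {a: hashlib.new(a, data).hexdigest() for a in published}
    if actual == published:
        return "ok", ", ".join(sorted(published))
    # The bytes may be a different published file (e.g. the x64 build).
    for (algo, name), digest in entries.items():
        if name != filename and hashlib.new(algo, data).hexdigest() == digest:
            return "wrong-file", name
    return "mismatch", filename


# Constructed stand-ins for the two installers and a digest list built from them.
X86 = b"constructed 32-bit installer bytes"
X64 = b"constructed 64-bit installer bytes"
SAMPLE = "\n".join(
    f"{hashlib.new(a, d).hexdigest()}  {n}"
    for n, d in (("npp.7.6.4.Installer.exe", X86), ("npp.7.6.4.Installer.x64.exe", X64))
    for a in ("md5", "sha1", "sha256")
)

if __name__ == "__main__":
    entries = parse_digests(SAMPLE)
    print(verify(X86, "npp.7.6.4.Installer.exe", entries))
    print(verify(X64, "npp.7.6.4.Installer.exe", entries))
```

A `wrong-file` result means the bytes are a genuine published file under a different name, which separates a mix-up from a tampered download (`mismatch`).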


