False Positive on VirusTotal for Notepad++ 8.5.6?

BenI570 · Nov 11, 2023, 6:01 AM

www.virustotal. com/gui/file/9e70f821b23c997211e083a0965cf0c3ea627866685e02e7c124b803801c0478?nocache=1

There was an older thread that mentioned that a similar flag (on previous versions of Notepad++) comes from the fact that Notepad++ is built with NSIS. Is this the case again? It is interesting because the latest version (8.5.8) of Notepad++ is not flagged by VirusTotal anymore.

Here’s the link to that older thread:
community.notepad-plus-plus.
org/topic/23697/trojan-rozena-win32-164323_npp-8-4-6-installer-x64-exe/6

I apologize for the weird formatting; I have no reputation so I cannot properly post links. Thank you all!

mkupper · Nov 11, 2023, 6:42 PM

@BenI570, the virustotal link you provided is for the Notepad++ v8.5.6 installer. It’s not clear what your question is.

Virus scanners have a problem in that they are being asked to scan the random junk seen in most executable files to see if there is some pattern data that may be a virus. It’s like trying to identify a person by only looking at a shadow cast on a sidewalk. Apparently, one scanner from one vendor saw a pattern it did not like in Notepad++'s v8.5.6 installer. Other anti-virus vendors use different methods of pattern matching and were happy with Notepad++'s v8.5.6 installer.

Notepad++'s v8.5.8 installer is a different pile of essentially random junk that most, and maybe all anti-virus vendor’s are happy with.

It’s still a good practice to keep backups of the things you care about and to keep them off line from your computer.

BenI570 · Nov 11, 2023, 8:25 PM

@mkupper That makes sense. Thank you for the information on how antiviruses detect things.

To clarify my original question, I was just curious if the v8.5.8 installer detection was caused for the same reason as the detection caused by the v8.4.6 installer, the v8.4.6 detection being because Notepad++ is built with NSIS. The whole NSIS thing is what the older thread was talking about.
Notepad++ v8.4.6 VirusTotal Scan
Notepad++ v8.5.8 VirusTotal Scan

Thanks again for the reply!

mkupper · Nov 12, 2023, 5:12 PM

@BenI570, unfortunately, your question or concerns can’t be answered with a definite yes or no supported by facts. The people who write virus scanners generally don’t publicize the details of how they do the detection. Thus, we don’t know why one of the 72 virus scanners that the VirusTotal web site is using at present reports that a particular file may contain a particular virus.

We can guess the reason is because Notepad++, along with a few other applications, use the NSIS installer. Some viruses also use the NSIS installer. Other viruses may include chunks or data or code designed to appear to be the NSIS installer in an attempt to evade detection. All of this paragraph though about NSIS is mildly informed speculation. It may be wrong.

As Zillya seems to be the only AV scanner that complains about the Notepad+++ installer file then it seems likely the problem is more on Zillya’s end. When I enter Zillya into the Google search box the second line of the hints Google provides is “zillya false positive” indicating it’s a popular and common search topic. I did not test to see if “false positive” is a common sub-topic for other anti-virus packages.

BenI570 · Nov 22, 2023, 9:21 PM

@mkupper That also makes sense. Thank you for the clarification and possible reasons for this occurring! I really do appreciate it.