
False Positive on VirusTotal for Notepad++ 8.5.6?

  • B
    BenI570
    last edited by BenI570 Nov 11, 2023, 6:01 AM Nov 11, 2023, 6:00 AM

    www.virustotal. com/gui/file/9e70f821b23c997211e083a0965cf0c3ea627866685e02e7c124b803801c0478?nocache=1

    There was an older thread that mentioned that a similar flag (on previous versions of Notepad++) comes from the fact that Notepad++ is built with NSIS. Is this the case again? It is interesting because the latest version (8.5.8) of Notepad++ is not flagged by VirusTotal anymore.

    Here’s the link to that older thread:
    community.notepad-plus-plus.
    org/topic/23697/trojan-rozena-win32-164323_npp-8-4-6-installer-x64-exe/6

    I apologize for the weird formatting; I have no reputation so I cannot properly post links. Thank you all!

    • M
      mkupper @BenI570
      last edited by mkupper Nov 11, 2023, 6:42 PM Nov 11, 2023, 6:41 PM

      @BenI570, the VirusTotal link you provided is for the Notepad++ v8.5.6 installer. It’s not clear what your question is.

      Virus scanners have a problem in that they are being asked to scan the random junk seen in most executable files to see if there is some pattern data that may be a virus. It’s like trying to identify a person by only looking at a shadow cast on a sidewalk. Apparently, one scanner from one vendor saw a pattern it did not like in Notepad++'s v8.5.6 installer. Other anti-virus vendors use different methods of pattern matching and were happy with Notepad++'s v8.5.6 installer.

      Notepad++'s v8.5.8 installer is a different pile of essentially random junk that most, and maybe all, anti-virus vendors are happy with.

      It’s still a good practice to keep backups of the things you care about and to keep them offline from your computer.

      • B
        BenI570 @mkupper
        last edited by BenI570 Nov 11, 2023, 8:25 PM Nov 11, 2023, 8:23 PM

        @mkupper That makes sense. Thank you for the information on how antiviruses detect things.

        To clarify my original question, I was just curious if the v8.5.8 installer detection was caused for the same reason as the detection caused by the v8.4.6 installer, the v8.4.6 detection being because Notepad++ is built with NSIS. The whole NSIS thing is what the older thread was talking about.
        Notepad++ v8.4.6 VirusTotal Scan
        Notepad++ v8.5.8 VirusTotal Scan

        Thanks again for the reply!

        • M
          mkupper @BenI570
          last edited by Nov 12, 2023, 5:12 PM

          @BenI570, unfortunately, your question or concerns can’t be answered with a definite yes or no supported by facts. The people who write virus scanners generally don’t publicize the details of how they do the detection. Thus, we don’t know why one of the 72 virus scanners that the VirusTotal web site is using at present reports that a particular file may contain a particular virus.

          We can guess the reason is because Notepad++, along with a few other applications, uses the NSIS installer. Some viruses also use the NSIS installer. Other viruses may include chunks of data or code designed to appear to be the NSIS installer in an attempt to evade detection. All of this paragraph about NSIS, though, is mildly informed speculation. It may be wrong.

          As Zillya seems to be the only AV scanner that complains about the Notepad++ installer file, it seems likely the problem is more on Zillya’s end. When I enter Zillya into the Google search box, the second line of the hints Google provides is “zillya false positive”, indicating it’s a popular and common search topic. I did not test to see if “false positive” is a common sub-topic for other anti-virus packages.

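The situation described in the post above (one engine out of many flagging the installer) can be checked mechanically. The following is an added example, not code from the thread, the Notepad++ project or VirusTotal. It assumes a file report saved in the VirusTotal API v3 JSON layout; the sample report, every engine name other than Zillya, the detection string and the triage labels are constructed.

```python
import json

# Constructed sample shaped like a VirusTotal API v3 file report
# (data.attributes.last_analysis_results). Engine names other than
# Zillya and the detection string are made up for illustration.
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {"last_analysis_results": {
  "Zillya":  {"category": "malicious",  "result": "Constructed.Detection.Name"},
  "EngineA": {"category": "undetected", "result": null},
  "EngineB": {"category": "undetected", "result": null},
  "EngineC": {"category": "harmless",   "result": null},
  "EngineD": {"category": "timeout",    "result": null},
  "EngineE": {"category": "type-unsupported", "result": null}
}}}}
""")

FLAGGED = {"malicious", "suspicious"}
# Engines in these categories never produced a verdict, so they must not
# be counted as "happy with the file".
NO_VERDICT = {"timeout", "confirmed-timeout", "failure", "type-unsupported"}

def summarize(report):
    """Return ({flagging engine: detection name}, [engines with a verdict])."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {name: r.get("result") for name, r in results.items()
               if r.get("category") in FLAGGED}
    scanned = [name for name, r in results.items()
               if r.get("category") not in NO_VERDICT]
    return flagged, scanned

def triage(report, lone_threshold=1):
    """Label the report by how many engines agree (hypothetical labels)."""
    flagged, _ = summarize(report)
    if not flagged:
        return "clean"
    if len(flagged) <= lone_threshold:
        return "lone-detection"
    return "multi-engine"

if __name__ == "__main__":
    flagged, scanned = summarize(SAMPLE_REPORT)
    print(f"{len(flagged)}/{len(scanned)} engines flagged: {flagged}")
    print("triage:", triage(SAMPLE_REPORT))
```

A `lone-detection` label only describes how many engines agree; it is not a verdict on the file.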
          • B
            BenI570 @mkupper
            last edited by Nov 22, 2023, 9:21 PM

            @mkupper That also makes sense. Thank you for the clarification and possible reasons for this occurring! I really do appreciate it.
