    Detection on latest version in Virustotal (usually "auto-update: triggered" one): is it safe?

      saladah0330

      I’ve noticed that whenever a newer version of Notepad++ is released (usually with “auto update: Triggered”), it is detected by Virustotal’s Zillya. I know this detection is usually a false positive, but I was wondering if it is related to the recent mimeTools tampering by unofficial fake plugins.

      I noticed that the 8.6.7 version that I downloaded last week didn’t have “auto-update: triggered” attached to it, and the state was “undetected”.

      I would appreciate it if you could provide more information on why this occurs.

        mkupper @saladah0330

        @saladah0330 - I uploaded Notepad++ v8.6.7 to https://www.virustotal.com/gui/home/upload and that web site says Zillya / Trojan.Rozena.Win32.219427

        If you search the Notepad++ forums for Zillya you will find it’s a longstanding issue. As AV vendors do not document the details of their detection process, we don’t know why that particular scanner complains about Notepad++.

        Notepad++'s process for triggering updates is not related to this issue. The installer package that you download is exactly the same regardless of whether the download was before or after it is triggered for updates.

        It’s a puzzle that Zillya did not complain about the file you downloaded. If you still have the installer.exe file, see if Zillya still does not complain.

        The size of your file should be one of:

        • 4,701,256 bytes for npp.8.6.7.Installer.exe
        • 4,854,296 bytes for npp.8.6.7.Installer.x64.exe

        Check your web browser’s download history and get the exact URL that you downloaded the installer from. It should be either

        • https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.6.7/npp.8.6.7.Installer.x64.exe
        • https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.6.7/npp.8.6.7.Installer.exe

        The download page at https://notepad-plus-plus.org/downloads/v8.6.7/ has GPG signatures that can be used to see if the exe you have in hand matches what Notepad++'s developer intended you to have…
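
The size and GPG checks described in the reply above can be scripted. This is an added example, not part of the original post and not Notepad++ project code; it pins the signer's fingerprint rather than trusting any key in the keyring. It assumes `gpg` is installed and the release key is already imported, that `pinned_fpr` is a placeholder for a fingerprint obtained from a trusted source, and the function names are hypothetical.

```python
import os
import subprocess

# Installer sizes quoted in the post above for Notepad++ v8.6.7.
EXPECTED_SIZE = {
    "npp.8.6.7.Installer.exe": 4_701_256,
    "npp.8.6.7.Installer.x64.exe": 4_854_296,
}
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real key).
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2024-05-01 1714521600 0 4 0 1 10 00 "
    + "B" * 40 + "\n"
)


def signer_fingerprint(status_text):
    """Primary-key fingerprint of the one valid signature, else None."""
    found = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAILURES:
            return None
        if fields[1] == "VALIDSIG" and len(fields) >= 12:
            found.append(fields[11].upper())  # primary key fingerprint
    return found[0] if len(found) == 1 else None


def check_installer(path, sig_path, pinned_fpr):
    """Return a list of problems; empty means size and signature both match."""
    problems = []
    want = EXPECTED_SIZE.get(os.path.basename(path))
    if want is None or os.path.getsize(path) != want:
        problems.append("file name or size does not match the v8.6.7 values")
    # --status-fd 1 makes gpg print machine-readable status lines on stdout.
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True)
    if signer_fingerprint(proc.stdout) != pinned_fpr.replace(" ", "").upper():
        problems.append("no valid signature from the pinned release key")
    return problems
```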
