Windows Security reports Electrum installer infected

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: nc50lc on February 08, 2019, 10:27:09 PM

My antivirus never detected anything from it so...

Mine either. Somehow I thought that's obvious that if only 5 of 67 find it then it's a false positive...
But in such cases I can't blame people if they want to be super sure (and check with ThomasV key), especially with the late madness with Electrum..

nc50lc

legendary

Activity: 2534

Merit: 6080

Self-proclaimed Genius

Quote from: NeuroticFish on February 08, 2019, 07:03:23 AM

I don't know if it helps, but I just checked the official electrum setup 3.3.3 with virustotal and 5 of 67 antivirus do detect it as trojan/malware. Similar result is also for the portable version.

Hah! Scan the older versions and you'll get more false positives than that and we've been using it for years.

Obviously false-positives from those "super-aggressive" antivirus software.

Example: Electrum v3.1.3 (Windows Installer Version) https://www.virustotal.com/#/file/4f2e0b548e1a8e7b8cc37b55ef4fdc663f93d20008f5b7948ed8cfafbce9b4c9/detection

Quote

AhnLab-V3: Malware/Gen.Generic.C2472072
Comodo: Malware@#3cz97x1rl7u5q
Fortinet: Riskware/TorJok
Kaspersky: not-a-virus:NetTool.Win32.TorJok.aic
MAX: malware (ai score=76)
Palo Alto Networks: generic.ml
Sophos AV: Generic PUA DO (PUA)
Trapmine: malicious.moderate.ml.score
ZoneAlarm: not-a-virus:NetTool.Win32.TorJok.aic

I never heard of those AV aside from Kapersky which is known for its aggressiveness.
My antivirus never detected anything from it so...

HCP

legendary

Activity: 2086

Merit: 4361

Quote from: tenusertwo on February 08, 2019, 06:56:22 AM

Edit:
easy to reproduce.
just download electrum-3.3.3-setup.exe ,
right click on it -> Scan with Windows Defender

I cannot reproduce this? Huh

I even redownloaded the electrum-3.3.3-setup.exe from electrum.org (checked the digital signature)... and tried scanning with Windows Defender... it doesn't complain about the file or show any viruses/trojans.

I know several users have seen Windows Defender complaining about the Electrum installers, so I am now wondering if my Windows Defender is working properly. Undecided

TryNinja

legendary

Activity: 2758

Merit: 6830

It’s just a false-positive.

Quote from: TryNinja on February 07, 2019, 04:07:14 PM

Don’t worry. That’s most likely just a false positive. Electrum shows as a trojan to a few AVs out there. If you downloaded from electrum.org then you are safe. But, make sure to verify the file signatures before running it.

Here is an tutorial on how to verify the file signature: https://bitcointalksearch.org/topic/how-to-verify-your-electrum-windows-linux-mac-5105901

I made a post talking about this yesterday:

Quote from: TryNinja on February 06, 2019, 01:52:28 PM

Quote from: zetzetzet on February 06, 2019, 12:54:05 PM

Lucius, yeah, just seen that thread.

ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?

Just verify the signatures.

Electrum is commonly acussed as a trojan by a few random AV’s. But that’s just a false-positive. It happens all the time.

Here is Electrum’s “official” explanation:

Quote

"Anti-virus" software uses shitty heuristics to detect malware. PyInstaller is a convenient tool to package python apps. We use PyInstaller. Malware authors use PyInstaller. Everything that uses PyInstaller is detected as malware.

Quote

Anti-virus software have (and always had) false positives, and some of them tag Electrum as malware. This is out of our control. This does not mean that Electrum is or contains malware.

The Windows binaries are signed using the native Windows signing scheme by an entity named Electrum Technologies GmbH. They are also signed using GPG by @ecdsa (ThomasV). The GPG key fingerprint is 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6.

If you trust the developers of the project, you can verify the GPG signature, and ignore any anti-virus warnings.

If you don't trust the developers with not backdooring the binaries, you can (1) build binaries yourself; or (2) you can run from source. Some of the binaries are built reproducibly, so you can also check that those match.

More: https://github.com/spesmilo/electrum/issues/3198#issuecomment-458949319

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

I don't know if it helps, but I just checked the official electrum setup 3.3.3 with virustotal and 5 of 67 antivirus do detect it as trojan/malware. Similar result is also for the portable version.

For the setup I've read somewhere that it's caused by the pyinstaller which is used by many malware.

Edit: if you are certain your system is clean, you should also check the signature to make sure you downloaded the right setup.

tenusertwo

newbie

Activity: 3

Merit: 0

Windows Security reports Electrum installer ( electrum-3.3.3-setup.exe ) infected with Trojan:Win32/Ludicrouz.V
Is it a known issue ?

Windows deleted the file, so I can't double check with checksum. But I downloaded it from electrum.org so pretty sure it's the good one.

screenshot of the report :
https://imgur.com/a/3VqlAxS

Edit:
easy to reproduce.
just download electrum-3.3.3-setup.exe ,
right click on it -> Scan with Windows Defender

Edit2:
I realized Windows did not only delete the installer file, but the whole electrum installation.

Topic: Windows Security reports Electrum installer infected (Read 178 times)