Open CPN 4.2 for Windows flaggged as containing Trojan: Varpes.M!cl by Win Defender

[bjbest]

Windows 10 Defender (up to date) blocked my attempt to install OpenCPN from OpenCPN.org a few minutes ago, identifying opencpn_4.2.0_setup.exe as the location of the problem, and Trojan Varpes.M!cl as the exact malware.

I did a full scan, reboot, and re-downloaded the file, getting the exact same result.

Here's the download link I used (from the opencpn.org site):

http://opencpn.navnux.org/4.2.0/opencpn_4.2.0_setup.exe

Here's the virus description:

https://www.microsoft.com/security/p...ID=-2147258324

I'm guessing this isn't a false alarm, but I am setting up a computer and installing other software, so it's possible this came from a different install. (Not sure where to post it to bring it to the attention of the powers that be, so I created this thread.)

Brad

[bdbcat]

Brad...

Probably a false positive. The MD5 sum of the download whose URL you provided matches that of the archived original distribution, so I doubt the CDN copy has been tampered with. We have received no other indications of virus infection on this image after many thousands of current installations.

Code:

$ md5sum opencpn_4.2.0_setup.exe
e68d6f7fdf304bbf8107ca9a1f0ce923  opencpn_4.2.0_setup.exe

Thanks for checking, though, and keeping us on our toes. Malicious people will not go away on their own. We must be vigilant.

Dave

[bcn]

To help it would be interesting to report a "false positive" to Microsoft

[chrisnmandy]

I just got the exact same thing on my install.

[Opie91]

Same thing here on 4.4

[dbdb]

Yeah, same thing here. Maybe the image needs to be submitted for review or something to MS? How do you resolve a false positive?

[seandepagnier]

maybe just change the program slightly to get a different md5sum?

[Franziska]

Same here. Interesting enough I did not have the issue 3days ago.

Sent from my D5503 using Cruisers Sailing Forum mobile app

[AedanC]

I installed 4.4 when it first came out and got no warning. I then uninstalled 4.4 and reinstalled 4.2. Last night I installed 4.4 again and did get the warning. Windows 10, fully updated in both cases.


Sent from my iPhone using Cruisers Sailing Forum

[rgleason]

Try scanning it with vieustotal.com and post the SHA here. I will then scan it.

[rgleason]

Sorry virustotal.com

[AedanC]

Quote:

Originally Posted by rgleason

Try scanning it with vieustotal.com and post the SHA here. I will then scan it.

I went to do this just now but decided to scan it again with Windows Defender first, just to make sure the problem was still there. Nothing was reported, so I downloaded V4.4 again and this time there were no warnings. Hopefully this means that Windows Defender has updated itself in the meantime and the problem has gone away.

[willemb2]

I had the same problem with 4.4.0 and Windows 10 Defender. Even though virustotal.com said "Microsoft" does not detect it. It is unclear what they mean with "Microsoft" because MS has several antimalware products.

I tried to submit it as a false positive (this is an option under Help in Windows Defender), but they have an upload limit of only 10 MB and this one is 23 MB. You cannot submit something without uploading at least 1 file, so I uploaded a README.TXT with explanation and a link to the opencpn_4.4.0_setup.exe. This morning I got a report: they had scanned my README.TXT and it did not contain any malware. There are a lot of smilies next to this editor window, but not one with smoke coming out of its ears.....

The good news is that as of definitions 1.225.370.0 opencpn_4.4.0_setup.exe is not detected as malware anymore.

[rgleason]

From my cell phone I just checked the win v4.4 download file by going to opencpn download link, pressing the link and selecting copy url from the popup. Then going to virustotal selecting url and pasting in the url of the download file. Then enter and wait for the result.
Here is the result:
SHA256: fe2711422821589855c122489686072bcf0eccb8bc9efbf734 6c3c539e5a42ff
File name: opencpn_4.4.0_setup.exe
Detection ratio: 0 / 53
Analysis date: 2016-07-03 23:46:07 UTC ( 12 hours, 39 minutes ago )

I think the download path you were using had a rogue server that was malicious and changed the file OR it was a false positive.
What this exercise illustrates is that you can even check a file remotely without ever downloading it an risking infection. You can even do this from your cell phone!

[willemb2]

Yesterday I wrote:

Quote:

Originally Posted by willemb2

The good news is that as of definitions 1.225.370.0 opencpn_4.4.0_setup.exe is not detected as malware anymore.

Today I received an email from Microsoft Malware Protection Center with a confirmation that the new definitions were issued to fix this false positive and apologies for the inconvenience.