This repository has been archived by the owner on Jun 16, 2022. It is now read-only.

Ledger Live 2.1.0, 2.2.0, 2.2.3 Installers and Uninstallers for Windows are triggering Windows Defender with Trojan:Win32/Bulta!rfn detection #2822

Closed
d-rez opened this issue Apr 8, 2020 · 16 comments
Labels
important label used to flag a PR as important to be merged in priority (sometimes because dependencies)

Comments

@d-rez

d-rez commented Apr 8, 2020

EDIT from @gre:

The bug has been solved in 2.2.4. Just be aware that if the first time you installed Ledger Live was on 2.2.3 you need to fully uninstall it to correctly recover from the antivirus detection situation.

Here is the diagram we think currently covers everything.

The TLDR is that as soon as you have Ledger Live's Uninstaller being detected as a virus (or it is gone), we recommend uninstalling the Live using a "valid" (not detected as a virus) Uninstaller that we will also distribute on our website soon (meanwhile => https://github.com/LedgerHQ/ledger-live-desktop/releases/download/v2.2.3/Uninstall.Ledger.Live.exe – sha256sum of 0e7245dde4d656758c3f03724e1615239cbe358f1a61db0b3b6326669b5cbd60 )

[diagram: analysis_of_false_positive_uninstaller_issue]


Ledger Live Version and Operating System

  • tested on Ledger Live 2.1.0
  • Platform and version: Win10

Expected behavior

Installer installs software

Actual behavior

Installer gets blocked by Windows Defender:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aWin32%2fBulta!rfn&threatid=2147694403

Steps to reproduce the behavior

  • Download installer from GitHub releases, specifically the Windows installer
  • Launch the installer or go to a folder where it's downloaded to
  • Windows Defender pop-up shows up, threat is marked as "serious" and the file gets deleted

[screenshot of the Windows Defender pop-up]

Note: 2.2.0 installer doesn't trigger this

@d-rez
Author

d-rez commented Apr 10, 2020

On top of that, more resources related to 2.2.0 installation get detected as a Trojan as well:

[screenshot of the additional Defender detections]

@gre
Contributor

gre commented Apr 10, 2020

Thanks for raising this issue.
We think we have fixed it in our upcoming 2.2.3.

@d-rez
Author

d-rez commented Apr 10, 2020

No worries, I know it's not a normal issue, but depending on the platform it could possibly go into a full release unnoticed. Feel free to close once addressed :)

@picatextra

Still detected with 2.2.3

@Dviros

Dviros commented Apr 10, 2020

Can confirm Uninstaller.exe is still triggering Defender with version 2.2.3:
[screenshot of the Defender detection on Uninstaller.exe]

@ftapon

ftapon commented Apr 15, 2020

Same problem.
According to the Ledger folks on Reddit, it's a false positive.

@gre gre added the important label Apr 16, 2020
@gre
Contributor

gre commented Apr 16, 2020

We are working on it: #2860

@ahsbt

ahsbt commented Apr 16, 2020

After installing 2.2.3, my Windows immediately raised the flag for this trojan in the Ledger uninstaller .exe.
The problem became worse when I tried to uninstall Ledger Live: these files (screenshot) were made from A to Z when I finally uninstalled the program (I had to manually allow the uninstaller.exe in Defender to run to be able to uninstall the program; I hope my Windows is not infected, and surely I won't connect my device to the desktop until a solution comes up).
[screenshot of the files created during uninstallation]

@d-rez
Author

d-rez commented Apr 17, 2020

Bracing for a tide of newcomers commenting "me too"

Please just +1 the issue on top, thanks!

@gre so it wasn't the automatic installation thingy? Just a framework update that caused it? Curious!

@d-rez d-rez changed the title Ledger Live 2.1.0 Installer for Windows is triggering Windows Defender with Trojan:Win32/Bulta!rfn detection Ledger Live 2.1.0, 2.2.0, 2.2.3 Installers and Uninstallers for Windows is triggering Windows Defender with Trojan:Win32/Bulta!rfn detection Apr 17, 2020
@d-rez d-rez changed the title Ledger Live 2.1.0, 2.2.0, 2.2.3 Installers and Uninstallers for Windows is triggering Windows Defender with Trojan:Win32/Bulta!rfn detection Ledger Live 2.1.0, 2.2.0, 2.2.3 Installers and Uninstallers for Windows are triggering Windows Defender with Trojan:Win32/Bulta!rfn detection Apr 17, 2020
@gre
Contributor

gre commented Apr 17, 2020

Yes, the issue is due to electron-userland/electron-builder#4793, which upgraded NSIS, which is likely what is flagged by Windows antivirus (false positive).

The issue only affects the Uninstaller, and in the meantime you can use https://github.com/LedgerHQ/ledger-live-desktop/releases/download/v2.2.3/Uninstall.Ledger.Live.exe if you want to uninstall Ledger Live. Unfortunately you MUST uninstall Live if you installed 2.2.3 from scratch, because app updates won't update the Uninstaller; only the first install of Ledger Live does.
So all users that have installed 2.2.3 for the first time need to uninstall it, either by allowing the false positive virus detection or by using that separate uninstaller.

That's why we are now preparing a 2.2.4 to try to minimize the number of users running into this problem. It's already a prerelease at the moment.

thanks

@gre gre pinned this issue Apr 17, 2020
@gre
Contributor

gre commented Apr 17, 2020

2.2.4 was released. Make sure to check the message above. We'll try to document it better next week.

@gre gre closed this as completed Apr 17, 2020
@d-rez
Author

d-rez commented Apr 17, 2020

Thanks! Glad that's sorted :)

btw,

Unfortunately you MUST uninstall Live if you installed 2.2.3 from scratch, because app updates won't update the Uninstaller; only the first install of Ledger Live does.
So all users that have installed 2.2.3 for the first time need to uninstall it, either by allowing the false positive virus detection or by using that separate uninstaller.

Are you sure that's the case? AV removed the uninstaller, and when I installed 2.2.4 over my 2.2.3 install (which was missing the uninstaller due to the above), the uninstaller got recreated just fine and the entry re-appeared in Windows' Add/Remove Apps.

@gre
Contributor

gre commented Apr 17, 2020

Very interesting! I guess it works if the uninstaller was removed before updating, then 🤔 Maybe it's just not copied if it exists. Thanks for your feedback.

@a1exandrovm

Ledger Live Version Ver. 2.0.1, Ver. 2.2.3 on
Windows 7 & Windows 10 64-bit

360 Total Security detects the virus (Generic / Trojan.Downloader.251) in the installation file from your official site. Ledger Live Desktop Ver. 2.0.1, Ver. 2.2.3

On three devices I checked the distribution from your official site, and on all three devices with the pre-installed 360Total Security antivirus, I got a warning.

Additionally, I rechecked your file through the VirusTotal.com and MetaDefender.opswat.com online virus scan services (attached screenshot). These services also give a warning, referring to the Qihoo-360 engine by 360 Total Security. Let me remind you that the previous Ledger Live distribution was installed without problems and without warnings.

Please close this bug so that users can safely install the Ledger Live application update for Windows. After all, the installation package of the previous version was installed well, without threats to the operating system.
[screenshots: 360 Total Security alert and VirusTotal alert for Ledger Live Desktop 2.2.3]

@gre
Contributor

gre commented Apr 20, 2020

The bug is closed and has been solved in 2.2.4. Just be aware that you need to fully uninstall 2.2.3 if it was the version you installed the first time, to correctly recover from the antivirus detection situation.

Here is the diagram we think currently covers everything.

The TLDR is that as soon as you have Ledger Live's Uninstaller being detected as a virus, we recommend uninstalling the Live using a "valid" (not detected as a virus) Uninstaller that we will also distribute on our website soon (but it's going to be https://github.com/LedgerHQ/ledger-live-desktop/releases/download/v2.2.3/Uninstall.Ledger.Live.exe – sha256sum of 0e7245dde4d656758c3f03724e1615239cbe358f1a61db0b3b6326669b5cbd60 )

[diagram: analysis_of_false_positive_uninstaller_issue]
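The advice in the first post and in the comment above both rest on one check: confirming that the separately downloaded uninstaller really has the published SHA-256 before running it. This is an added example, not code from the Ledger Live project; the expected hash is the one quoted above, while the file-path argument and the constructed b"abc" sample in self_check() are assumptions.

```python
import hashlib
import hmac
import sys
import tempfile
from pathlib import Path

# SHA-256 of the standalone uninstaller, as published in this issue thread.
EXPECTED_UNINSTALLER_SHA256 = "0e7245dde4d656758c3f03724e1615239cbe358f1a61db0b3b6326669b5cbd60"

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer is never read whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_download(path, expected_hex=EXPECTED_UNINSTALLER_SHA256):
    """True only if `path` exists and its SHA-256 equals `expected_hex`.

    A missing file (e.g. one Defender already quarantined) fails rather than raises.
    The expected hex is lowercased so a hash pasted in uppercase still matches, and
    compare_digest keeps the comparison from short-circuiting on the first mismatch.
    """
    path = Path(path)
    if not path.is_file():
        return False
    return hmac.compare_digest(sha256_of_file(path), expected_hex.strip().lower())

def self_check():
    """Constructed sample (not a real installer): b"abc" has a well-known SHA-256.
    Returns (match, mismatch, missing) so all three outcomes can be asserted on."""
    abc_sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"abc")
        match = verify_download(sample, abc_sha256.upper())
        mismatch = verify_download(sample)  # the uninstaller's hash is wrong for "abc"
        missing = verify_download(Path(tmp) / "quarantined.exe", abc_sha256)
    return match, mismatch, missing

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "Uninstall.Ledger.Live.exe"
    ok = verify_download(target)
    print(f"{'OK' if ok else 'MISMATCH or missing: do not run'}: {target}")
    sys.exit(0 if ok else 1)
```

Run it as `python verify_uninstaller.py Uninstall.Ledger.Live.exe` in the download folder; a non-zero exit means the file is absent (already quarantined) or is not the binary whose hash was published.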

@gre
Contributor

gre commented Apr 20, 2020

If there is any remaining issue you are facing, even after uninstalling and reinstalling completely, please create a new GitHub issue or contact our tech support. Thanks!

@LedgerHQ LedgerHQ locked as resolved and limited conversation to collaborators Apr 20, 2020
@gre gre unpinned this issue Aug 14, 2020