Easy RSA Flagged as trojan/ransomware

[FabianMMB]

I have tried to set up a VPN Connection for zero trust connection from my laptop to a new server.
Downloading the RSA versions 3.2.3 or 3.2.4 from https://github.com/OpenVPN/easy-rsa/releases is not possible in Chrome or Edge with safe browsing on because they are flagged as malware. Having worked with prior versions and trusting them, I thought nothing of it (false positive) and just deactivated safe browsing for the download. Additionally, it is a new server without any data, so there is nothing dangerous yet.
Lo and behold, windows defender quarantines the downloaded zip-files. Again, I cautiously ignored it and installed it anyways. Now my CyberProtect System also flagged first of all the zip-file again, some cached files from the chrome download and another file in my VPN setup: "C:\Program Files\OpenVPN\easy-rsa\libcrypto-3-x64.dll".
The files are now quarantined and the VPN does not work anymore.

A check with virustotal shows the following:

The zip-file is flagged by 33/68 vendors with the following flags:
Popular threat label: trojan.pigyx/usblh925
Threat categories: trojan, ransomware
Family labels: pigyx, usblh925

The dll-file is flagged by 36/72 vendors with the exact same flags as the zip-file.

Testing this with the zip-file version 3.2.2 has only one vendor flagging it and no files are quarantined by my Cyberprotect.

Why could this be?

[TinCanTech]

Easy-RSA zip files contain executable files in the form of .exe and .dll.

Not only does Chrome block the download but so does Windows Defender.

If you want to download from this repository then you must temporarily lower your security settings and also allow the files to be downloaded.

If you are not prepared to make the required security changes to your device then it is recommended that you download the OpenVPN installer from https://community.openvpn.net/Downloads

The OpenVPN installer comes with Easy-RSA as an optional extra during installation.

[TinCanTech]

The files are now quarantined and the VPN does not work anymore

That is a false claim, the quarantined files have zero impact on the functioning of OpenVPN.

[FabianMMB]

The files are now quarantined and the VPN does not work anymore

That is a false claim, the quarantined files have zero impact on the functioning of OpenVPN.

True, it coincidentally happened at roughly the same time that my VPN crashed and my CyberProtect quarantined the files.

But I am still curious, do you know why only the versions 3.2.3 and 3.2.4 are flagged, but not other versions like 3.2.2?

[TinCanTech]

I do not know why only v3.2.3 and v3.2.4 are blocked. Perhaps the older versions have been white-listed by Chrome.

[FabianMMB]

Alright, thanks for your input!

[TinCanTech]

FTR, only the OpenSSL binaries change between releases, so you could test those on virustotal ...

I'll reopen this for a while, if anybody wants to test those binaries and leave us some feedback

[FabianMMB]

I am going to test them right now, will let you know what the outcome is