This repository has been archived by the owner on Mar 3, 2023. It is now read-only.

Atom detected as malware by antiviruses #3927

Closed
achalatsis opened this issue Oct 22, 2014 · 74 comments
Labels
atom installer windows Issues that occur on Windows but not on other platforms.

Comments

@achalatsis

Atom version: 0.136.0

From atom 0.136.0, the following two files are falsely detected as: Win32:Malware-gen:
atom-0.136.0\build\windows\Setup.exe
atom-0.136.0\build\windows\Update.exe

Avast version: 2015.10.0.2206
Virus signatures version: 141021-0

I will also submit this to avast.

@zcbenz
Contributor

zcbenz commented Oct 23, 2014

@paulcbetts Are Setup.exe and Update.exe signed?

@anaisbetts
Contributor

@zcbenz Yes, they should be in the build

Edit: The final generated Setup.exe is signed in the CI build, the template Setup.exe checked-in isn't signed (since the build process will change it anyways)

@achalatsis
Author

@zcbenz yes they are.

I have reported it to avast as a false positive.

@kevinsawicki kevinsawicki added the windows Issues that occur on Windows but not on other platforms. label Nov 11, 2014
@jcarmena

This is creepy. Are you sure it's safe?
I uploaded .zip to virustotal and 17 of 55 detects something bad:

[screenshot: VirusTotal results for the uploaded .zip]

@anaisbetts
Contributor

It looks like signing the final generated Setup.exe with a Code Signing certificate (which the official Atom CI build does) will cause them all to pass:

Setup.exe and Update.exe are built from https://github.com/Squirrel/Squirrel.Windows (you can build them yourself if you want), and are used to build the installer.

@jcarmena

Great! thank you

@Fammy

Fammy commented Nov 20, 2014

I'm getting (hopefully) a false positive on Atom.exe when installing the new AtomSetup.exe (See Issue #4244) on Sophos Anti Virus.

@anaisbetts
Contributor

@Fammy Can you give us the details of what Sophos claims it is infected with?

@Fammy

Fammy commented Nov 20, 2014

@paulcbetts They claim it is infected with Mal/Behav-027. I submitted a sample of atom.exe to them a few minutes ago. I tested with Release 149 and 150, both AtomSetup.exe installs have the same issue.

@anaisbetts
Contributor

@Fammy Can you submit the AtomSetup.exe too?

@Fammy

Fammy commented Nov 20, 2014

@paulcbetts I cannot, they do not accept files over 30MB.

FWIW, I did not have any issues with the chocolatey install.

@bennor

bennor commented Nov 20, 2014

I'm getting the Sophos error too. It seems to accept the initial installation (an item is created in Programs & Features), but it fails with this message - no doubt because Sophos has deleted its stuff before it can continue:

Program: Starting Squirrel Updater: --install .
Program: Starting install, writing to C:\Users\bmccarthy\AppData\Local\SquirrelTemp
CheckForUpdateImpl: Failed to load local releases, starting from scratch: System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\bmccarthy\AppData\Local\atom\packages\RELEASES'.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
   at Squirrel.Utility.LoadLocalReleases(String localReleaseFile)
   at Squirrel.UpdateManager.CheckForUpdateImpl.<CheckForUpdate>d__28.MoveNext()
CheckForUpdateImpl: Reading RELEASES file from C:\Users\bmccarthy\AppData\Local\SquirrelTemp
CheckForUpdateImpl: First run or local directory is corrupt, starting from scratch
ApplyReleasesImpl: Writing files to app directory: C:\Users\bmccarthy\AppData\Local\atom\app-0.149.0
ApplyReleasesImpl: fixPinnedExecutables: oldAppDirectories is empty, this is pointless
ApplyReleasesImpl: runPostInstallAndCleanup: finished fixPinnedExecutables
IEnableLogger: Failed to invoke post-install: System.UnauthorizedAccessException: Access to the path 'C:\Users\bmccarthy\AppData\Local\atom\app-0.149.0\atom.exe' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
   at Mono.Cecil.ModuleDefinition.GetFileStream(String fileName, FileMode mode, FileAccess access, FileShare share)
   at Mono.Cecil.ModuleDefinition.ReadModule(String fileName, ReaderParameters parameters)
   at Squirrel.SquirrelAwareExecutableDetector.GetAssemblySquirrelAwareVersion(String executable)
   at Squirrel.SquirrelAwareExecutableDetector.GetPESquirrelAwareVersion(String executable)
   at Squirrel.SquirrelAwareExecutableDetector.<>c__DisplayClass5.<GetAllSquirrelAwareApps>b__2(String x)
   at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext()
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Squirrel.SquirrelAwareExecutableDetector.GetAllSquirrelAwareApps(String directory, Int32 minimumVersion)
   at Squirrel.UpdateManager.ApplyReleasesImpl.<invokePostInstall>d__a9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Squirrel.Utility.<LogIfThrows>d__42.MoveNext()

Workaround for me was to kill Sophos (which meant a couple of minutes of Task Manager whack-a-mole with the 2398576928 processes Sophos runs).

@anaisbetts
Contributor

It doesn't like Atom itself? That's bizarre. I'm not surprised that Squirrel is going to have some AV-related nonsense though - effectively, we do look a lot like a trojan, we unpack an executable then run it, which proceeds to install a bunch of other stuff. Just like any other installer technology :)

@Fammy

Fammy commented Nov 21, 2014

Got an email back from Sophos, they've confirmed that atom.exe is not a virus or malware (surprise!). They've done whatever they do and recommend updating Sophos.

[screenshot: Sophos reply]

@bennor

bennor commented Nov 21, 2014

👍

@anaisbetts
Contributor

@Fammy Thanks for submitting it

@50Wliu
Contributor

50Wliu commented Nov 21, 2014

Just going to pop in and say that Avast DeepScreens AtomSetup.exe before it can continue, then it throws a few errors along the way that are sandboxed using AvastNG (I'm not sure if it's Avast throwing them or Squirrel).

@50Wliu
Contributor

50Wliu commented Dec 9, 2014

Avast has been non-stop detecting Update.exe and Squirrel.exe as malware (and moving them to the virus chest even after I've excluded them from being checked, effectively disabling auto-updates), as well as deepscreening Atom before it starts for the first time after upgrading.
EDIT: I've submitted false positive reports for both files as well.

@anaisbetts
Contributor

Thanks @50Wliu - not sure what else we can do here other than recommend people install MS Security Essentials instead of Avast.

@jeffjarchow

squirrel.exe was just removed from my system today by Symantec.cloud. It is their endpoint protection software. Luckily with Symantec it is an easy restore. I have been using atom for a few weeks now and this is the first time it has been reported as a suspicious item.

Version info:

Symantec.cloud - Cloud Agent    2.03.61.2573
Symantec.cloud - Endpoint Protection    NIS-21.5.0.19

Symantec Report:

Threat Name: squirrel.exe
Threat Type: Suspicious item
File Name: c:\users\username\appdata\local\atom\app-0.181.0\squirrel.exe

@BlaM

BlaM commented Apr 22, 2015

Problem still exists. (Same Symantec version as @jeffjarchow)

Date & Time: 4/22/2015 3:00:39 PM
Risk: High
Threat: squirrel.exe (SONAR.Heuristic.120) detected by SONAR
Filename: c:\users\ddeobald\appdata\local\atom\app-0.194.0\squirrel.exe

@Zireael07

I had the similar "suspicious" reports from my Norton 360.
I've learned to ignore them and whitelist apps. It seems Norton likes to detect apps which connect online as "suspicious"...

@anaisbetts
Contributor

> Now Defender blocked it.

Now that's interesting to me. Can you share a screenshot?

@ihorvorotnov

@paulcbetts gave it another try today. Avast still blocks (see screenshot below), but it passed through Defender. IDK what the problem was with it yesterday. Maybe some Win glitch.

Installed, turned Avast back on - works fine so far.

[screenshot: Avast blocking the installer]

P.S.: When you say something like this:

> there is no reason to use 3rd party antivirus with Windows 10, it is already built-in. Windows Defender is a full antivirus application

I suppose you're on *nix / Mac, not using Win on a daily basis and just heard somewhere on the internet that MS made Defender a full-featured built-in antivirus software. The fact is, it's not. It still lacks some essential features, it misses way more threats than freeware Avast Home, its databases are not that good etc. Using good 3rd-party antivirus software is still a good practice.

@anaisbetts
Contributor

> I suppose you're on *nix / Mac, not using Win on a daily basis and just heard somewhere on the internet that MS made Defender a full-featured built-in antivirus software.

I worked on the Windows Kernel at Microsoft, code I wrote is literally built into your operating system, tell me more about how I'm not a real Windows user

@benogle
Contributor

benogle commented Oct 14, 2015

Now now. If either of these things think it's a virus, that is cause for concern. I thought we were passing through Avast at some point?

@anaisbetts
Contributor

@benogle It looks like Evo-Gen is the same kind of generic heuristic as the others - from http://malwaretips.com/blogs/win32evo-gen-susp-virus:

I'm not super concerned with Avast (whether it decides Squirrel is a virus seems to come and go), but Defender blocking us would be a HugeBig problem. We haven't heard of this at Slack at all recently, but it might be worth uploading AtomSetup.exe to Avast's whitelist.

@krimdomu

Same for me with Kaspersky. It prevents the execution of AtomSetup.exe because it thinks it is "PDM:Trojan.Win32.Generic"

@traverse

Since I had the same thing happen to me with Kaspersky I took the liberty to email them about it being a false positive, just received an email back from them and it should be fixed in the next update.

@anaisbetts
Contributor

@traverse Thanks a lot! If other folx can do the same thing, that'd be amazing. Many AV vendors don't let you submit false positives without paying for their product :-/

@ozyman42

ozyman42 commented Nov 19, 2016

This just happened today with me and Norton Security

@jeffwareham

I had this happen for the first time with the new update of Atom in Nov 2016. As above, Norton flagged SONAR.AM.C!g1 as a Trojan/Virus. I kept reading online that I should consider it a false positive, but when I finally removed it, the odd behavior (lagging processes, video-refresh fails, and the slow network behavior) all disappeared. Not sure if it is a virus, but it certainly wreaked havoc with my system.

@Samillion

Samillion commented Dec 2, 2016

Same thing just happened with me. This issue has been opened for a very long time, I hope this is sorted out soon. My tinfoil hat paranoid side is stopping me from using Atom.

2016-12-02 07:43:16	Detected Trojan: HEUR/QVM30.1.0000.Malware.Gen
Details: 
Trojan name: HEUR/QVM30.1.0000.Malware.Gen
Path: C:\Users\Trendafet\AppData\Local\atom\app-1.12.6\resources\app.asar.unpacked\node_modules\pathwatcher\build\Release\pathwatcher.node
2016-12-02 07:43:12	Detected Trojan: HEUR/QVM30.1.0000.Malware.Gen
Details: 
Trojan name: HEUR/QVM30.1.0000.Malware.Gen
Path: C:\Users\Trendafet\AppData\Local\atom\app-1.12.6\resources\app.asar.unpacked\node_modules\text-buffer\node_modules\pathwatcher\build\Release\pathwatcher.node

@50Wliu
Contributor

50Wliu commented Dec 2, 2016

In general this comes and goes as AV vendors tweak their virus-detection mechanisms. For anyone who's experiencing this, please file a false positive report with your vendor.

@Polve

Polve commented Feb 10, 2017

Avira antivirus for windows detects it as malware.

@rezaamya

okay!
then what should we do!?
it will be detected as a virus and Avast will delete the exe file each time!

@Matt-F-95

Avast just deleted Atom from my laptop, it said the infection was IDP.ARES.Generic and it was in the atom update.exe

Is this a false report?

@Swoy

Swoy commented Aug 17, 2017

I can also report that Avast is complaining about a IDP.ARES.Generic infection. However, when running the file against VirusTotal, I get the following results:
[screenshot: VirusTotal scan results for the flagged file]

Where Avast has marked it as safe. Seems the behavior of that file is tagged as unsafe when monitored.
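The two checks that recur in this thread are whether the Squirrel binaries carry a valid code signature (the point @anaisbetts makes about the CI-signed Setup.exe above) and what VirusTotal says about the exact file that was flagged (@Swoy's approach). The script below is an added example for doing both from the affected machine; it is not code from the Atom or Squirrel projects. It assumes the on-disk layout quoted in the thread (%LOCALAPPDATA%\atom\Update.exe and app-<version>\atom.exe, squirrel.exe); the function name and the optional pinned publisher name are also assumptions. Read the publisher CN once from an install you trust and pass it in, rather than accepting whatever name the file on the suspect machine happens to carry.

```powershell
# Added example, not part of Atom or Squirrel. Assumes the Squirrel layout quoted
# in this thread: %LOCALAPPDATA%\atom\Update.exe and app-<version>\{atom,squirrel}.exe.
function Test-SquirrelAppSignatures {
    param(
        [string]$AppRoot = (Join-Path $env:LOCALAPPDATA 'atom'),
        # Publisher CN to pin. Empty by default (assumption: you read it from a
        # known-good install first); when set, any other signer is flagged.
        [string]$ExpectedPublisher = ''
    )

    $targets = @(Join-Path $AppRoot 'Update.exe')
    $targets += @(Get-ChildItem -LiteralPath $AppRoot -Directory -Filter 'app-*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Join-Path $_.FullName 'atom.exe'
            Join-Path $_.FullName 'squirrel.exe'
        })

    foreach ($path in $targets) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # A file that has vanished is the usual footprint of an AV quarantine,
            # which is what the UnauthorizedAccessException in the Sophos log above looks like.
            [pscustomobject]@{ Path = $path; Verdict = 'MISSING (quarantined?)'; Publisher = ''; Sha256 = ''; Lookup = '' }
            continue
        }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # SimpleName returns the CN without hand-splitting a DN that may itself contain commas.
        $publisher = if ($sig.SignerCertificate) {
            $sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        } else { '' }

        $verdict = switch ($sig.Status) {
            'Valid' {
                if ($ExpectedPublisher -and $publisher -ne $ExpectedPublisher) {
                    'SIGNED BY UNEXPECTED PUBLISHER'
                } else { 'OK' }
            }
            'NotSigned' { 'UNSIGNED (do not whitelist)' }
            default     { "BAD SIGNATURE: $($sig.Status)" }
        }

        [pscustomobject]@{
            Path      = $path
            Verdict   = $verdict
            Publisher = $publisher
            Sha256    = $hash
            # Search VirusTotal by hash instead of uploading a 30+ MB installer.
            Lookup    = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
        }
    }
}

# Usage: report first, then pin the publisher string you saw on a trusted machine.
Test-SquirrelAppSignatures | Format-Table -AutoSize
# Test-SquirrelAppSignatures -ExpectedPublisher '<CN from a trusted install>' | Format-Table -AutoSize
```

A valid signature from the expected publisher is what separates a heuristic false positive (the Evo-Gen, SONAR, IDP.Generic family of verdicts in this thread) from a tampered or substituted binary; an unsigned or badly signed file in the app directory is the case to escalate rather than whitelist. The hash lets you compare the file you actually have against the VirusTotal report without trusting the vendor's one-line verdict.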

@sunsp1der

Getting this same problem, though it just says IDP.Generic for me.

@Bru141

Bru141 commented Dec 25, 2017

Also got the continual attack warnings. I'm running "WinPatrolWAR" so I am able to see the executables as they launch and allow or quarantine them. For example, "$r61ixy4.exe" (32-bit) or "$rdqhyb4.exe" (64-bit), which were both launched from the Atom setup.exe file located in the recycle bin. I also noticed my Python program "Anaconda" was trying to run scripts ("anaconda3\scripts\2to3.exe"). When I looked in my Win 7 control panel to uninstall programs I noticed that there was a second program in there installed on the same date as the Atom IDE. It was a "win64 driver updater" made in China. I removed Atom and the Chinese program, and am now scanning for any potential problems with ESET. Thanks for any advice.

@Bru141

Bru141 commented Dec 25, 2017

Update, ESET found no additional threats. I'm bummed about Atom IDE. I loved its simplicity. :-(

@lock

lock bot commented Jun 23, 2018

This issue has been automatically locked since there has not been any recent activity after it was closed. If you can still reproduce this issue in Safe Mode then please open a new issue and fill out the entire issue template to ensure that we have enough information to address your issue. Thanks!

@lock lock bot locked as resolved and limited conversation to collaborators Jun 23, 2018