Kaspersky detects phnode.exe and index.js as trojan horse #1821

Closed
acemi1 opened this issue Aug 31, 2024 · 14 comments
Labels
bug Something isn't working Business critical All hands on deck. SLA now! Security

Comments


acemi1 commented Aug 31, 2024

Describe the bug

I installed your program for the first time and clicked on the default project to learn and suddenly Kaspersky started giving me a warning. Kaspersky warning messages are below.

Event: Malicious object detected
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Started by
Component: System Monitor
Result description: Detected
Type: Trojan horse
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\Ev1_2\AppData\Local\Phoenix Code\src-node
Object name: index.js
Reason: Behavior analysis
Databases version date: Today, 08/31/2024 18:26:00
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Process terminated
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Started by
Component: System Monitor
Result description: Process terminated
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\Ev1_2\AppData\Local\Phoenix Code
Object name: phnode.exe
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Object deleted
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Started by
Component: System Monitor
Result description: Deleted
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\Ev1_2\AppData\Local\Phoenix Code\src-node
Object name: index.js
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Object deleted
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Started by
Component: System Monitor
Result description: File deleted
Type: Trojan horse
Threat level: Informational
Object type: File
Object path: E:\documents\Phoenix Code\Home1\album
Object name: index.html
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Object deleted
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Started by
Component: System Monitor
Result description: File deleted
Type: Trojan horse
Threat level: Informational
Object type: File
Object path: E:\documents\Phoenix Code\Home1\assets\dist\js
Object name: bootstrap.bundle.min.js
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Object deleted
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Started by
Component: System Monitor
Result description: File deleted
Type: Trojan horse
Threat level: Informational
Object type: File
Object path: E:\documents\Phoenix Code\Home1\carousel
Object name: index.html
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Object deleted
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Started by
Component: System Monitor
Result description: File deleted
Type: Trojan horse
Threat level: Informational
Object type: File
Object path: E:\documents\Phoenix Code\Home1\cover
Object name: index.html
MD5: 4D225167DB1C5FF49CFF24C43546C700

Reproduction

No response

Expected behavior

No response

OS, Browser and Phoenix versions

Windows 10

logs or debug stack trace if any

No response

Additional context

No response

@acemi1 acemi1 added the bug Something isn't working label Aug 31, 2024
Member

abose commented Sep 1, 2024

Thanks for reporting the issue @acemi1

The files listed above are just the standard Node.js process that we use. It is exceedingly likely to be a false positive. It looks like it flagged HTML files too when you tried to create a bootstrap project? Can you tell the exact steps you did when this happened?

Did you face this issue with any other apps in your pc?

Author

acemi1 commented Sep 1, 2024

If I remember correctly, about 5 minutes after installing the program, I wanted to view the default project in the internet browser. To do this, I clicked on one of the browser icons at the top of the preview section. Kaspersky gave me a warning immediately. I did not encounter this problem in other applications on my computer.

Member

abose commented Sep 1, 2024

Got it. The files listed above inside C:\Users\Ev1_2\AppData\Local\Phoenix Code are safe, and there is no need to worry about it. It looks like it's a false positive. Let me investigate why it was detected by Kaspersky.

Also how did you end up with the contents in E:\documents\Phoenix Code\Home1\carousel

Was it created with Phoenix? Can you attach the affected files in that folder in this issue? It looks like our node process got flagged when it was trying to access files in that folder.

Author

acemi1 commented Sep 1, 2024

I did not try to access the contents in E:\documents\Phoenix Code\Home1\carousel. (at least not consciously)
After the Kaspersky warning, I deleted the program because Kaspersky deleted the relevant files.
I will try to use the https://phcode.dev/ site.

Member

abose commented Sep 1, 2024

Looks like this may have to do with Phoenix Code using our own signatures for the Node.js binary instead of keeping the original signatures from Node.js. While this has not caused us any issue in the past, with this report, it may be good to fall back to the original signatures from Node.js.

We will be creating an emergency patch release, most likely in a day or two. @acemi1 would you be able to help us verify the fix once we create the new release? Just install the new binaries and see if Kaspersky is happy with it once we have created the new installer?
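The comment above turns on who signed the shipped Node.js binary. As an added example (not code from the Phoenix Code project or from this thread), the PowerShell below lets a user or administrator inspect the Authenticode signature and file hashes of `phnode.exe` at the install path named in the report, and compare the signer with a stock `node.exe` if one is on the PATH. The install path and the presence of a stock Node.js are assumptions; adjust them for your machine.

```powershell
# Added example, not part of the Phoenix Code project: show who signed the
# node binary that the AV flagged, plus its hashes, so the signer can be
# compared with what the vendor says ships in a release.
# Path assumed from the report in this thread; adjust for your install.
$phnode = Join-Path $env:LOCALAPPDATA 'Phoenix Code\phnode.exe'

if (-not (Test-Path -LiteralPath $phnode)) {
    # The AV may already have quarantined or deleted the file.
    Write-Warning "Not found: $phnode"
    return
}

$sig = Get-AuthenticodeSignature -FilePath $phnode

[PSCustomObject]@{
    Path       = $phnode
    Status     = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
    StatusText = $sig.StatusMessage
    Signer     = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    Issuer     = $sig.SignerCertificate.Issuer
    Thumbprint = $sig.SignerCertificate.Thumbprint
    SHA256     = (Get-FileHash -LiteralPath $phnode -Algorithm SHA256).Hash
    MD5        = (Get-FileHash -LiteralPath $phnode -Algorithm MD5).Hash
} | Format-List

# If a stock Node.js is installed, show its signer for a side-by-side check.
$stockNode = Get-Command node.exe -ErrorAction SilentlyContinue
if ($stockNode) {
    $stockSig = Get-AuthenticodeSignature -FilePath $stockNode.Source
    "Stock node.exe ($($stockNode.Source)) signer: $($stockSig.SignerCertificate.Subject) [$($stockSig.Status)]"
} else {
    "No stock node.exe found on PATH; nothing to compare against."
}
```

Record the SHA256 rather than only the MD5 when you file or triage a report like this one: MD5 is useful for matching what the AV console shows, but SHA256 is what most vendor release notes and online scanners key on.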

Author

acemi1 commented Sep 1, 2024

I'd be happy to help.
After installing the new version of the program, please let me know if there's anything I need to do in particular.

Member

abose commented Sep 1, 2024

@acemi1 I am unable to reproduce the issue after installing Kaspersky on our test machines. What is the exact version of Kaspersky you are using? Also, can you try to download a fresh copy of the current installer from phcode.io and see if the issue is still there?

Author

acemi1 commented Sep 1, 2024

Kaspersky Plus 21.18.5.438(a)
After Phoenix opened, the operations I did:
I opened the default project.
I clicked on index.html.
I clicked on Chrome from the internet browser icons in the area I marked with yellow in the screenshot.
That's all the operations I did. Then, as seen in the screenshot, Kaspersky gave a warning and deleted the files.

(screenshot attached: phoenix)

Event: Malicious object detected
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Active user
Component: System Watcher
Result description: Detected
Type: Trojan horse
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\Ev1_2\AppData\Local\Phoenix Code\src-node
Object name: index.js
Reason: Behavior analysis
Databases version date: Today, 09/1/2024 10:15:00
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Process terminated
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Active user
Component: System Watcher
Result description: Process terminated
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\Ev1_2\AppData\Local\Phoenix Code
Object name: phnode.exe
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Object deleted
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Active user
Component: System Watcher
Result description: Deleted
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\Ev1_2\AppData\Local\Phoenix Code\src-node
Object name: index.js
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Object deleted
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Active user
Component: System Watcher
Result description: File deleted
Type: Trojan horse
Threat level: Informational
Object type: File
Object path: E:\documents\Phoenix Code\default project
Object name: index.html
MD5: 4D225167DB1C5FF49CFF24C43546C700

Event: Object deleted
Application: Node.js JavaScript Runtime
User: DESKTOP-B6IE8V3\Ev1_2
User type: Active user
Component: System Watcher
Result description: File deleted
Type: Trojan horse
Threat level: Informational
Object type: File
Object path: E:\documents\Phoenix Code\default project
Object name: script.js
MD5: 4D225167DB1C5FF49CFF24C43546C700

Member

abose commented Sep 1, 2024

@acemi1 Got it, with the steps I was able to repro the problem. Let me investigate the root cause.

Member

abose commented Sep 1, 2024

@acemi1 Can you download this release and verify if the issue is fixed?

  1. Download from https://github.com/abose/wer/releases/download/testkasper/Phoenix.kaspersky.fix.zip
  2. Extract the files. Execute Phoenix Code Experimental Build.exe

This is a beta build with a few unreleased features and is not code signed. It should be fairly stable to use though.
Can you verify if the Kaspersky issue is gone?

Author

acemi1 commented Sep 1, 2024

The problem seems to be solved. Thank you for your interest.

@abose abose added Business critical All hands on deck. SLA now! Security labels Sep 2, 2024
Member

abose commented Sep 2, 2024

A release is planned for this week with the fix.

We consider security issues critical and without your help to isolate the issue and validate the fix, this would have gone unnoticed - and for that, we are very thankful.

We've added your name to the release credits to acknowledge your help. If you would like to modify how your name appears, or prefer to be omitted from the release credits, please let us know by commenting here before September 3rd, @acemi1.
(image attached)

Author

acemi1 commented Sep 2, 2024

Thank you for your interest.

Member

abose commented Sep 3, 2024

Closing as fixed.

@abose abose closed this as completed Sep 3, 2024