
Windows Defender Antivirus quarantined Electrum 3.3.2 for trojan #4986

Closed
Engelberg opened this issue Jan 2, 2019 · 15 comments

Comments

@Engelberg

On Dec 28, I downloaded and installed electrum-3.3.2-setup.exe and confirmed its signature prior to installing.

On Dec 30, Windows Defender Antivirus (Windows 10) quarantined the installer executable saying it had Trojan:Win32/Zpevdo.B and it quarantined the installed executable saying it had Trojan:Win32/Tiggre!plock.

As part of the quarantine, it also removed my shortcuts to the installed executable.

@shsmith
Contributor

shsmith commented Jan 2, 2019

Same thing happened to me. I was able to manually restore from quarantine.

virustotal.com is really unhappy with electrum-3.3.2.exe https://www.virustotal.com/en/file/210e7594a2d50a0594390e6f8455876b05d5cff79ae53353b8e9f170eaf4a2f7/analysis/1546133577/

SHA256: 210e7594a2d50a0594390e6f8455876b05d5cff79ae53353b8e9f170eaf4a2f7
File name: electrum-3.3.2.exe
Detection ratio: 23 / 71

Likely false positive, but I fear some bundled dependency is in fact malicious.

@dabura667
Contributor

I am getting a different hash for the same exe file:

e5bf6cfcb3181c452ea8f0eaab4539a694a60c45bc6fae8fadbb9eb0ac9b44d3

I have verified the GPG sig for the above exe and it verified... soooooo I think @shsmith probably got a bad download.

(Though, the signed exe also had 5 hits: https://www.virustotal.com/en/file/e5bf6cfcb3181c452ea8f0eaab4539a694a60c45bc6fae8fadbb9eb0ac9b44d3/analysis/ )

@dabura667
Contributor

btw I downloaded from here:

https://download.electrum.org/3.3.2/electrum-3.3.2.exe

@shsmith
Contributor

shsmith commented Jan 2, 2019

https://download.electrum.org/3.3.2/electrum-3.3.2.exe is the portable version, I think.
The electrum-3.3.2.exe I am speaking of is the one delivered by electrum-3.3.2-setup.exe.

0350701574cf817469b8ed505892c808b64250d21336806acefae21a14a8939f electrum-3.3.2-setup.exe

@Engelberg
Author

Sha256 of electrum-3.3.2-setup.exe:
0350701574CF817469B8ED505892C808B64250D21336806ACEFAE21A14A8939F

Sha256 of the electrum executable that is in the electrum directory installed by the above installer:
210E7594A2D50A0594390E6F8455876B05D5CFF79AE53353B8E9F170EAF4A2F7

To reiterate, I confirmed electrum-3.3.2-setup.exe against the electrum-3.3.2-setup.exe.asc file.

I am reluctant to run these programs until we can be certain it is a false positive from the virus checker.

@Engelberg
Author

After updating the Windows Defender virus scan definitions on 1/2/2019, it no longer seems to be flagging Electrum for quarantine.

@shsmith
Contributor

shsmith commented Jan 2, 2019

To clarify, there are three different files and three different hashes. These are all the correct sha256 as far as I can tell:

e5bf6cfcb3181c452ea8f0eaab4539a694a60c45bc6fae8fadbb9eb0ac9b44d3  electrum-3.3.2(download).exe
210e7594a2d50a0594390e6f8455876b05d5cff79ae53353b8e9f170eaf4a2f7  electrum-3.3.2(inside-electrum-3.3.2-setup).exe
0350701574cf817469b8ed505892c808b64250d21336806acefae21a14a8939f  electrum-3.3.2-setup.exe

$ ls -l electrum*
-rwxrwxrwx 1 shsmith shsmith 44943864 Dec 21 14:12 'electrum-3.3.2(download).exe'
-rwxrwxrwx 1 shsmith shsmith  6269033 Nov 11  2000 'electrum-3.3.2(inside-electrum-3.3.2-setup).exe'
-rwxrwxrwx 1 shsmith shsmith 30131456 Jan  2 15:06  electrum-3.3.2-setup.exe

The one being flagged is the smallest one, which is delivered to C:\Program Files by the setup program. I also unzipped the electrum-3.3.2-setup.exe and confirmed that inner electrum-3.3.2.exe matches the one that was flagged.

Here are the latest virustotal results:
https://www.virustotal.com/en/file/e5bf6cfcb3181c452ea8f0eaab4539a694a60c45bc6fae8fadbb9eb0ac9b44d3/analysis/

Detection ratio: 5 / 69

https://www.virustotal.com/en/file/210e7594a2d50a0594390e6f8455876b05d5cff79ae53353b8e9f170eaf4a2f7/analysis/

Detection ratio: 23 / 71

https://www.virustotal.com/en/file/0350701574cf817469b8ed505892c808b64250d21336806acefae21a14a8939f/analysis/

Detection ratio: 17 / 68

@dabura667
Contributor

I have verified the sha256 hashes of the below were all signed with ThomasV's GPG key which I know to be his.

03097280a0fbcf25f68dcf05e2f74db4d6decacca7e4365a389be897cb1744ef  Electrum-3.3.2.0-release.apk
51b2a5dd3b0e924a9525dc1da801a87d113050ee109296496e86e6bc396cee6d  Electrum-3.3.2.tar.gz
0baed8b83f24918db8dcbda64dea010c68eadddce4bb8542c525db826a314eb6  Electrum-3.3.2.zip
22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be  electrum-3.3.2-portable.exe
0350701574cf817469b8ed505892c808b64250d21336806acefae21a14a8939f  electrum-3.3.2-setup.exe
815e03a88f9e012ed6a207fa8b0f525819288d2460cb4e143d44791e8c212eaa  electrum-3.3.2.dmg
e5bf6cfcb3181c452ea8f0eaab4539a694a60c45bc6fae8fadbb9eb0ac9b44d3  electrum-3.3.2.exe

Obviously you should verify for yourself. But just to add some redundancy.
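The verification dabura667 and Engelberg describe, scripted as one check. This is an added example, not code from the thread or from the Electrum project: it runs `gpg --verify` with machine-readable status output and pins the signer's fingerprint (a "Good signature" line alone only proves that some key in your keyring signed the file), then recomputes SHA256 for every file named in a signed list and reports OK, MISMATCH or MISSING per file. The thread never prints ThomasV's fingerprint, so the fingerprints, file names and digests used in the sample are constructed placeholders; supply the fingerprint you have verified out of band.

```python
"""Verify a release download as the commenters above do: check the detached GPG
signature while pinning the signer's fingerprint, then compare SHA256 digests of
the files on disk with the signed list. Added example, not Electrum project code.
Assumed: the .asc signature sits beside the download, gpg is on PATH, and the
caller supplies the fingerprint to pin (the thread never prints ThomasV's
fingerprint; every fingerprint, file and digest below is a constructed placeholder)."""
import hashlib
import os
import subprocess
import tempfile

# gpg status tags that mean the signature must be rejected outright.
FATAL_TAGS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def parse_gpg_status(status_lines, pinned_fingerprint):
    """Decide from `gpg --status-fd` lines whether the pinned key made the signature.
    gpg's human-readable "Good signature" only says *some* key in the local keyring
    signed the file. VALIDSIG carries the signing key's fingerprint (and, for a
    subkey, the primary key's fingerprint as its last field). Returns (ok, reason)."""
    pinned = pinned_fingerprint.replace(" ", "").upper()
    seen = set()
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in FATAL_TAGS:
            return False, tag
        if tag == "VALIDSIG":
            seen.add(fields[2].upper())          # signing (sub)key fingerprint
            if len(fields) >= 12:
                seen.add(fields[11].upper())     # primary key fingerprint
    if not seen:
        return False, "NO_VALIDSIG"
    return (True, "VALIDSIG") if pinned in seen else (False, "WRONG_KEY")

def gpg_verify(sig_path, file_path, pinned_fingerprint):
    # --status-fd 1 puts the machine-readable lines on stdout; human text stays on stderr.
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True)
    return parse_gpg_status(proc.stdout.splitlines(), pinned_fingerprint)

def parse_sha256sums(text):
    """Parse 'hexdigest  filename' lines (the list format posted above; also sha256sum's)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.strip().lstrip("*")] = digest.lower()   # '*' marks sha256sum binary mode
    return expected

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_files(directory, expected):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'}. Hex compares case-insensitively:
    Windows tools print uppercase, the signed list is lowercase, the value is the same."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == digest.lower() else "MISMATCH"
    return results

# Constructed gpg status output; the fingerprints are placeholders, not real keys.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2018-12-20 1545264000 0 4 0 1 10 00 " + "B" * 40,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

def demo():
    """Stand-alone run over constructed files: needs neither network nor gpg."""
    with tempfile.TemporaryDirectory() as d:
        for name, payload in (("good.exe", b"release payload"), ("bad.exe", b"tampered payload")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(payload)
        good_hex = hashlib.sha256(b"release payload").hexdigest()
        sums = "\n".join([
            good_hex.upper() + "  good.exe",   # uppercase, as a Windows tool prints it
            good_hex + "  bad.exe",            # on-disk file differs from the signed digest
            "0" * 64 + "  missing.exe",
        ])
        return check_files(d, parse_sha256sums(sums))

if __name__ == "__main__":
    print(demo())
    print(parse_gpg_status(SAMPLE_STATUS, "B" * 40))
```

For a real download, call gpg_verify("electrum-3.3.2-setup.exe.asc", "electrum-3.3.2-setup.exe", pinned) first and only then hash the installed files; the reason string tells you whether the failure was a bad signature, a missing key, or a valid signature from a key you did not pin, which are very different situations.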

@du2zy

du2zy commented Jan 3, 2019

Can anybody explain the situation? Is electrum insecure?

@SomberNight
Member

Probably related to #3198
Electrum 3.3.x started using PyInstaller 3.4; maybe that's to do with the increased "detection ratio"

Can anybody explain the situation?

"Anti-virus" software uses shitty heuristics to detect malware. PyInstaller is a convenient tool to package python apps. We use PyInstaller. Malware authors use PyInstaller. Everything that uses PyInstaller is detected as malware.

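A triage step that follows from SomberNight's explanation, as an added example (not code from the thread, from Electrum or from PyInstaller): confirm that the flagged binary really is a PyInstaller onefile bundle by locating and parsing the PyInstaller cookie appended to the executable. The parser relies on the public PyInstaller 3.x archive layout (a fixed magic string followed by an 88-byte cookie); the "executable" it runs on is constructed inline and is not a real Electrum build.

```python
"""Confirm that an executable is a PyInstaller onefile bundle and read its cookie.
Added example, not Electrum or PyInstaller project code. It relies on the public
PyInstaller archive layout: the magic `MEI\\x0c\\x0b\\x0a\\x0b\\x0e` opens a cookie
(3.x layout, struct '!8sIIii64s': magic, package length, TOC offset, TOC length,
Python version, Python DLL name). The cookie ends the appended archive, but an
Authenticode signature or other data may follow it, so the magic is searched for
from the end of the file rather than read at a fixed offset."""
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE = struct.Struct("!8sIIii64s")   # 88 bytes, big-endian

def find_pyinstaller_cookie(data: bytes):
    """Return a dict describing the bundle, or None if no plausible cookie is present."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE.size > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = COOKIE.unpack_from(data, pos)
    # The bootloader locates the archive by measuring back from the end of the cookie.
    archive_start = pos + COOKIE.size - pkg_len
    # Reject a stray magic string: the archive must lie inside the file and the TOC inside it.
    if archive_start < 0 or toc_off < 0 or toc_len < 0 or toc_off + toc_len > pkg_len:
        return None
    return {
        "archive_start": archive_start,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        # 3.x stores major*10 + minor (36 == Python 3.6); unambiguous only for minor < 10.
        "python_version": f"{pyvers // 10}.{pyvers % 10}",
        "python_lib": pylib.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "trailing_bytes": len(data) - (pos + COOKIE.size),   # e.g. a code-signing blob
    }

def scan_file(path):
    """Apply the check to a file on disk, e.g. the quarantined electrum-3.3.2.exe."""
    with open(path, "rb") as f:
        return find_pyinstaller_cookie(f.read())

def build_sample_bundle():
    """Constructed stand-in for an executable: fake PE header, 100-byte archive whose
    last 40 bytes play the TOC, a cookie, then 16 trailing bytes standing in for a
    signature. Not a real Electrum binary."""
    header = b"MZ" + b"\x00" * 200
    archive = b"\x01" * 60 + b"T" * 40
    cookie = COOKIE.pack(PYINSTALLER_MAGIC, len(archive) + COOKIE.size, 60, 40, 36, b"python36.dll")
    return header + archive + cookie + b"\xAA" * 16

def demo():
    return find_pyinstaller_cookie(build_sample_bundle())

if __name__ == "__main__":
    print(demo())
    print(find_pyinstaller_cookie(b"MZ plain executable with no archive"))  # None
```

A parsed cookie naming a python3x.dll supports the bundled-interpreter explanation for the detections, but it says nothing about whether the Python payload inside is benign; that is what the signature and hash checks against the signed release list are for.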
@du2zy

du2zy commented Jan 4, 2019

Can I repeat the build process for Windows?

Where are the instructions?

I want to manually build the Windows release and compare it with the one downloaded from electrum.org.

I need the versions of the compilers, libraries, dependencies, etc. that were used.

@pm73

pm73 commented Jan 4, 2019

@du2zy Instructions are in the repository:
https://github.com/spesmilo/electrum/tree/master/contrib/build-wine/docker

The easiest way would probably be to use Linux, not Windows.

@zer0trst

zer0trst commented Jan 6, 2019

I'm getting a report of Trojan.GenericKD.40875564 in my AV, which is reported at VirusTotal as well, when uploading electrum-3.3.2-setup.exe downloaded from https://download.electrum.org/3.3.2/

I also get this detection in my browser's cache after downloading the file.

  C:\Users\ >USER< \AppData\Local\Mozilla\Firefox\Profiles\9v35uttg.default-1531366618453\cach
  \entries\813218673042E2CF56722738229FA97D93294DAE=>(NSIS o)=>lzma_solid_nsis0037
  
  Trojan.GenericKD.40875564

  Infected

I have verified the signatures as well and the file checks out fine but this trojan report is a little concerning given the climate around Electrum right now. It would be good to have an official answer on this.

@ecdsa
Member

ecdsa commented Jan 9, 2019

@zer0trst Antivirus software often reports false positives. This is out of our control.

@SomberNight
Member

merging this issue into #3198
