Windows Defender Antivirus quarantined Electrum 3.3.2 for trojan #4986
Comments
Same thing happened to me. I was able to manually restore from quarantine. virustotal.com is really unhappy with electrum-3.3.2.exe https://www.virustotal.com/en/file/210e7594a2d50a0594390e6f8455876b05d5cff79ae53353b8e9f170eaf4a2f7/analysis/1546133577/
Likely a false positive, but I fear some bundled dependency is in fact malicious.

I am getting a different hash for the same exe file: e5bf6cfcb3181c452ea8f0eaab4539a694a60c45bc6fae8fadbb9eb0ac9b44d3. I have verified the GPG sig for the above exe and it verified... soooooo I think @shsmith probably got a bad download. (Though the signed exe also had 5 hits: https://www.virustotal.com/en/file/e5bf6cfcb3181c452ea8f0eaab4539a694a60c45bc6fae8fadbb9eb0ac9b44d3/analysis/ )

btw I downloaded from here:

https://download.electrum.org/3.3.2/electrum-3.3.2.exe is the portable version, I think.

Sha256 of electrum-3.3.2-setup.exe:
Sha256 of the electrum executable that is in the electrum directory installed by the above installer:
To reiterate, I confirmed electrum-3.3.2-setup.exe against the electrum-3.3.2-setup.exe.asc file. I am reluctant to run these programs until we can be certain it is a false positive from the virus checker.

After updating the Windows Defender virus scan definitions on 1/2/2019, it no longer seems to be flagging Electrum for quarantine.

To clarify, there are three different files and three different hashes. These are all the correct sha256 as far as I can tell:
The one being flagged is the smallest one, which is delivered to C:\Program Files by the setup program. I also unzipped the electrum-3.3.2-setup.exe and confirmed that the inner electrum-3.3.2.exe matches the one that was flagged. Here are the latest virustotal results:

I have verified that the sha256 hashes of the below were all signed with ThomasV's GPG key, which I know to be his.
Obviously you should verify for yourself. But just to add some redundancy.

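The checks the commenters above describe, comparing a download's SHA-256 against the published digest and verifying the detached `.asc` signature with a key you already trust, as a POSIX shell script. This is an added example, not code from the Electrum project or from anyone in this thread; the file names, the keyring path `./electrum-release.kbx` and the hash constants are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Electrum project or from this thread.
# Two checks: SHA-256 of a downloaded file against an expected digest, and a
# detached GPG signature against a dedicated keyring. Names and constants
# below are constructed for the example.

set -u

# Print the SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's SHA-256 equals the expected hex digest.
# Comparison is case-insensitive so a copy-pasted uppercase digest still works.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $1"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# Succeed only if gpg reports a good signature over $1 by a key in keyring $3,
# using the detached signature $2 (the .asc file published next to the release).
# Pointing gpg at a dedicated keyring that holds just the release-signing key
# means a signature from some other key you happen to have imported is not accepted.
verify_gpg_sig() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Demonstration on a constructed file: the right digest passes, a wrong one fails.
demo() {
    tmp=$(mktemp -d)
    printf 'abc' > "$tmp/electrum-3.3.2.exe"   # constructed stand-in, not the real binary
    good=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad   # SHA-256("abc")
    bad=0000000000000000000000000000000000000000000000000000000000000000
    if verify_sha256 "$tmp/electrum-3.3.2.exe" "$good"; then ok=1; else ok=0; fi
    if verify_sha256 "$tmp/electrum-3.3.2.exe" "$bad"; then rejected=0; else rejected=1; fi
    rm -rf "$tmp"
    # Real use, with the signature and a keyring holding only the release key
    # (keyring path is an assumed example name):
    #   verify_gpg_sig electrum-3.3.2.exe electrum-3.3.2.exe.asc ./electrum-release.kbx
    [ "$ok" -eq 1 ] && [ "$rejected" -eq 1 ]
}

demo
```

`gpg --verify` exits 0 when the signature is valid and the signing key is present; it does not tell you the key belongs to the release signer, which is why the key itself must be obtained and checked out of band, as the comment above does by recognising ThomasV's key.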
Can anybody explain the situation? Is electrum insecure?

Probably related to #3198
"Anti-virus" software uses shitty heuristics to detect malware. PyInstaller is a convenient tool to package python apps. We use PyInstaller. Malware authors use PyInstaller. Everything that uses PyInstaller is detected as malware.

Can I repeat the build process for Windows? Where are the instructions? I want to manually build the Windows release and compare it with the one downloaded from electrum.org. I need the versions of the compilers, libraries, dependencies, etc. that were used.

@du2zy Instructions are in the repository:
The easiest way would probably be to use Linux, not Windows.

I'm getting a report of
I also get this detection in my browser's cache after downloading the file.
I have verified the signatures as well and the file checks out fine, but this trojan report is a little concerning given the climate around Electrum right now. It would be good to have an official answer on this.

@zer0trst Antivirus software often reports false positives. This is out of our control.

Merging this issue into #3198.

On Dec 28, I downloaded and installed electrum-3.3.2-setup.exe and confirmed its signature prior to installing.
On Dec 30, Windows Defender Antivirus (Windows 10) quarantined the installer executable saying it had Trojan:Win32/Zpevdo.B and it quarantined the installed executable saying it had Trojan:Win32/Tiggre!plock. As part of the quarantine, it also removed my shortcuts to the installed executable.