Virus Trojan:Win32/Tnega!MSR report from Microsoft Defender on v1.2.2 release #5378

Open
charstnut opened this issue Dec 1, 2023 · 13 comments

@charstnut

Operating System

Windows

(Linux only) Distribution

No response

(Linux only) Desktop Environment

No response

(Linux Only) Display Server

None

Installation Method

Official release exe (not portable)

Xournal++ Version

1.2.2

libgtk Version

3.24.39

Bug Description

Windows Defender reports the installer as a malicious file (Trojan:Win32/Tnega!MSR).
I have tested on VirusTotal and Trapmine also reports the installer as malicious. Is this a false positive?
Thanks!

Expected Behaviour

The installer is reported as safe.

Steps to Reproduce

1. Download the Windows installer zip file
2. Extract the exe
3. Windows Defender outputs the warning

Additional Context

No response

charstnut added the bug label Dec 1, 2023
@eldipa

eldipa commented Dec 3, 2023

I'm not familiar with the building process and I'm not a Windows user so I cannot say if it is a false positive or not. For some additional context, I tested with VirusTotal other versions of Xournal++ for Windows. These are the results:

  • release 1.1.0: clean (report)
  • release 1.2.0: clean (report)
  • release 1.2.1: flagged with Trapmine Malicious.moderate.ml.score (report)
  • release 1.2.2: flagged with Trapmine Malicious.moderate.ml.score and Microsoft Trojan:Win32/Tnega!MSR (report)
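
The per-release comparison above, done programmatically, as an added example that is not part of this thread or of Xournal++: a small Python script that lists which engines flag a build, gives the "N/M" ratio, and diffs detections between two builds. The report dictionaries are constructed to mirror the shape of VirusTotal's v3 `last_analysis_results` (engine name mapped to a `category` and a `result` detection name); only the Microsoft and Trapmine verdicts are taken from the thread, the third engine is filler, and a real report would be fetched from the API rather than embedded. The `ml_only` rule of thumb is this example's own heuristic, not a VirusTotal field.

```python
# Added example (not Xournal++ code): summarise and diff antivirus verdicts
# between two builds, the way the per-release comparison above was done by hand.
from typing import Dict, Optional, Set, Tuple

# One VirusTotal-style report: engine name -> {"category": ..., "result": ...}.
# "category" is the engine's verdict class; "result" is the detection name.
Report = Dict[str, Dict[str, Optional[str]]]

# Categories that count as a detection; everything else is treated as clean.
FLAGGING = {"malicious", "suspicious"}


def _verdict(category: str, result: Optional[str] = None) -> Dict[str, Optional[str]]:
    return {"category": category, "result": result}


# Constructed sample reports with three engines each. Only the Microsoft and
# Trapmine verdicts come from the thread; "ESET-NOD32" is filler.
REPORTS: Dict[str, Report] = {
    "1.2.0": {
        "Microsoft": _verdict("undetected"),
        "Trapmine": _verdict("undetected"),
        "ESET-NOD32": _verdict("undetected"),
    },
    "1.2.1": {
        "Microsoft": _verdict("undetected"),
        "Trapmine": _verdict("malicious", "Malicious.moderate.ml.score"),
        "ESET-NOD32": _verdict("undetected"),
    },
    "1.2.2": {
        "Microsoft": _verdict("malicious", "Trojan:Win32/Tnega!MSR"),
        "Trapmine": _verdict("malicious", "Malicious.moderate.ml.score"),
        "ESET-NOD32": _verdict("undetected"),
    },
}


def flagged_engines(report: Report) -> Dict[str, str]:
    """Engines that flag the file, mapped to their detection name."""
    return {
        engine: (verdict.get("result") or "")
        for engine, verdict in report.items()
        if verdict.get("category") in FLAGGING
    }


def detection_ratio(report: Report) -> str:
    """The 'N/M' figure VirusTotal shows: flagging engines over engines run."""
    return f"{len(flagged_engines(report))}/{len(report)}"


def diff_detections(old: Report, new: Report) -> Tuple[Set[str], Set[str]]:
    """(engines that started flagging, engines that stopped flagging)."""
    before, after = set(flagged_engines(old)), set(flagged_engines(new))
    return after - before, before - after


def ml_only(report: Report) -> bool:
    """True when every detection name looks like an ML/heuristic score.

    Rule of thumb assumed by this example: a dotted component of the name is
    'ml', 'heur' or 'heuristic' (e.g. 'Malicious.moderate.ml.score').
    """
    names = list(flagged_engines(report).values())
    return bool(names) and all(
        any(part.lower() in {"ml", "heur", "heuristic"}
            for part in name.replace(":", ".").split("."))
        for name in names
    )


def summarize(version: str, report: Report) -> str:
    """One line per release, in the style of the list above."""
    flagged = flagged_engines(report)
    if not flagged:
        return f"release {version}: clean ({detection_ratio(report)})"
    parts = ", ".join(f"{engine} {name}" for engine, name in sorted(flagged.items()))
    return f"release {version}: flagged {detection_ratio(report)}: {parts}"


if __name__ == "__main__":
    versions = list(REPORTS)
    for version in versions:
        print(summarize(version, REPORTS[version]))
    for prev, cur in zip(versions, versions[1:]):
        added, removed = diff_detections(REPORTS[prev], REPORTS[cur])
        print(f"{prev} -> {cur}: new detections {sorted(added)}, dropped {sorted(removed)}")
```

A low ratio made up of ML-score names is the usual signature of a heuristic false positive, but the diff is what matters for a release: a detection that appears in one version and not in a rebuild of the same version points at the artefact, not the source.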

@gchait

gchait commented Dec 3, 2023

FYI anyone interested in a working product regardless of potential security risks, scoop install xournalpp@1.2.1 does not trigger Microsoft Defender.

@rolandlo
Member

rolandlo commented Dec 5, 2023

Thanks @eldipa for the reports. The official release builds are automatically built on Microsoft's Azure Pipelines from source, and Microsoft Defender is the only one complaining about a Trojan contained in the Windows installer. All the binaries for the 1.2.2 release have the same timestamp (Oct 14, 12:43 PM GMT+2), so it doesn't look like someone uploaded a different installer than the one built on Azure Pipelines. Unfortunately the assets built on Azure Pipelines are only stored for a couple of days, so we can't check directly if the file has been modified in the meantime.

The nightly build has a clean report by the way. So maybe use the nightly build if you are worried that the 1.2.2 installer might be infected.
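
The gap described above (CI artefacts expire, so a published asset can no longer be compared with what CI actually built) is closed by recording checksums at build time. The following is an added example, not Xournal++ project code or its Azure pipeline: it writes a SHA256SUMS-style manifest in the `sha256sum` text format (hex digest, two spaces, file name) from a build directory, and later verifies a download directory against it, reporting OK, MISMATCH or MISSING per asset. The asset names and contents are constructed in a temporary directory; the file names are placeholders, not the real release asset names.

```python
# Added example (not Xournal++ code or its Azure pipeline): record SHA-256
# checksums of build outputs at build time and verify downloaded release
# assets against them later, after the CI artefacts themselves have expired.
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Iterable

HEX = set("0123456789abcdefABCDEF")


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(build_dir: Path, names: Iterable[str]) -> str:
    """SHA256SUMS text in the `sha256sum` format: '<hex digest>  <file name>'."""
    return "".join(f"{sha256_of(build_dir / name)}  {name}\n" for name in sorted(names))


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected digest. Accepts the text ('  ') and binary
    (' *') separators sha256sum emits; malformed lines raise instead of being
    skipped, so a truncated manifest cannot silently verify as 'all OK'."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rest = line.partition(" ")
        name = rest.lstrip(" *")
        if not sep or len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def verify_manifest(manifest: str, download_dir: Path) -> Dict[str, str]:
    """Per-asset status: OK, MISMATCH (bytes differ) or MISSING (not present)."""
    status: Dict[str, str] = {}
    for name, expected in parse_manifest(manifest).items():
        candidate = download_dir / name
        if not candidate.is_file():
            status[name] = "MISSING"
        elif hmac.compare_digest(sha256_of(candidate), expected):
            status[name] = "OK"
        else:
            status[name] = "MISMATCH"
    return status


def demo() -> Dict[str, str]:
    """Constructed scenario (placeholder names and contents): CI produced three
    assets; on the release page the installer has different bytes, the portable
    build is unchanged and the source tarball was never uploaded."""
    installer = "xournalpp-windows-installer.zip"
    portable = "xournalpp-windows-portable.zip"
    source = "xournalpp-source.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        ci, release = Path(tmp) / "ci", Path(tmp) / "release"
        ci.mkdir()
        release.mkdir()
        (ci / installer).write_bytes(b"NSIS installer as built by CI")
        (ci / portable).write_bytes(b"portable build as built by CI")
        (ci / source).write_bytes(b"source tarball")
        manifest = write_manifest(ci, [installer, portable, source])
        (release / installer).write_bytes(b"NSIS installer with other bytes")
        (release / portable).write_bytes(b"portable build as built by CI")
        return verify_manifest(manifest, release)


if __name__ == "__main__":
    for name, result in sorted(demo().items()):
        print(f"{result:9s} {name}")
```

The manifest only helps if its reference copy cannot be swapped together with the asset: print it in the CI log or sign it, rather than relying solely on a copy uploaded as one more release asset.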

@bhennion
Contributor

bhennion commented Dec 5, 2023

(I think) I launched a new build of the 1.2.2 version
https://dev.azure.com/xournalpp/xournalpp/_build/results?buildId=29347&view=results
It'll take a while to complete, but then we can test the generated installers

@Febbe
Collaborator

Febbe commented Dec 5, 2023

The portable version is also unflagged: https://www.virustotal.com/gui/file/80532b9b153bf73fc7bb240543760ba4b7b797a7ca811ba8782f0e85e4134095
There might be an issue with NSIS; they already have a wiki page about false positives: https://nsis.sourceforge.io/NSIS_False_Positives

@bhennion
Contributor

bhennion commented Dec 5, 2023

> (I think) I launched a new build of the 1.2.2 version https://dev.azure.com/xournalpp/xournalpp/_build/results?buildId=29347&view=results It'll take a while to complete, but then we can test the generated installers

The newly generated artefact is clean, according to Virustotal

@bhennion
Contributor

bhennion commented Dec 5, 2023

Does anyone know how to replace the artefact on the release page?

@rolandlo
Member

rolandlo commented Dec 5, 2023

Can't you just click on the edit button on the releases page
[screenshot]
and then remove the old artefact
[screenshot]
and add the new one?
[screenshot]

@bhennion
Contributor

bhennion commented Dec 5, 2023

Indeed you can! (but it does not work if the new asset has the same name as the one you remove. You need to apply your changes and then rename the new artefact)
It's done. @charstnut Could you download the new version available on the release page
https://github.com/xournalpp/xournalpp/releases/tag/v1.2.2
It should be clean now.

@charstnut
Author

Thank you all! I can confirm that the latest windows version is clean.

@Yohanners

Hello, I'm going to use this thread while it is still open instead of creating a new one.
I was having the same problem, but with a different virus.
When I tried to install Xournal++ for Windows from the site, Windows Defender screamed virus:

Trojan:Win32/Vigorf.A
Is it fixed? Is it safe to download?

@Febbe
Collaborator

Febbe commented Dec 6, 2023

Most likely a false positive. We can't do much about it, unfortunately; the antivirus vendors analyze files in their cloud, and when they detect code paths which are similar to those used by truly malicious software, the AI may classify the file as malicious too.
The only thing we can do is contact the vendor.

Steps you can take:
  • https://www.microsoft.com/en-us/wdsi/defenderupdates
  • Upload the file to VirusTotal and flag it as safe.
  • Upload the file to the vendor and flag it as safe.

Sources for false positives:
https://stackoverflow.com/questions/48833995/nsis-installer-vs-windows-10-defender-block-and-message-about-trojan-win32-spr
https://nsis.sourceforge.io/NSIS_False_Positives
