Kaspersky Internet Security reports 3.8 release contains Trojan.Multi.GenAutorunReg.A #141

Open
pskerr opened this issue Dec 10, 2016 · 15 comments


@pskerr

pskerr commented Dec 10, 2016

n/t

@jansokoly
Collaborator

Please attach a screenshot.
Did you do a new installation from *.msi or update from a previous version using the built-in updater?

@pskerr
Author

pskerr commented Dec 10, 2016

It was picked up when automatically downloading the update, and I also downloaded the zip file from here and scanned it to double check. Also picked up there.

@pskerr
Author

pskerr commented Dec 10, 2016

[Image: screen1]
[Image: screen2]

@shellscape
Owner

ran the installer through https://scan.kaspersky.com and it reported the same.

@shellscape
Owner

edited the release, added a note about the possible infection, and marked it as a pre-release. @jansokoly highly recommend scanning your local machine :)

@jansokoly
Collaborator

From the name of the "trojan" being HEUR:Trojan.Win32.Generic, I assume it's just a Kaspersky false positive based on some overprotective heuristic, probably identifying the update mechanism as a trojan.

I recommend checking the file with more than just one antivirus before mocking. https://www.virustotal.com/en/file/a7726321acf1e45ad8f724529bd036e4b19ffd88ba496eba7648160d6effdc41/analysis/

@pskerr
Author

pskerr commented Dec 10, 2016

That's why I put both screenshots in there, once loaded in memory, it was more specific. I definitely leave it up to you guys as to how you want to handle it, though.

@shellscape
Owner

@jansokoly I didn't read the messages as anyone mocking you. hopefully you don't think that. I only edited that release to pre-release as a precaution. if you feel that this is a false positive, please do change it to full release. total faith in you bud!

@pneuschwander

Greetings.
I got the update via built-in "AutoUpdater" (a feature that can't be disabled? - found no option in settings)
The "behavioral analysis" of G Data InternetSecurity jumped in and reported suspicious actions:

The program connects to a network.
The program has created or manipulated an executable file.
The program has tried to delete its own program file.
The program tried to change the name of its own program file.
The program has tried to move its own program file.

I was asked whether I want to allow or deny those actions.
The .exe itself is reported to be clean. Just the behavioral thing when the update was applied automatically.

Seems to be a false positive.

@jansokoly Thank you for maintaining the application!

@shellscape
Owner

thanks for investigating @regmebaby

@pskerr
Author

pskerr commented Dec 11, 2016

I'll go ahead and close the issue.

@pskerr pskerr closed this as completed Dec 11, 2016
@pskerr
Author

pskerr commented Dec 11, 2016

@shellscape @jansokoly Well, I'll keep it closed, because there's no need to scare the world, but I can't even get Kaspersky to whitelist your file. I won't be able to run this without changes. Want me to create an "incompatibility" issue?

@jansokoly
Collaborator

@pskerr I'm not familiar with Kaspersky, but they seem to have a form to report false positives here: https://newvirus.kaspersky.com
Not sure if we can do anything other than submit the URL to the installer (https://github.com/shellscape/Gmail-Notifier-Plus/releases/download/v3.8/Gmail-Notifier-Plus-3.8.msi) via that form.

@shellscape
Owner

Received an email from a user with HitmanPro, claiming there was a trojan in the update:

Hi, I've been using Gmail Notifier Plus for some time now and like it. HitmanPro is saying, however, that there is a Trojan in the files after the most recent update. Do you have any information on this?

I'm no longer on Windows and don't have access to it, so I cannot verify.

@shellscape shellscape reopened this Dec 16, 2016
@shellscape
Owner

shellscape commented Dec 16, 2016

I've performed a multiclient online scan, and a scan on Sophos for Mac, with only hits on Kaspersky clients and clients which depend on Kaspersky data:

[Image: scan]
[Image: scan]

These results point to false positives. Will leave the issue open for additional input. It also looks like this is not an isolated incident. https://forum.kaspersky.com/index.php?showtopic=360642
