Joplin-Setup-2.5.10.exe might have a virus?

I think that there might be problems with the file Joplin-Setup-2.5.10.exe on the page Release v2.5.10 · laurent22/joplin · GitHub

Another user had the same problem and reported it on the Joplin Discord Channel.

STEPS TAKEN:

Updated my Windows 10 Security.
Downloaded the file with Firefox.
Scanned the file in my downloads folder, no threats found.

Installed Opera.
Downloaded the file with Opera.
Download interrupted with message: "Interrupted: Virus detected".
Windows 10 Security blocked and quarantined the file.

Uninstalled Opera.

Downloaded the file with Firefox.
Windows 10 Security blocked and quarantined the file.

Downloaded the file with Google Chrome.
Windows 10 Security blocked and quarantined the file.

CONCLUSION:

There might be problems with the file Joplin-Setup-2.5.10.exe on the page Release v2.5.10 · laurent22/joplin · GitHub.

The only strange thing is that the first time I downloaded the file, using Firefox, Windows 10 Security didn't find any viruses. It started finding the virus after installing Opera and downloading it with Opera. I'm not sure what to make of this, maybe Opera changed something on the computer.

1 Like

The virus detected is the trojan Trojan:Win32/Spursint.Q!cl

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Spursint.Q!cl&threatId=-2147243563

This was the message from Windows 10 Security (Microsoft Defender): [image]

What does Virus Total say?

Sorry, what do you mean by Virus Total?

So far 100% of virus reports for Joplin have been false positives, and you can usually verify this on this website: VirusTotal

It will scan the file with multiple scanners and if only one or two report a virus it's probably a false positive.

I have turned off Real-time protection, downloaded the file and uploaded it to the VirusTotal website to be scanned. The result said that 0 out of 60 Security Vendors flagged the file as malicious.

After that I turned Real-time protection back on, scanned the file and Windows Defender gave the alarm again. I guess it's a false positive.

Do you have an option in the dialog to report it as a false positive?

Which Windows Defender signature update do you use?
I have no problems with the following versions:

Output from the Get-MpComputerStatus PowerShell command.

AMEngineVersion                 : 1.1.18700.4
AMProductVersion                : 4.18.2110.6
AMServiceVersion                : 4.18.2110.6
AntispywareSignatureLastUpdated : 05.11.2021 03:20:28
AntispywareSignatureVersion     : 1.353.458.0
AntivirusSignatureLastUpdated   : 05.11.2021 03:20:29
AntivirusSignatureVersion       : 1.353.458.0
NISEngineVersion                : 1.1.18700.4
NISSignatureLastUpdated         : 05.11.2021 03:20:29
NISSignatureVersion             : 1.353.458.0

I have the same problem today, with the file saved in the download folder.
I already installed Joplin 2.5.10 some days ago and Windows Defender did not detect any virus.

There is no option to set it as a false positive.

AMEngineVersion                 : 1.1.18700.4
AMProductVersion                : 4.18.2110.6
AMServiceVersion                : 4.18.2110.6
AntispywareSignatureLastUpdated : 04/11/2021 11:06:03
AntispywareSignatureVersion     : 1.353.411.0
AntivirusSignatureLastUpdated   : 04/11/2021 11:06:06
AntivirusSignatureVersion       : 1.353.411.0
BehaviorMonitorEnabled          : True
NISEngineVersion                : 1.1.18700.4
NISSignatureLastUpdated         : 04/11/2021 11:06:06
NISSignatureVersion             : 1.353.411.0

Defender freaked out for me too when I downloaded it. Blocked it and threw it in quarantine.

AMEngineVersion                 : 1.1.18700.4
AMProductVersion                : 4.18.2110.6
AMServiceVersion                : 4.18.2110.6
AntispywareSignatureLastUpdated : 05/11/2021 02:20:28
AntispywareSignatureVersion     : 1.353.458.0
AntivirusSignatureLastUpdated   : 05/11/2021 02:20:29
AntivirusSignatureVersion       : 1.353.458.0
NISEngineVersion                : 1.1.18700.4
NISSignatureLastUpdated         : 05/11/2021 02:20:29
NISSignatureVersion             : 1.353.458.0

@JackGruber has more recent signature files, and it doesn't trigger for him, so there's a chance they've already fixed the issue.

Edit: although only the date is different, so that's probably something else.

Version 449 gave me the alert

I have just updated to 458

Downloaded the file and scanned it and it didn't alert me this time

1 Like

First update the signature with Update-MpSignature, or you can exclude a file with the following PowerShell command:

Set-MpPreference -ExclusionPath "C:\Users\USER\Downloads\Joplin-Setup-2.5.10.exe"

So I ran Update-MpSignature but Defender is still killing the download (I don't actually need it for an install or anything, just trying to help to see what the issue might be).

I have updated the signature to 464 and again it didn't give me the alert.

It gave me the alert with 449, but only with the second and subsequent scans, and it didn't give me the alert with 458 and 464. But Daeraxa had the problem with 458.

I haven't found out yet how to report the problem to Microsoft, but I don't have the problem anymore so I will just try to find out how to report it for the next time it happens and leave it at that.

For the people that still have the problem, I guess the problem will solve itself in the next hours or days, after some other signature updates.

AMEngineVersion                 : 1.1.18700.4
AMProductVersion                : 4.18.2110.6
AMServiceVersion                : 4.18.2110.6
AntispywareSignatureLastUpdated : 05/11/2021 05:38:26
AntispywareSignatureVersion     : 1.353.464.0
AntivirusSignatureLastUpdated   : 05/11/2021 05:38:29
AntivirusSignatureVersion       : 1.353.464.0
BehaviorMonitorEnabled          : True
NISEngineVersion                : 1.1.18700.4
NISSignatureLastUpdated         : 05/11/2021 05:38:29
NISSignatureVersion             : 1.353.464.0

1 Like

I HAVE SUBMITTED THE FILE FOR ANALYSIS

I have again installed the Opera browser and Microsoft Defender started alerting again, so I decided to send the file Joplin-Setup-2.5.10.exe for analysis.

In the Virus & Threat protection settings there is a link to submit a sample manually.

The link is to Submit a file for malware analysis - Microsoft Security Intelligence

I will reply to this post if there are any updates from Microsoft.

3 Likes

Can this be the reason: Embedded malware in coa · GHSA-73qr-pfmq-6rp8 · GitHub Advisory Database · GitHub? I see references to this package in some package-lock files.

1 Like

I hope that's not the issue but I'll check. We didn't do any release within the mentioned time frame so hopefully we're good.

"Which anti-virus?"

It's the default anti-virus that comes with Windows 10 (with default settings and auto-update schedule).

THE PROBLEM SEEMS TO BE SOLVED

This is the comment to my ticket:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: Manage Microsoft Defender Antivirus updates and apply baselines | Microsoft Docs

Thank you for contacting Microsoft.

7 Likes
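
Added example (not part of the thread and not Microsoft's own script): the steps from the Microsoft reply, followed by a re-scan of the one file and cleanup of the exclusion suggested earlier in the thread. It assumes an elevated PowerShell session and that the installer sits at the path in $Installer, which is a placeholder to adjust.

```powershell
# Added example. $Installer is an assumed location, not a path from the thread.
param(
    [string]$Installer = "$env:USERPROFILE\Downloads\Joplin-Setup-2.5.10.exe"
)

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-SignatureVersion {
    # Same field the posters compared (1.353.449.0, 1.353.458.0, ...).
    (Get-MpComputerStatus).AntivirusSignatureVersion
}

$before = Get-SignatureVersion

# Steps from the Microsoft reply: drop cached dynamic signatures, then update.
& $MpCmdRun -RemoveDefinitions -DynamicSignatures | Out-Null
& $MpCmdRun -SignatureUpdate | Out-Null

$after = Get-SignatureVersion

# Re-scan only this file (ScanType 3 = custom scan). -DisableRemediation
# reports a detection without quarantining the file and ignores exclusions,
# so a leftover exclusion cannot hide a real detection.
$scanExit = $null
if (Test-Path -LiteralPath $Installer) {
    & $MpCmdRun -Scan -ScanType 3 -File $Installer -DisableRemediation | Out-Null
    $scanExit = $LASTEXITCODE   # 0 = nothing found, 2 = detection or scan error
}

# An exclusion added as a workaround should not outlive the false positive.
$stale = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ -eq $Installer }
$removed = $false
if ($stale -and $scanExit -eq 0) {
    Remove-MpPreference -ExclusionPath $Installer
    $removed = $true
}

[pscustomobject]@{
    SignatureBefore  = $before
    SignatureAfter   = $after
    FileScanned      = $null -ne $scanExit
    DetectionOrError = $scanExit -eq 2
    ExclusionRemoved = $removed
}
```

Set-MpPreference -ExclusionPath replaces the whole exclusion list, while Add-MpPreference -ExclusionPath appends to it; either way the exclusion keeps the file unscanned until it is removed.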