Windows Defender Quarantines Joplin.exe, Category: "Backdoor"

Operating system


Joplin version


Desktop version info

Joplin 2.14.17 (prod, win32)

Client ID: 0b2cba7cb0c14c07a3d36214341939b9
Sync Version: 3
Profile Version: 46
Keychain Supported: Yes

Revision: 094175c

Backup: 1.4.0

What issue do you have?

Hello Team,
I recently updated to v2.14.17 and whenever I open the desktop app, I get a warning from Windows Defender saying that there is a severe threat found and quarantined. When I check the Defender Logs, it quarantined due to a potential backdoor. Also, whenever I get the warning, Joplin desktop app also gives and error about a plugin. I wonder if this is because a false positive from the Windows Defender side or it is about my system which might potentially infected and causing this issue.


Hello, 100% of virus reports for Joplin so far have been false positives, so the best thing to do is to report it to Microsoft. Usually they have a link somewhere to do this.

Review the note content in file
If you have any "hacking" payload (ex. HackTheBox stuff) it could be detected as virus.

I have the same problem here.

This might be the issue, and I looked for the file but couldn't find probably deleted by the system. At least, I don't get any warnings anymore :slight_smile:

It's in the tmp folder, which if I'm guessing correctly, means it's something you'd opened with an external editor. Once the editor is done with the file the file gets deleted from the harddrive and added back into the proper database, since Joplin doesn't store the notes as .md files normally.

Defender itself usually won't delete something without permission, it'd quarantine it and let the computer admin decide what to do; which makes me think it's Joplin itself that deleted the file.

It's really unexpected an .MD file would be capable of very much, especially in this context; unless as above, it has something being interpretted as a payload such as the EICAR string (but it likely won't be literally this since you'd assume that one would be named explicitly by Defender if so).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.