[Solved] Malware/Trojan alert for latest Vivaldi Windows snapshot?!



  • Hi,

    did anybody else receive an alert during/right after the installation of the most recent Vivaldi snapshot 1.15.1132.3 ?

    My Avira AntiVirus felt it had to move setup.exe to the quarantine.

    https://ibb.co/dujGEc



  • Ambassador

    These are always false positives.

    It got a clean bill of health from VirusTotal.



  • "Vivaldi.1.15.1132.3.x64.exe" = "setup.exe" ?

    A Virustotal scan was the first thing I wanted to do as well. (yeah, yeah, I know, another of those Google related services....)

    So I decided to restore it from my quarantine to be able to upload it to them but it did not show up in "C:\Program Files (x86)\Vivaldi\Application\1.15.1132.3\Installer" by restoring.

    I tried the "Previous Versions" feature offered through Windows, which is active for that drive/folder, but no luck either.

    I spotted a vivaldi.7z file in there, [size: 162.064.573 Bytes], [size on disk 162.066.432 Bytes] that has a time/date stamp from the day/time when the update was carried out.
    I opened the archive to see whether there is a "setup.exe" inside that might have triggered the alarm but 'no' - I didn't find that file.

    So I'm back to my first question:
    Does "Vivaldi.1.15.1132.3.x64.exe" contain "setup.exe" ?

    Thanks.

    P.S.: Yes, I would love to have that file as well that triggered the alarm.

    P.P.S.: Will try it on another Win7/64 machine.
    P.P.P.S.: The SAME result -> Trojan found. Trying to fetch it from the quarantine this time, although the restore function did not work last time. Searching for an alternative to get it out of there.


    "Results"

    Avira Antivirus during installation

    https://ibb.co/kiNOcx

    Running "Lauschangriff" tool that logs "all" file system activity

    https://ibb.co/k2Njjc

    Unfortunately the file itself though seems to have escaped me again. Trying my luck with the quarantine some more.
    ......
    Lucky me - I was able to restore it and have it checked by Virustotal:
    "One engine detected this file
    SHA-256 8a22cd9eebf5ac05b71f5846eb2192f75f50a56e5ee0ef9e114cce6424ab49ec
    File name setup.exe
    File size 12.86 MB
    Last analysis 2018-03-22 19:39:18 UTC
    "

    https://ibb.co/c5Ns4c

    I kept a copy of the file within a RAR archive whose extension I altered to *.ra_ should you be interested in it.

    Conclusion: might be a false positive but I'm not savvy enough to say that for sure.


  • Moderator

    My downloaded Vivaldi.1.15.1132.3.x64.exe has SHAsum:

    a15ac180bcdba0bca1fcaef805efbbbbe729098ef0721d8216bea9e30fccd4e7   Vivaldi.1.15.1132.3.x64.exe
    

    Scan on VirusTotal, see https://www.virustotal.com/#/file/a15ac180bcdba0bca1fcaef805efbbbbe729098ef0721d8216bea9e30fccd4e7/detection



  • @gwen-dragon:
    "Vivaldi.1.15.1132.3.x64.exe" = "setup.exe" ?
    I'd say "no". Neither in file size nor regarding their name.

    Some 40-50 MB (I don't recall the download's size to be honest) vs. 12.86 MB.
    But I assume the "Vivaldi.1.15.1132.3.x64.exe" is a self-extracting file containing files within.

    As I am not aware of any other activity than the Vivaldi update at the time I do assume that the "setup.exe" I am referring to is/was part of "Vivaldi.1.15.1132.3.x64.exe".
    Furthermore if you have a look at the file system activity screenshot I posted and look for the "VIVALDI.PACKED.7z" file and the "setup.exe" file that comes out of it we do seem to come to full circle, don't we?

    It still could be a false positive, but I preferred to inform rather than just to shrug my shoulders here; no offense.


  • Moderator

    Did the virus alert happen after auto-update or after downloading and starting the mentioned Vivaldi.1.15.1132.3.x64.exe?



  • Please see:

    • time stamp from Antivirus program screenshot:
      https://ibb.co/kiNOcx
      19:57 - unfortunately not more precise than that, only hh:mm

    and

    I started the monitoring tool right before permitting the Vivaldi update notification to commence, as in download the update date and let it install.
    The antivirus alert will have popped up between just shy of finishing the Vivaldi update installation and at max 5 seconds after it was finished. My main focus was on being able to grab the setup.exe file itself.
    I still am somehow convinced that the setup.exe that was reported belongs to the received and extracted Vivaldi update, as
    a) nothing else was running on the machine at the time that would run or trigger a call of some setup.exe which
    b) resided in the same temp folder that was used to extract and run (parts of) the Vivaldi update process.

    If I had a third Windows machine I'd add an additional process watchdog/logger.

    P.S.: As mentioned before I do have a copy of that setup.exe file "contained" within a WinRAR archive that I could make available to you. You would only have to rename it from <filename>.ra_ to <filename>.rar to be able to extract it on some isolated machine.
    I do not feel comfortable though posting a link to a service that could be used for this making available - such as wetransfer.com or workupload.com - as I wouldn't want to spread it.
    And 'yes', of course it can still be a false positive but when it comes to such matters I find a statement such as "These are always false positives." quite "bold". 😉


  • Moderator

    Please report the issue to our bugtracker so our security team can check it.
    Please read How to Report a bug for Vivaldi carefully and then report to Vivaldi bugtracker.

    Wait until the bug report mail reaches you.
    Pack the setup.exe into a zip archive. Open a reply mail and attach it.
    We may investigate if the setup.exe is a valid part of the Vivaldi update process.



  • @gwen-dragon Roger that. I'll do that right away.


  • Moderator

    @rogerwilco Fine.


  • Moderator

    Your bug is VB-38874 "Avira Antivirus reported Malware/Trojan during last Vivaldi update"
    Now send us the files.




  • Moderator

    Thanks for the files.
    @tarquin + Vivaldi Security Team will check it.


  • Moderator

    As I saw in the investigation, the setup.exe you sent had a valid Vivaldi signature and is virus free.

    You should send Avira Support the file to fix their false positive.
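
The two checks this thread relies on (the SHA-256 used for the VirusTotal lookup and the signature validity mentioned in the post above) can be run locally on the restored file. This is an added example, not part of the original posts and not Vivaldi's own tooling; `$Path`, `$ExpectedSigner` and `$ExpectedSha256` are assumed parameters, and the `*Vivaldi*` wildcard is a placeholder for the publisher name.

```powershell
# Added example: triage an installer that an antivirus engine quarantined.
# All parameter values are assumptions supplied by the person running the check.
param(
    [Parameter(Mandatory)] [string] $Path,       # the restored file, e.g. setup.exe
    [string] $ExpectedSigner = '*Vivaldi*',      # placeholder wildcard for the publisher
    [string] $ExpectedSha256                     # optional: hash shown by the scanner
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. The SHA-256 identifies the exact bytes, so a multi-engine scan can be
#    looked up by hash without uploading or passing the sample around.
$sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLowerInvariant()

# 2. Authenticode: Status is 'Valid' only if the file is unmodified since
#    signing and the certificate chain is trusted on this machine.
$sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

$result = [pscustomobject]@{
    File            = $file.FullName
    SizeBytes       = $file.Length
    Sha256          = $sha256
    SignatureStatus = $sig.Status
    Signer          = $signer
    SignerMatches   = [bool]($signer -like $ExpectedSigner)
    Timestamped     = [bool]$sig.TimeStamperCertificate
    HashMatches     = if ($ExpectedSha256) { $sha256 -eq $ExpectedSha256.ToLowerInvariant() } else { $null }
}
$result | Format-List

# A detection on a file with a valid signature from the expected publisher
# points toward a false positive; anything else needs a closer look.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': unsigned, altered after signing, or untrusted chain."
} elseif (-not $result.SignerMatches) {
    Write-Warning "Signature is valid but the signer '$signer' does not match '$ExpectedSigner'."
}
```

A valid signature shows who published the file and that it was not altered afterwards; it does not replace the vendor and antivirus review that followed in this thread.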


  • Moderator



  • @gwen-dragon said in Malware/Trojan alert for latest Vivaldi Windows snapshot?!:

    As I saw in the investigation, the setup.exe you sent had a valid Vivaldi signature and is virus free.

    You should send Avira Support the file to fix their false positive.

    Interesting.
    I agree, Avira could/should be informed of this false positive Vivaldi setup.exe.

    Then again, referring to your last message, I see no point in me sending it to them, as
    a) you scanned the provided setup.exe with virustotal.com, which now is reported as clean (identical SHA-256)
    which to me means that
    b) they reevaluated it.

    So I guess I'll change this thread's title to "Solved"

    Regards
    RogerWilco


  • Moderator

    Avira Support told me the setup.exe is ok. False positive.
    I close your reported bug.

