[Solved] Malware/Trojan alert for latest Vivaldi Windows snapshot?!
-
Hi,
did anybody else receive an alert during/right after the installation of the most recent Vivaldi snapshot 1.15.1132.3?
My Avira AntiVirus felt it had to move setup.exe to the quarantine.
-
These are always false positives.
It got a clean bill of health from Virus Total
-
"Vivaldi.1.15.1132.3.x64.exe" = "setup.exe" ?
A Virustotal scan was the first thing I wanted to do as well. (yeah, yeah, I know, another of those Google related services....)
So I decided to restore it from my quarantine to be able to upload it to them but it did not show up in "C:\Program Files (x86)\Vivaldi\Application\1.15.1132.3\Installer" by restoring.
I tried the "Previous Versions" feature offered through Windows, which is active for that drive/folder, but no luck either.
I spotted a vivaldi.7z file in there, [size: 162.064.573 Bytes], [size on disk 162.066.432 Bytes] that has a time/date stamp from the day/time when the update was carried out.
I opened the archive to see whether there is a "setup.exe" inside that might have triggered the alarm but 'no' - I didn't find that file. So I'm back to my first question:
Does "Vivaldi.1.15.1132.3.x64.exe" contain "setup.exe"? Thanks.
P.S.: Yes, I would love to have that file as well that triggered the alarm.
P.P.S.: Will try it on another Win7/64 machine.
P.P.P.S.: the SAME result -> Trojan found. Trying to fetch it from the quarantine this time although the restore function did not work last time. Searching for an alternative to get it out of there.
"Results"
Avira Antivirus during installation
Running "Lauschangriff" tool that logs "all" file system activity
Unfortunately the file itself though seems to have escaped me again. Trying my luck with the quarantine some more.
......
Lucky me - I was able to restore it and have it checked by Virustotal:
"One engine detected this file
SHA-256 8a22cd9eebf5ac05b71f5846eb2192f75f50a56e5ee0ef9e114cce6424ab49ec
File name setup.exe
File size 12.86 MB
Last analysis 2018-03-22 19:39:18 UTC"
I kept a copy of the file within a RAR archive whose extension I altered to *.ra_ should you be interested in it.
Conclusion: might be a false positive but I'm not savvy enough to say that for sure.
-
@gwen-dragon:
"Vivaldi.1.15.1132.3.x64.exe" = "setup.exe" ?
I'd say "no". Neither in file size nor regarding their name. Some 40-50 MB (I don't recall the download's size to be honest) vs. 12.86 MB.
But I assume the "Vivaldi.1.15.1132.3.x64.exe" is a self-extracting file containing files within. As I am not aware of any other activity than the Vivaldi update at the time I do assume that the "setup.exe" I am referring to is/was part of "Vivaldi.1.15.1132.3.x64.exe".
Furthermore if you have a look at the file system activity screenshot I posted and look for the "VIVALDI.PACKED.7z" file and the "setup.exe" file that comes out of it we do seem to come full circle, don't we? It still could be a false positive, but I preferred to inform rather than just to shrug my shoulders here; no offense.
-
Please see:
- time stamp from Antivirus program screenshot:
https://ibb.co/kiNOcx
19:57 - unfortunately not more precise than that, only hh:mm
and
- time stamp from file system monitoring tool as posted earlier:
https://ibb.co/k2Njjc
19:57:16.238 -
I started the monitoring tool right before permitting the Vivaldi update notification to commence, as in download the update date and let it install.
The antivirus alert will have popped up between just shy of finishing the Vivaldi update installation and at max 5 seconds after it was finished. My main focus was on being able to grab the setup.exe file itself.
I still am somehow convinced that the setup.exe that was reported belongs to the received and extracted Vivaldi update, as
a) nothing else was running on the machine at the time that would run or trigger a call of some setup.exe which
b) resided in the same temp folder that was used to extract and run (parts of) the Vivaldi update process. If I had a third Windows machine I'd add an additional process watchdog/logger.
P.S.: As mentioned before I do have a copy of that setup.exe file "contained" within a WinRAR archive that I could make available to you. You would only have to rename it from <filename>.ra_ to <filename>.rar to be able to extract it on some isolated machine.
I do not feel comfortable though posting a link to a service that could be used for this making available - such as wetransfer.com or workupload.com - as I wouldn't want to spread it.
And 'yes', of course it can still be a false positive but when it comes to such matters I find a statement such as "These are always false positives." quite "bold".
-
@gwen-dragon Roger that. I'll do that right away.
-
@gwen-dragon Roger. Wilco. <scnr>
Explanation: https://www.urbandictionary.com/define.php?term=roger wilco
-
@gwen-dragon said in Malware/Trojan alert for latest Vivaldi Windows snapshot?!:
As I saw in investigation, the setup.exe you sent had a valid Vivaldi signature and is virus free.
You should send Avira Support the file to fix their false positive.
Interesting.
I agree, Avira could/should be informed of this false positive Vivaldi setup.exe. Then again, referring to your last message, I see no point in me sending it to them, as
a) you scanned the provided setup.exe with virustotal.com, which now is reported as clean (identical SHA-256)
which to me means that
b) they reevaluated it. So I guess I'll change this thread's title to "Solved"
Regards
RogerWilco
-
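The checks the thread ended up doing by hand (hash the quarantined file, confirm the Vivaldi Authenticode signature, look the hash up on VirusTotal without uploading the file) as one added PowerShell script; this is example code, not something posted in the thread or shipped by Vivaldi. The file path and the VT_API_KEY environment variable are assumptions; the SHA-256 default is the value quoted earlier in the thread.

```powershell
# Added example: triage a restored quarantine file the way the thread did manually.
param(
    [string]$Path = 'C:\quarantine\setup.exe',   # assumed: where the restored file was put
    # hash reported by VirusTotal in the thread, used to confirm we are looking at the same file
    [string]$ExpectedSha256 = '8a22cd9eebf5ac05b71f5846eb2192f75f50a56e5ee0ef9e114cce6424ab49ec',
    [string]$VtApiKey = $env:VT_API_KEY          # assumed: VirusTotal API key supplied via env var
)

# 1. Hash the file and compare it with the value the thread reported.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
$sameFile = ($hash -eq $ExpectedSha256.ToLower())
Write-Host "SHA-256: $hash (matches thread value: $sameFile)"

# 2. Check the Authenticode signature. A 'Valid' status with a Vivaldi signer is what the
#    final verdict in the thread rested on; NotSigned/HashMismatch or another signer is the
#    case that should keep the file isolated.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "Signature status: $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Host "Signer: $($sig.SignerCertificate.Subject)"
    Write-Host "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
}
$signedByVivaldi = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Vivaldi')

# 3. Ask VirusTotal for the existing report by hash (v3 API); nothing is uploaded, so this
#    avoids spreading the sample the way the poster was worried about.
$vtMalicious = $null
if ($VtApiKey) {
    try {
        $resp  = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$hash" `
                                   -Headers @{ 'x-apikey' = $VtApiKey }
        $stats = $resp.data.attributes.last_analysis_stats
        $vtMalicious = $stats.malicious
        Write-Host ("VirusTotal: {0} malicious, {1} suspicious, {2} harmless/undetected" -f
            $stats.malicious, $stats.suspicious, ($stats.harmless + $stats.undetected))
    } catch {
        Write-Host "VirusTotal lookup failed or hash not known: $($_.Exception.Message)"
    }
}

# 4. Summary object: valid vendor signature plus zero or one engine hit is the
#    "report a false positive to the AV vendor" case; anything else stays quarantined.
[pscustomobject]@{
    Path              = $Path
    Sha256            = $hash
    MatchesThreadHash = $sameFile
    SignatureStatus   = $sig.Status
    SignedByVivaldi   = $signedByVivaldi
    VtMaliciousCount  = $vtMalicious
}
```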
Ppafflick unlocked this topic on
-
Ppafflick moved this topic from Vivaldi for Windows on