dpradov / keynote-nf

Tabbed notebook with RichText editor, multi-level notes and strong encryption.
Mozilla Public License 2.0

Malware alert for the latest update (v 1.9.2.1 (01 apr 2024)) #675

Closed uzzer123 closed 4 months ago

uzzer123 commented 6 months ago

I got a malware alert from Windows when trying to download the latest version of KeynoteNF. I also scanned the file through Virustotal and this is what I got:

[image: KNsetup]

TLC49 commented 6 months ago

Good morning,

Since the last signature update on bitdefender, files are quarantined.

Immediately after unzipping the package, the following files are quarantined due to the presence of "Gen:variant.tedy.563328" and "Trojan.GenericKD.72190921":

kntLauncher, keynote, kntutils.dll, kncalendar.knl

This does not necessarily concern the latest version of Keynote NF

Thank you for resolving this blocking problem when using Keynote NF.

Good day

dpradov commented 6 months ago

Could you indicate which BitDefender product you have, so I can report it as a false positive? There is a form to report it, but they ask to indicate a product and I don't know which one to put.

https://www.bitdefender.com/business/support/en/77209-343054-resolving-legitimate-applications-detected-as-threats-by-bitdefender.html

For example, if I look at virustotal, as @uzzer123 indicates, BitDefender marks it as malware. However, Bitdefender itself marks it as clean when it analyzes the same file by reading it through the URL published on GitHub...

https://github.com/dpradov/keynote-nf/releases/download/v1.9.2.1/KeyNote.NF_1.9.2.1.zip [image]

https://github.com/dpradov/keynote-nf/releases/download/v1.9.2.1/kntSetup_1.9.2.1.exe [image]

This has already been happening with other versions and it is very tiring.

As I indicated yesterday to another user by email, when I prepared the files I uploaded, the only more or less "serious" engine that marked it as malicious was "BitDefender", with a supposed virus called "Gen:Variant.Tedy", and this is not the first time BitDefender has marked it incorrectly: https://stackoverflow.com/questions/75886428/fake-positive-bit-defender-problem-genvariant-tedy-304469

And for other similar cases, please take a look at: "Security issues KeyNoteNF_1.8.5.1" (#649) and "Issues identified in version 1.9.0" (#652).

TLC49 commented 6 months ago

Thank you for these explanations. So I have Bitdefender Internet Security, version 27.0.30.140
Threat database: Threat Information Update: 14030512
Engine version: 7.96456

[screenshot: 2024-04-03 18_42_03-À propos de Bitdefender]

TLC49 commented 6 months ago

I also found this link for the declaration https://www.bitdefender.fr/consumer/support/answer/53375/

GrumpyGourmand commented 5 months ago

I tried to download KeyNote.NF_1.9.2.1.zip with Microsoft Edge on 4/2 and Windows Defender thought it was a 'severe' threat, based on the file inside the archive named kntutils.dll.

On 4/3, I downloaded the zip file with wget to a directory that I have configured as an exclusion from Windows Defender. Then I copied the zip file to my desktop, and nothing seemed to happen. But when I extracted the zip, then Windows Defender had a problem with the file named kntLauncher.exe, which it also thinks is a 'severe' threat, but it lists a different trojan this time.

I have no doubt these are false positives, but this is a much bigger problem than some third-party malware detection software misbehaving, as this is Windows Defender itself doing this now, and immediately quarantining the file upon download. I would assume this now affects anyone running Windows 10 (or 11 presumably).

I'm sorry you have to deal with this, as I'm sure it's very irritating. Thank you for your efforts in regard to keeping this program updated, and also for dealing with these headaches.

[images: 4_2, 4_3]

dpradov commented 5 months ago

I personally update the version that I use on my computer with the installer (kntSetup_1.9.2.1.exe). The kntLauncher.exe file is identical to the one used in the previous version (1.9.1). Only the modification date varies, because the setup program has two configuration commands with which a fixed date and time are set on the executables during installation, although these files are not replaced if the version is identical. In this version:

TouchDate=2024-04-01
TouchTime=22:00

Therefore, if I check the kntLauncher.exe file that I have in my installation folder, it corresponds to 03/07/24 21:00 instead of the one that is in the latest .zip file (and inside the installer), which corresponds.

I wonder if that's what's causing it to be flagged as suspect, which would surprise me. In the case of the kntutils.dll file, it is different from the one used in the previous version, but only because I have modified some texts, some literals, in relation to one of the changes incorporated in the new version (* Change of terminology: Simple notes / Tree Notes + nodes ==> "Folders" with "notes"). Those literals are used when generating a .html file with the keys configured. Beyond that there is no difference.

I say all this in case you want to try using the previous version of those two files together with the current version of KeyNote (keynote.exe), where logically there are necessary changes.

dpradov commented 5 months ago

The fact is that I have W11 with updated Windows Defender and it does not detect any viruses if I ask it to scan the .zip file or the previous kntLauncher.exe, for example. However, it is true that now even through virustotal it is marking the initial version of kntLauncher.exe as suspicious (when before it was marked as correct).

In case anyone is curious, the code for kntLauncher.exe is very simple. It is here: https://github.com/dpradov/keynote-nf/blob/master/kntLauncher.dpr

What it does is try to locate and activate a previous instance of Keynote.exe that could already be executing the .knt file that it is asked to open, for which it consults that instance. If the title parameter has been passed in the call to kntLauncher (recommended), it is used to directly locate the KeyNote instance based on the ClassName of the window and the title, with the Windows FindWindow API. Otherwise, it uses the Windows API EnumWindowsProc to locate the main window of the processes launched by KeyNote (based on its ClassName) and to be able to ask them if they have the requested .knt file open.

dpradov commented 5 months ago

Curiously, after doing the following, my own Windows also started complaining:

1- I have installed a cumulative optional update for Windows 11 Version 23H2 for x64-based systems (KB5035942)

After this and restarting, I scanned the .zip file I have locally with Defender (the same one I uploaded to GitHub) and it did not find any threat.

2- I have downloaded the .zip file from GitHub

When I downloaded that same file from GitHub, Defender gave me a virus warning. And after that, even for the same previous file in which a second before it did not see any threat, it now sees it. ??? I have of course verified that my local file is still identical to the one I uploaded at the time (verifying it through the signature with GPG)

I will report it to Microsoft :unamused:

I will also check it with the other files you point out.

dpradov commented 5 months ago

I have already reported the two files (kntLauncher.exe and kntutils.dll) to Microsoft. Let's see how long it takes them to respond to me. I'm going to check if there are any other files that are giving problems.

dpradov commented 5 months ago

I have also reported false positives on those files to BitDefender.

dpradov commented 5 months ago

[image]

dpradov commented 5 months ago

[image]

dpradov commented 5 months ago

I have applied what they indicate and it has worked. I had to restart the computer after doing so, because right after that it kept telling me that there were threats. I don't know, maybe it was some cache issue in Windows Defender.

I have also passed those two files through virustotal.com again and Microsoft already returns Undetected

dpradov commented 5 months ago

I just reported it as a false positive also to Google (it also marks the file KeyNote.NF_1.9.2.1.zip as a virus when I try to attach it in Gmail)

plovec commented 5 months ago

I just updated the signature files of Windows Defender via its definition update function and now it correctly doesn't mark Keynote as a virus.

GrumpyGourmand commented 5 months ago

Yes, I can also confirm that Windows Defender is no longer giving me any hassles about KeyNote NF since I purged the cached detections and updated to the latest definitions. Thank you for addressing Microsoft's mistake and for everything you've done to keep this program updated after the previous developer stopped.
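One way to carry out what dpradov, plovec and GrumpyGourmand describe above (drop Defender's cached verdict, pull fresh definitions, then rescan the two flagged files) as an added PowerShell example; it is not code from the KeyNote NF project, and the release folder path is an assumption:

```powershell
# Added example, not part of KeyNote NF. Run in an elevated PowerShell session.
# Assumption: the extracted release lives in C:\KeyNoteNF (hypothetical path).
$ReleaseDir = 'C:\KeyNoteNF'
$FilePattern = 'kntLauncher\.exe|kntutils\.dll'   # the two files named in this issue

# 1. Show what Defender has already logged about these files (the "cached" detection).
Get-MpThreatDetection |
    Where-Object { $_.Resources -match $FilePattern } |
    Select-Object InitialDetectionTime, ThreatID, Resources |
    Format-Table -AutoSize

# 2. Purge cached dynamic signatures, then fetch the current definitions.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $MpCmdRun -RemoveDefinitions -DynamicSignatures
Update-MpSignature

# 3. Confirm the signature version actually changed before trusting a rescan.
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# 4. Rescan only the release folder and report whether either file is still flagged.
Start-MpScan -ScanType CustomScan -ScanPath $ReleaseDir
$stillFlagged = Get-MpThreatDetection |
    Where-Object { $_.Resources -match $FilePattern -and
                   $_.InitialDetectionTime -gt (Get-Date).AddMinutes(-5) }
if ($stillFlagged) {
    Write-Warning 'Still detected with current definitions; resubmit the files to Microsoft with this signature version.'
} else {
    Write-Host 'No detection on the KeyNote NF files with the current definitions.'
}
```

As in the thread, a reboot may still be needed if Defender keeps reporting the old verdict after the purge.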

thdoan commented 5 months ago

I just got this alert now:

[image]

Update: I just tried to download again and got this in Chrome:

[image]

dpradov commented 5 months ago

Do you have the antivirus updated? Defender doesn't complain to me and if I force the executable to be reviewed again on VirusTotal.com, only four engines continue to mark it as malicious, among which Microsoft is not:

[image]

thdoan commented 5 months ago

I'm using the antivirus that comes with Windows 10, and yes it's updated to the latest. The only way for me to get rid of the warnings is to add the exe to the whitelist.