Win Defender alerts Trojan

[mikael1000]

My Windows Defender just quarantined: libpause_click_plugin.dll

Windows Defender says it is dangerous and is run by an attacker. Win Defender calls it: Trojan:Win32/Peals.F!cl And the warning level is set to: Serious

The path is: file:C:\Program Files (x86)\VideoLAN\VLC\plugins\video_filter\libpause_click_plugin.dll

Should I worry!?

[nurupo]

1. Where did you download it from? I would like to know the URL. Note that only safe place to download my plugin from is the Releases page of this GitHub repository.

2. Check the file your antivirus complains about using https://www.virustotal.com , it will check it using over 60 antiviruses and report back results, so you will see if it's false positive or not.

I just checked all libpause_click_plugin.dll from the latest 0.4.0 release using https://www.virustotal.com and no antivirus has detected anything in them:

• libpause_click_plugin.dll from vlc-2.2-64bit-win.zip
• libpause_click_plugin.dll from vlc-2.2-32bit-win.zip
• libpause_click_plugin.dll from vlc-2.1-64bit-win.zip
• libpause_click_plugin.dll from vlc-2.1-32bit-win.zip

3. What is SHA-256 of the libpause_click_plugin.dll you got? It might be possible that you downloaded some modified version of it from somewhere else or some malware on you computer modified it after you downloaded it from the proper source, so I would like to know the sha-256 hash.

[nurupo]

Huh, I just googled "Win32/Peals.F!cl" and found quite a few search results posted within last 12 hours. I want to keep an eye on them, so will just note them in a comment here, mostly for myself.

• https://www.reddit.com/r/sysadmin/comments/7o1a5n/windows_defender_possible_false_positive_on/
• https://devtalk.nvidia.com/default/topic/1028256/windows-defender-flags-cudnn64_6-dll-as-trojan-win32-peals-f-cl/
• https://social.technet.microsoft.com/Forums/en-US/57ab8e8e-9886-4312-9067-c5e60c76897c/system-center-endpoint-protection-has-detected-a-malware-outbreak-malware-name?forum=ConfigMgrCompliance

It could be that Windows Defender started throwing false positives for Win32/Peals.F!cl with some last update, or it could be a legitimate virus outbreak. Looks more like the former than latter, but let's not jump to assumptions.

[mikael1000]

I downloaded it from here and I have used it over a year. It have worked out great until yesterday. Win defender quarantined the file and the function (click the screen) stopped working. The strange thing is that now when I started VLC the click-function works again and when I check Win Defender there is no file quarantined.

Yes it did happen, I'm not that old (just answering the obvious question). But am I the only one that this happened to?

EDIT: I guess this answer it: https://www.reddit.com/r/sysadmin/comments/7o19q0/trojanwin32pealsfcl_false_positives_in_windows/

EDIT2: I also want to thank for this awesome application. I love it. A suggestion (not very important) I have is that it should not start or stop on dubble click.

[nurupo]

A suggestion (not very important) I have is that it should not start or stop on dubble click.

I have added this in the last version of the plugin (0.4.0), but it's disabled by default, you have to enable it in preferences (screenshot) by checking "Ignore double cilcks". You might also want to adjust the dobule click interval time to your tastes if you find it incorrectly detecting two consecutive single clicks as a double click and ignoring them often, though the default value should be okay.

[nurupo]

The Windows plugin binaries I build myself on my own computer, so I can assure that no one has added any viruses in them when building them, but you don't have to trust me on this if you don't want to, you can build the plugin yourself since I provide the build instructions on how to do it and Travis-CI makes sures that those instructions keep working. Btw, the build instructions got even simplier in the new branch in which I'm working on adding support for the upcoming VLC 3.0.0.