Open Sjoo90 opened 2 months ago
Hi @Sjoo90, that's odd! The MSI was built by our CI job (like all of our other releases). Are there any more details about why that antivirus thinks it's a trojan?
VirusTotal shows no detections of malicious behavior for that MSI artifact…
…but there is a note about potential false positive alerts that might be generated for the file:
⚠️ Matches rule _Windows_APIFunction from ruleset _Windows_APIFunction at https://github.com/InQuest/yara-rules-vt by InQuest Labs
↳ This signature detects the presence of a number of Windows API functionality often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if seen firing in other file types, deeper investigation may be warranted.
@Sjoo90 Does the SHA256 checksum match? (You can use the Get-FileHash PowerShell utility on Windows to generate checksums.) The expected hash is
61c49446a032c077695f922cefeddc96f546de2a5f4be043d8428ce44a1b90e8
After uninstalling and installing again via winget, I still get the trojan warning:
Hi @Sjoo90, similar to @jsejcksn, I'm not seeing any issues with the installer. I cleared it out, installed from winget, then ran a full Windows Defender scan on my machine and found no vulnerabilities.
Given that the SHA matches the expected value (which I think is required by Winget anyway), my only hypothesis right now is that you're running into a false positive with the virus scan. If there are more details about what is found, that might help us understand why it's getting flagged as a false positive (though in my experience, virus scan programs are light on details to not give attackers more info than necessary on how to evade).
Edit: Another possibility: could volta.exe be infected by something after the installation? Can you calculate the hash of the file on disk? I was able to get a SHA512 value using the following command:
certutil -hashfile 'C:\Program Files\Volta\volta.exe' SHA512
Which gave me the following hash on the file installed from Winget:
efc61525f634358f3cb4bacc1ef5b4f02d3985254038da61c5a86db74296583254a78bc9efb5bedd6246033551af3fcbe3f5196e95aea8c53a50f88d9bf70cb3
Alternatively, using Get-FileHash I get the SHA256 of volta.exe to be:
C6EB40664964ED96E29D6E24E5948448BCDCFA29EE742FBE7B928458B4C4BF5F
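One way to run both of the checks from the comment above in a single step, as an added example (this is not code from the thread participants or from the Volta project): it hashes the on-disk binary with Get-FileHash, compares the result against the values quoted above, and also reports the Authenticode signature status, which is a useful second signal when the hash matches but the file is still flagged. The install path is the one quoted above and the reference hashes are the ones posted in this thread; whether volta.exe carries an Authenticode signature at all is an assumption (an unsigned file simply reports NotSigned).

```powershell
# Added example, not the Volta project's own code.
# Assumptions: the install path 'C:\Program Files\Volta\volta.exe' quoted above,
# the reference hashes quoted in this thread, and that the binary may or may not
# be Authenticode-signed (the Signature field just reports what Windows sees).

function Test-InstalledBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,
        [string] $ExpectedSha512
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # -LiteralPath avoids wildcard expansion on paths containing brackets etc.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sha512 = (Get-FileHash -LiteralPath $Path -Algorithm SHA512).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    $result = [ordered]@{
        Path          = $Path
        Sha256        = $sha256
        Sha512        = $sha512
        Sha256Matches = $null   # stays $null when no expected value was supplied
        Sha512Matches = $null
        Signature     = $sig.Status.ToString()
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }

    # Get-FileHash returns upper-case hex, while hashes copied from release notes or
    # a winget manifest are often lower-case, so compare case-insensitively.
    if ($ExpectedSha256) {
        $result.Sha256Matches = [string]::Equals($sha256, $ExpectedSha256, 'OrdinalIgnoreCase')
    }
    if ($ExpectedSha512) {
        $result.Sha512Matches = [string]::Equals($sha512, $ExpectedSha512, 'OrdinalIgnoreCase')
    }

    [pscustomobject]$result
}

# Reference values quoted earlier in this thread for the winget-installed volta.exe.
$check = Test-InstalledBinary -Path 'C:\Program Files\Volta\volta.exe' `
    -ExpectedSha256 'C6EB40664964ED96E29D6E24E5948448BCDCFA29EE742FBE7B928458B4C4BF5F' `
    -ExpectedSha512 'efc61525f634358f3cb4bacc1ef5b4f02d3985254038da61c5a86db74296583254a78bc9efb5bedd6246033551af3fcbe3f5196e95aea8c53a50f88d9bf70cb3'

$check | Format-List

if ($check.Sha256Matches -eq $false -or $check.Sha512Matches -eq $false) {
    Write-Warning 'On-disk volta.exe does not match the reference hashes; treat the AV alert as a real finding until the difference is explained.'
}
elseif ($check.Signature -ne 'Valid') {
    Write-Host "Hashes match. Authenticode status is '$($check.Signature)', so the hash comparison is the only integrity evidence here."
}
```

The same function applies to the downloaded MSI: pass the path of the .msi and the SHA256 expected value from the comment above as -ExpectedSha256. A hash match on the MSI shows the download is the artifact the CI job published, while a match on volta.exe shows nothing modified the binary after installation; if both match and the scanner still alerts, the remaining explanation is a signature-based false positive, which is what the VirusTotal note about the _Windows_APIFunction rule also suggests.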
This came up for me when I ran winget update --all for Volta.Volta
It's Swedish, but I think you can find out.