graintiger 2 Posted February 23, 2021 (edited) VirusTotal is suggesting that in the setup.exe for Windows (downloaded just now from https://emby.media/windows-server.html) Trojan.Badur.Win32.34093 has been detected, as per: https://www.virustotal.com/gui/file/69dfe396541681f27b510eb85a53fd88429533cdcd22efd8df0f8c6469e39aa8/detection albeit only by one engine, Zillya. Is this a false positive, or should more attention be paid to this? Edited February 25, 2021 by steveyeu
Abobader 3464 Posted February 23, 2021 Hello steveyeu, Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as is explained in this thread: Thank you. Emby Team
Luke 42080 Posted February 23, 2021 Hi, looks like a false positive. @Happy2Play are you able to reproduce?
Happy2Play 9782 Posted February 23, 2021 (edited) 11 minutes ago, Luke said: Hi, looks like a false positive. @Happy2Play are you able to reproduce? Downloading Beta kicks off Windows SmartScreen, and running that downloaded beta setup file through virustotal.com does show those same detections. Looks like running the stable setup reports the same, but did not have SmartScreen pop-ups. Unless they have been acknowledged previously and allowed. Edited February 23, 2021 by Happy2Play
Luke 42080 Posted February 23, 2021 At what point in the process does it say that? Can you show a screenshot? I just ran through the beta installer and did not encounter that.
Happy2Play 9782 Posted February 23, 2021 9 minutes ago, Luke said: At what point in the process does it say that? Can you show a screenshot? I just ran through the beta installer and did not encounter that. Choosing my downloaded setup file opens the URL/hash above in the first post. https://www.virustotal.com/gui/file/69dfe396541681f27b510eb85a53fd88429533cdcd22efd8df0f8c6469e39aa8/detection
Luke 42080 Posted February 23, 2021 Does it happen with the stable installer?
Happy2Play 9782 Posted February 23, 2021 (edited) 7 minutes ago, Luke said: Does it happen with the stable installer? That was stable, but that same file is clean here; I guess irrelevant, as VirusTotal says Kaspersky is clean. Beta has this hash for me. Stable has the other. https://www.virustotal.com/gui/file/1373e04ae35830c2af063f4ca05d2e34d82eecb522062f508b197505c58b202a/detection Edited February 23, 2021 by Happy2Play
Happy2Play 9782 Posted February 23, 2021 Does seem odd, as Trojan.Badur.Win32 has been around for years and only one engine sees an issue. Zillya does seem to have a lot of false positives per online search.
graintiger 2 Posted February 23, 2021 Author So would the general consensus here be that the file is safe and the flag on Zillya is likely a false positive?
graintiger 2 Posted February 23, 2021 Author (edited) 6 minutes ago, Luke said: Yes certainly. Is it worth reporting to help@zillya.com as a false positive? Edited February 23, 2021 by steveyeu
Luke 42080 Posted February 23, 2021 12 hours ago, steveyeu said: Is it worth reporting to help@zillya.com as a false positive? Yes it is. @cayars can look into that. Thank you for reporting this to us.
graintiger 2 Posted February 24, 2021 Author For reference, the same setup file from the download page is also now picked up by VBA32 as Trojan.Zpevdo: https://www.virustotal.com/gui/file/1373e04ae35830c2af063f4ca05d2e34d82eecb522062f508b197505c58b202a/detection
Happy2Play 9782 Posted February 24, 2021 Since the setup file modified your firewall, I would expect this one. But since it is from the same engine, one would need to tell them it is a safe installer. Quote: "Win32/Zpevdo is a high-risk trojan designed to modify Windows Firewall settings. This malware typically infiltrates systems when another trojan is installed (a result of "chain infections") or when users visit malicious websites. The presence of the Win32/Zpevdo trojan makes the system more vulnerable to other infections."
graintiger 2 Posted February 24, 2021 Author Wait, are VBA32 and Zillya using the same engine?
Happy2Play 9782 Posted February 24, 2021 1 minute ago, steveyeu said: Wait, are VBA32 and Zillya using the same engine? Sorry, I misread the chart. But knowing the definition of Zpevdo, I would expect it.
graintiger 2 Posted February 24, 2021 Author (edited) Makes sense. Are there any plans to publish the MD5/SHA256 checksums on the download page for the file so that it is easily compared and verified in situations such as these? Edited February 24, 2021 by steveyeu
Luke 42080 Posted February 24, 2021 14 hours ago, steveyeu said: Makes sense. Are there any plans to publish the MD5/SHA256 checksums on the download page for the file so that it is easily compared and verified in situations such as these? Yeah, we publish those; I just haven't had a chance to add them to the website yet.
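Once checksums are on the download page, the check the thread is asking for is mechanical: hash the file you actually downloaded, compare it in constant time against the published digest, and keep the actual digest around so a mismatch can be pasted straight into VirusTotal. The script below is an added example for this thread, not Emby project code. It assumes the GNU `sha256sum` list format (`<64 hex>  <name>`, with an optional `*` binary-mode marker), which is what most download pages publish; the installer file names are assumptions. The two digests in the constructed list are the SHA-256 values from the VirusTotal links in this thread (stable and beta); the stand-in file written by `demo()` is constructed, so it deliberately produces a mismatch.

```python
"""Verify a downloaded installer against a published SHA-256 checksum list.

Added example for this forum thread; not Emby's own code. The sha256sum-style
checksum format and the installer file names are assumptions.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")

# Constructed checksum list. Digests are the SHA-256 values from the
# VirusTotal links in this thread; the file names are assumed, and the last
# line is deliberately malformed to show that it is ignored, not trusted.
PUBLISHED = """\
1373e04ae35830c2af063f4ca05d2e34d82eecb522062f508b197505c58b202a  emby-server-setup.exe
69dfe396541681f27b510eb85a53fd88429533cdcd22efd8df0f8c6469e39aa8 *emby-server-beta-setup.exe
not-a-digest  something.exe
"""


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a large installer is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text: str) -> dict:
    """Parse sha256sum-style lines into {file name: lowercase hex digest}.

    Lines that are blank, comments, or do not carry a 64-character hex digest
    are skipped rather than accepted, so a corrupted list cannot produce a
    bogus 'match'."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip()
        if name.startswith("*"):          # GNU binary-mode marker
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX:
            continue
        expected[name] = digest
    return expected


def verify_digest(name: str, actual: str, checksum_text: str) -> dict:
    """Compare an already-computed digest against the published list.

    Returns a verdict plus both digests, so the actual value can be looked up
    on VirusTotal whether or not it matched."""
    published = parse_checksum_file(checksum_text)
    if name not in published:
        return {"status": "unlisted", "actual": actual, "expected": None}
    # Constant-time comparison; both strings are ASCII hex so str is accepted.
    ok = hmac.compare_digest(actual.lower(), published[name])
    return {"status": "match" if ok else "MISMATCH",
            "actual": actual.lower(), "expected": published[name]}


def verify_download(path: str, checksum_text: str) -> dict:
    """Hash the file on disk and verify it under its base name."""
    return verify_digest(os.path.basename(path), sha256_file(path), checksum_text)


def demo() -> dict:
    """Write a constructed stand-in for the installer and verify it.

    A real run would point verify_download() at the setup.exe you downloaded;
    here the content is fake, so the expected verdict is MISMATCH."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "emby-server-setup.exe")
        with open(path, "wb") as f:
            f.write(b"constructed stand-in, not the real installer")
        return verify_download(path, PUBLISHED)


if __name__ == "__main__":
    print(demo())
```

On a real download, a `MISMATCH` means either the download is corrupt or you did not get the file the vendor hashed; the actual digest printed alongside is the value to search on VirusTotal, where a hash that has never been seen is itself a warning sign when the vendor's build has been public for a while.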