Trojan.Win32.Ebowla.il #182

Closed
1 of 6 tasks
osher opened this issue Jul 6, 2016 · 15 comments

@osher

osher commented Jul 6, 2016

Day after installing nvm using the msi installer - I got the attached virus alert, which I thought you might want to know about:
Trojan.Win32.Ebowla.il

My Environment

  • Windows 10

I have already...

  • [ X] read the README to be aware of npm gotchas & antivirus issues.
  • [ X] reviewed the wiki to make sure my issue hasn't already been resolved.
  • verified I'm using an account with administrative privileges.
  • [ X] searched the issues (open and closed) to make sure this isn't a duplicate.
  • made sure this isn't a question about how to use NVM for Windows, since gitter is used for questions and comments.

My issue is related to (check only those which apply):

  • settings.txt
  • proxy support
  • 32 or 64 bit support

Expected Behavior

After installing - I expect no viruses with any reference to nvm

Actual Behavior

See photo:
Trojan.Win32.Ebowla.il

Steps to reproduce the problem:

Just FYI

@coreybutler
Owner

Thanks for reporting this, though I'm kind of stumped on what in nvm4w could trigger this. Was this with the latest v1.1.1?

@coreybutler
Owner

This appears to be a false positive. See golang/go#16292 for detail. There isn't much I can do about this since it appears Kaspersky is specifically looking for Go signatures. I suspect many other Go apps will have this same false positive.

For anyone coming across this issue with Symantec products, please see issue #133.

Closing, since there is nothing I can do about this until Go fixes it.

@webuniverseio

Hi, I also get an alert from Malwarebytes for version 1.1.1. I didn't have that issue with 1.0.6.


@Offirmo

Offirmo commented Jul 24, 2016

Windows Defender as well


@sawilde

sawilde commented Jul 24, 2016

Some multi-scan analysis

nvm-setup.exe

https://www.virustotal.com/en/file/04f1488a7074b12a7809834798e6d726e1c72d982f8277f4650744780fa5fe3c/analysis/1469399604/

nvm.exe

https://www.virustotal.com/en/file/b194e2ebb14b5694dbabb88d9beb3a366aa4e1b3767586ae7a6cbae994160978/analysis/1469399770/

To deal with this you'll need to submit it to each vendor as to why you think it is a false positive.

@coreybutler
Owner

@sawilde - very helpful, thanks for your comments.

@coreybutler
Owner

To all: @sawilde is correct, each vendor needs to be contacted in regards to the false positive. The folks behind Go (i.e. Google) are in the process of doing this, but there is no ETA. I've looked into doing it specifically for NVM4W. There are a lot of requirements around having a registered company, a website, and a bunch of other validation processes (depending on the vendor). I have a company, and I'll be obtaining signing certificates for my other project (Fenix) that I believe can be used in this scenario. It's something of an ordeal though, so I cannot promise anything at the moment.

Depending on how complex this ultimately ends up being, I may consider switching to Java. I'd like to wait a little bit because I really don't want to switch to Java. I also have to believe the entire Go community will be pushing for this, since the entire programming language has been flagged.

@coreybutler
Owner

This was posted in Gitter, but for anyone viewing this, there is a video showing how to exclude files in Windows Defender.
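
Added example, not part of the original thread or the project's code: a PowerShell check that gates a Windows Defender exclusion on the file matching the SHA-256 of the nvm.exe analysed in the VirusTotal link posted above. The default path is an assumed install location; a match only shows the local file is the same one that was analysed.

```powershell
# Added example: only exclude nvm.exe from Windows Defender if it is
# byte-for-byte the file whose analysis was linked in this thread.
param(
    # Assumption: default nvm-windows install location; adjust as needed.
    [string]$Path = "$env:APPDATA\nvm\nvm.exe",
    # SHA-256 of nvm.exe, taken from the VirusTotal URL quoted in the thread.
    [string]$ExpectedSha256 = 'b194e2ebb14b5694dbabb88d9beb3a366aa4e1b3767586ae7a6cbae994160978'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

# Resolve to a full path so the exclusion covers exactly one file.
$resolved = (Resolve-Path -LiteralPath $Path).Path
$actual   = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash

# -ne on strings is case-insensitive, so upper-case output from
# Get-FileHash compares correctly against the lower-case expected value.
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch for $resolved (got $actual). Exclusion not added."
}

# Informational only: report whether the binary carries a valid signature.
$sig = Get-AuthenticodeSignature -LiteralPath $resolved
Write-Host "Authenticode status: $($sig.Status)"

# Exclude the single file rather than the whole folder, so anything else
# dropped next to it is still scanned. Requires an elevated session.
Add-MpPreference -ExclusionPath $resolved
Write-Host "Added Windows Defender exclusion for $resolved"
```

The exclusion is tied to the path, not the hash, so it should be removed with `Remove-MpPreference -ExclusionPath` once updated definitions stop flagging the file.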

@georgeedwards

Urgh, this is really biting me with Kaspersky Total Security v16. Which deletes nvm.exe whenever it is used... Even if I add it to my trusted applications, it still gets deleted.

@MartinKolarik

Had the same problem with avast! a few days ago. Sent them a false-positive report and it seems they already fixed it. Either way, having a signed executable would be great, and would most likely help with AV false-positives as well.

@sawilde

sawilde commented Aug 2, 2016

Updated Windows Defender

Analysis of the file(s) in Submission ID MMPC16080237329614 is now complete.    

This is the final email that you will receive regarding this submission.    

The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 8/2/2016 6:14:01 AM Pacific Time.    
Below is the determination for your submission. 

========    
Submission ID MMPC16080237329614    

  Submitted Files   
  ============================================= 
  nvm-setup.zip [Not Malware]   
  +---nvm-setup.exe [Not Malware]

Your submission was scanned using antimalware definition version 1.225.2971.0.
========    

The latest definitions work.

@coreybutler
Owner

@sawilde - awesome!!!

@coreybutler
Owner

@MartinKolarik - also awesome! that avast has already fixed it!!

@coreybutler
Owner

@szarouski - I've got an awesome friend at Malwarebytes who looked into this and got it whitelisted. So, it should be "safe" in the latest definitions.

@AlexWalker222

This comment was marked as duplicate.
