[SOLVED] [04439300] Trojan WINRAR, false positive?

problematiqueMG
Registered user
Posts: 28
Joined: Tue, 24 Sep 2013, 11:16


Post by problematiqueMG » Fri, 18 Nov 2016, 13:27

Hello,

Yesterday I installed WINRAR (downloaded from the official site). Today I did a full scan on my PC and it detected this file as a Trojan: ProgramFiles\WINRAR\Default.SFX. The file is now in quarantine. Is this a false positive?

I'm pretty surprised because Winrar is a commonly used program. And I used it many years before.

Thanks in advance.

VirusBuster
Official moderator
Posts: 7596
Joined: Mon, 02 Apr 2012, 18:53
Location: Panda HQ - Bilbao

Re: Trojan WINRAR, false positive?

Post by VirusBuster » Fri, 18 Nov 2016, 14:03

What Winrar version did you install?
I have Winrar 5.40 (64 bits) installed and have scanned its installation folder and the file itself, and nothing is being detected.
Can you post a copy of the antivirus report?
Regards,

Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them


Re: Trojan WINRAR, false positive?

Post by problematiqueMG » Fri, 18 Nov 2016, 14:24

VirusBuster wrote: What Winrar version did you install?
I have Winrar 5.40 (64 bits) installed and have scanned its installation folder and the file itself, and nothing is being detected.
Can you post a copy of the antivirus report?

EDIT: My bad, the file in the report which I said I scanned is the old winrar exe file which was still on my PC. I decided to download the newest version 5.40 from rarlabs and installed it. 5.40 is the version which gives me the Trojan detection.

-------


Thank you for the quick reply. Sorry for posting this in the wrong thread though, I just noticed it.

I've installed version 5.40 (64 bits) downloaded from rarlab.com. The report is attached. You can see I scanned the winrar.exe file yesterday after downloading and before installing Winrar. Nothing found.

Now that it is installed, it says there's a Trojan in the folder.
Attachments
panda.jpg


Re: Trojan WINRAR, false positive?

Post by VirusBuster » Fri, 18 Nov 2016, 16:36

We have created the case 04439300 for this issue.
It seems to be language dependent, as my Spanish version is not detected but your Dutch one is.
We'll keep you updated.
Regards,



Re: [04439300] Trojan WINRAR, false positive?

Post by problematiqueMG » Fri, 18 Nov 2016, 17:15

Thank you for making a case for this issue. I look forward to the results.

For now, as it is nearly the weekend, can I make the conclusion that this is probably a false positive? (Are you 50%, 90% or 100% sure?)


Re: [04439300] Trojan WINRAR, false positive?

Post by VirusBuster » Fri, 18 Nov 2016, 17:20

I would say 90% false positive
Regards,



Re: [04439300] Trojan WINRAR, false positive?

Post by problematiqueMG » Fri, 18 Nov 2016, 23:09

OK, so this evening (Friday) I got a popup message from Panda saying that file 4c06138..... was removed from Quarantine. See the attachment for the log, but this is the English translation:

Event: blocking item undone
Status: Panda Antivirus Pro has determined the file can be used

Panda renamed the file to a strange name with numbers and letters, is this really the default.sfx file from Winrar? I'm a bit worried and not sure because Panda changed the name.

So if the answer is yes, the issue is basically solved, but I still have a couple of questions.

1. In the Panda interface it says 0 files in quarantine, but the physical file is still in the Quarantine folder on my PC (ProgramData\PandaSecurityProtection\Quarantine) with the strange filename. Panda didn't move it to the original location in the Winrar folder.

2. Can I rename it to Default.sfx and move it to the Winrar folder in Program Files?

OR
3. Do I need to reinstall Winrar to check if the issue is solved? If I do this, what do I need to do with the file with the strange name?
Attachments
panda2.jpg

TaTienDo
Official moderator
Posts: 344
Joined: Tue, 03 Apr 2012, 11:00

Re: [04439300] Trojan WINRAR, false positive?

Post by TaTienDo » Tue, 22 Nov 2016, 12:03

Hi,

The file has been reclassified.

Regards,
