False positive: Kaspersky / ESET NOD32 currently flagging syncthing.exe as infected

Since June 30, I believe, Kaspersky is flagging Syncthing as “not-a-virus”, but deletes the executable every time I try to restore and run it. Below are the exact details Kaspersky gives me.

"Deleted legal software that can be used by criminals to damage your computer or personal data not-a-virus:NetTool.Win32.TorJok.aa C:******\syncthing.exe Low "

You should report it to your AV vendor.

Sorry, I should have said that. I have reported it to Kaspersky. I was just curious if anyone else with Kaspersky was having the same issue.

I’ve heard similar.

I reported this to Kaspersky on 1st July with ticket ID KLAN-6471820464. Other than the auto-reply I’ve had nothing back. Perhaps, with you as a paying customer, they’ll actually put some effort into resolving the problem?

I’m still encountering the same behavior with Kaspersky Endpoint Security 10 for Windows.

I’ve reported it today as well but this can take time, obviously.

My workaround currently is to downgrade to syncthing version 0.14.29 (with the file syncthing-windows-amd64-v0.14.29.zip). This version is not removed by Kaspersky (as of now); v.30, .31, and .32rc2 are removed.

I hope Kaspersky doesn’t add v.29 to their signature database…

Sadly the same thing with ESET Endpoint Antivirus. 0.14.29 works fine, updating to 0.14.32 fails because the antivirus recognizes it as a trojan.

ESET have confirmed both the 32- and 64-bit Windows builds of 0.14.32 will no longer be detected in the next release of their detection engine.

I wonder if it’s something stupid like more malware being written in Go and their signatures actually triggering on parts of the runtime, or something like that.

Just a heads up. NOD32 has been flagging the Windows x64 build of syncthing.exe (v0.14.32-rc.2) as an infection for the past 36 hours or so. It’s reporting it as ‘a variant of Generik.BVOAMLP trojan’. I’ve just sent off a false positive report to samples@eset.com, so hopefully they will investigate and fix their definitions soon.

As this isn’t a bug as such, I thought it best to let you guys know here rather than on GitHub.

Thanks, that was the right thing.

It looks like they’ve fixed it in their latest definitions as it’s no longer being flagged as infected.

Yes, I reported it as well. It was already fixed when they took on my ticket… I created the ticket on Sunday evening.

It seems the issue is back. File gets deleted by NOD32 using definitions from 2017/07/11.

Confirmed fixed with ESET virus definitions 15729.

It’s been over a month and Kaspersky is still blocking syncthing. I’ve reported the issue a number of times to Kaspersky, but so far there has been no progress. Is anyone else still having issues?

I got an autoreply but nothing else from Kaspersky. They have been detecting most, if not all, of the versions (release and full) since this one.

Time to vote with your wallet.