False positive: Kaspersky / ESET NOD32 currently flagging syncthing.exe as infected


(Me) #1

Since June 30, I believe, Kaspersky is flagging Syncthing as “not-a-virus”, but deletes the executable every time I try to restore and run it. Below are the exact details Kaspersky gives me.

"Deleted legal software that can be used by criminals to damage your computer or personal data not-a-virus:NetTool.Win32.TorJok.aa C:******\syncthing.exe Low "


(Audrius Butkevicius) #2

You should report it to your AV vendor.


(Me) #3

Sorry, I should have said that. I have reported it to Kaspersky. I was just curious if anyone else with Kaspersky was having the same issue.


(Jakob Borg) #4

I’ve heard similar.


(Adam Piggott) #5

I reported this to Kaspersky on 1st July with ticket ID KLAN-6471820464. Other than the auto-reply I’ve had nothing back. Perhaps, with you as a paying customer, they’ll actually put some effort into resolving the problem?


(theoky) #6

I’m still encountering the same behavior with Kaspersky Endpoint Security 10 for Windows.

I’ve reported it today as well but this can take time, obviously.

My workaround currently is to downgrade to syncthing version 0.14.29 (with the file syncthing-windows-amd64-v0.14.29.zip). This version is not removed by Kaspersky (as of now), v.30, .31, and .32rc2 are removed.

I hope Kaspersky doesn’t add v.29 to their signature database…


#7

Sadly the same thing with ESET Endpoint Antivirus. 0.14.29 works fine, updating to 0.14.32 fails because the antivirus recognizes it as a trojan.


(Adam Piggott) #8

Eset have confirmed both the 32- and 64-bit Windows builds of 0.14.32 will no longer be detected in the next release of their detection engine.


(Jakob Borg) #9

I wonder if it’s something stupid like more malware being written in Go and their signatures actually triggering on parts of the runtime, or something like that.


(Thrnz) #10

Just a heads up. Nod32 has been flagging the Windows x64 build of syncthing.exe (v0.14.32-rc.2) as an infection for the past 36 hours or so. It’s reporting it as ‘a variant of Generik.BVOAMLP trojan’. I’ve just sent off a false positive report to samples@eset.com, so hopefully they will investigate and fix their definitions soon.

As this isn’t a bug as such, I thought it best to let you guys know here rather than on GitHub.


(Jakob Borg) #11

Thanks, that was the right thing.


(Thrnz) #12

It looks like they’ve fixed it in their latest definitions, as it’s no longer being flagged as infected.


(Fraternl) #13

Yes, I reported it as well. It was already fixed when they took on my ticket… I created the ticket on Sunday evening.


(Sune1337) #14

It seems the issue is back. File gets deleted by Nod32 using definitions from 2017/07/11.


(Adam Piggott) #16

Confirmed fixed with Eset virus definitions 15729.


(Me) #17

It’s been over a month and Kaspersky is still blocking syncthing. I’ve reported the issue a number of times to Kaspersky, but so far there has been no progress. Is anyone else still having issues?


(Adam Piggott) #18

I got an autoreply but nothing else from Kaspersky. They have been detecting most, if not all, of the versions (release and full) since this one.

Time to vote with your wallet.