Kaspersky treats Syncthing as virus (false positive)


(Erich Heer) #1

This is a false positive.

// edit by @calmh


Kaspersky treats Syncthing as virus and deletes the EXE. After Re-Install happens exactly the same.


(Jakob Borg) #2

Unless you’ve gotten an infected binary from somewhere, I’d say Kaspersky is wrong.

Also, please stop using v0.11.3. It’s very old, even for the v0.11 branch, surely quite buggy, and extremely unsupported.


(theoky) #3

My Kasperskies (both versions: Endpoint Security 10 and internet security 2016) recognize the current version v0.13.7 as Trojan.Win32.Ebowla.ad, as well. Got the binaries from the github releases via autoupdate.

So let’s hope that the signature DB of Kaspersky is wrong and that they fix it soon.


(Adam Piggott) #4

Please report this false positive to Kaspersky. Maybe that way they’ll be less likely to incorrectly categories Syncthing later.


(theoky) #5

Submitted the url of the current windows release to the virusdesk of kaspersky.

Additionally, found this thread: http://forum.kasperskyclub.ru/index.php?showtopic=50669

But my “Google Russian” is not giving me much insight :unamused:


(Erich Heer) #6

version 11.3 <=> 13.7 that is a bit strange. I usually do the updates and I think that I used 13.? before.

Now I deleted the Syncthing folder and old data/downloads. Then I did the download again directly from SYNCTHING (win32).

Download was fine but as soon as I extracted/started SYNCTHING the Kaspersky popped up. First trying the repair and then deleting the SYNCTHING.EXE now with version 13.7 but with the same TROJAN.WIN32.EBOWLA.AD


(Erich Heer) #7

I just opened a support case with Kaspersky and put the syncthing-windows-386-v0.13.7.zip as attachment.


(Jakob Borg) #8

I’ve rebuilt a v0.13.7 binary on a clean Windows VM and it’s the exact same size as the official v0.13.7 download. There are a number of one byte differences along the way that I’m not 100% sure of why, but there’s no space for any malware to hide in the official download. I feel quite secure in saying that this is a false alarm.


(Koshy George) #9

Same here Kaspersky reports it as TROJAN.WIN32.EBOWLA.AD, got kaspersky to delete it, redownloaded it from the syncthing website kaspersky reported it as Virus again. Deleted it and removed it from all my machines Linux and all, just to be on the same side.


(Jakob Borg) #10

Again, this is a false positive.


(Jakob Borg) #11

(Jakob Borg) #12

(Jakob Borg) #13

Resolved as of now when refreshing Virustotal at least;

https://www.virustotal.com/en/file/e0cd618146663a554f3c5aaad69032f164c4993fc6919506edaaca4a78ee77a8/analysis/1466435029/

(“AegisLab” and “Jiangmin” are still confused, but hey can’t win every battle.)


(Jakob Borg) #14