Bitcoin Forum
Author Topic: Windows Security reports Electrum installer infected  (Read 159 times)
tenusertwo (OP)
Newbie
February 08, 2019, 11:56:22 AM
Last edit: February 08, 2019, 12:06:49 PM by tenusertwo
 #1

Windows Security reports the Electrum installer (electrum-3.3.3-setup.exe) as infected with Trojan:Win32/Ludicrouz.V.
Is it a known issue?

Windows deleted the file, so I can't double-check it against the checksum. But I downloaded it from electrum.org, so I'm pretty sure it's the good one.

Screenshot of the report:
https://imgur.com/a/3VqlAxS

Edit:
Easy to reproduce.
Just download electrum-3.3.3-setup.exe,
right-click on it -> Scan with Windows Defender.

Edit2:
I realized Windows did not only delete the installer file, but the whole Electrum installation.
NeuroticFish
Legendary
February 08, 2019, 12:03:23 PM
 #2

I don't know if it helps, but I just checked the official Electrum 3.3.3 setup with VirusTotal and 5 of 67 antivirus engines detect it as a trojan/malware. The result is similar for the portable version.

For the setup, I've read somewhere that it's caused by PyInstaller, which is used by a lot of malware.

Edit: if you are certain your system is clean, you should also check the signature to make sure you downloaded the right setup.

TryNinja
Legendary
February 08, 2019, 12:32:36 PM
 #3

It's just a false positive.

Don't worry. That's most likely just a false positive. Electrum shows as a trojan to a few AVs out there. If you downloaded it from electrum.org then you are safe. But make sure to verify the file signatures before running it.

Here is a tutorial on how to verify the file signature: https://bitcointalk.org/index.php?topic=5105901.0

I made a post talking about this yesterday:

Quote from: TryNinja
Lucius, yeah, just seen that thread.

Quote
ThomasV, could you please write the MD5 / SHA-1 / signature of the real Electrum 3.3.3 here in the sticky thread?
Just verify the signatures.

Electrum is commonly accused of being a trojan by a few random AVs. But that's just a false positive. It happens all the time.

Here is Electrum's "official" explanation:
Quote
"Anti-virus" software uses shitty heuristics to detect malware. PyInstaller is a convenient tool to package python apps. We use PyInstaller. Malware authors use PyInstaller. Everything that uses PyInstaller is detected as malware.
Quote
Anti-virus software have (and always had) false positives, and some of them tag Electrum as malware. This is out of our control. This does not mean that Electrum is or contains malware.

The Windows binaries are signed using the native Windows signing scheme by an entity named Electrum Technologies GmbH. They are also signed using GPG by @ecdsa (ThomasV). The GPG key fingerprint is 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6.

If you trust the developers of the project, you can verify the GPG signature, and ignore any anti-virus warnings.

If you don't trust the developers with not backdooring the binaries, you can (1) build binaries yourself; or (2) you can run from source. Some of the binaries are built reproducibly, so you can also check that those match.
More: https://github.com/spesmilo/electrum/issues/3198#issuecomment-458949319

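The two checks TryNinja's post asks for (verify the GPG signature against ThomasV's published fingerprint, and record the installer's hash), as an added example in Python. This is not code from the thread or from the Electrum project. It assumes gpg is on PATH, that the signing key has already been imported into the local keyring, and that the detached .asc signature was downloaded next to the installer. The point the parser makes is that gpg --verify exits 0 for a good signature from any key in the keyring, so the script reads gpg's machine-readable status lines and accepts only a VALIDSIG that carries the expected fingerprint, refusing on BADSIG, ERRSIG, or an expired or revoked key. The Authenticode signature on the .exe is a separate check (file Properties > Digital Signatures, or Get-AuthenticodeSignature in PowerShell) and is not covered here.

```python
"""verify_electrum.py - pin a detached GPG signature to an expected key.

Added example; not part of the original thread or of the Electrum project.
Assumes: gpg on PATH, signing key already imported, .asc next to the .exe.
"""
import hashlib
import subprocess
import sys
from pathlib import Path

# Fingerprint of ThomasV's signing key as quoted in the thread.
EXPECTED_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# gpg status tags that mean "do not trust this file", whatever else was printed.
FATAL_TAGS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob (used by the file variant and by tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path) -> str:
    """Stream a large installer through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_gpg_status(status_text: str, expected_fpr: str = EXPECTED_FPR):
    """Interpret the '[GNUPG:] ...' lines that gpg --status-fd emits.

    Returns (ok, reason). A VALIDSIG line carries the fingerprint of the
    signing (sub)key as its first field and, in modern gpg, the primary key
    fingerprint as its last field; either may match the pinned value.
    """
    expected = expected_fpr.upper().replace(" ", "")
    seen = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        tag = fields[1]
        if tag in FATAL_TAGS:
            return False, f"gpg reported {tag}"
        if tag == "VALIDSIG" and len(fields) >= 3:
            seen.append(fields[2].upper())   # signing (sub)key fingerprint
            seen.append(fields[-1].upper())  # primary key fingerprint
    if expected in seen:
        return True, f"valid signature from {expected}"
    if seen:
        return False, "valid signature, but from an unexpected key: " + ", ".join(sorted(set(seen)))
    return False, "no VALIDSIG line; signature not verified"


def verify_detached(installer, signature, expected_fpr: str = EXPECTED_FPR):
    """Run gpg --verify with status output on stdout and pin the result."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(signature), str(installer)],
        capture_output=True, text=True,
    )
    ok, reason = parse_gpg_status(proc.stdout, expected_fpr)
    if ok and proc.returncode != 0:
        # Never let a non-zero gpg exit pass, even with a VALIDSIG line present.
        return False, f"gpg exited {proc.returncode}: {proc.stderr.strip()}"
    return ok, reason


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_electrum.py electrum-3.3.3-setup.exe electrum-3.3.3-setup.exe.asc")
    exe, asc = Path(sys.argv[1]), Path(sys.argv[2])
    print("sha256:", sha256_of_file(exe))
    ok, reason = verify_detached(exe, asc)
    print("OK" if ok else "FAIL", "-", reason)
    sys.exit(0 if ok else 1)
```

Run it before the installer is executed, not after, since an AV quarantine (as happened to the OP) removes the file you would otherwise hash. Passing a lowercase or space-grouped fingerprint, as copied from a key listing, is accepted; the comparison normalises both sides.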
HCP
Legendary
February 09, 2019, 02:59:01 AM
 #4

Quote from: tenusertwo
Edit:
Easy to reproduce.
Just download electrum-3.3.3-setup.exe,
right-click on it -> Scan with Windows Defender.
I cannot reproduce this?

I even re-downloaded electrum-3.3.3-setup.exe from electrum.org (checked the digital signature)... and tried scanning it with Windows Defender... it doesn't complain about the file or show any viruses/trojans.

I know several users have seen Windows Defender complaining about the Electrum installers, so I am now wondering if my Windows Defender is working properly.

nc50lc
Legendary
February 09, 2019, 03:27:09 AM
 #5

Quote from: NeuroticFish
I don't know if it helps, but I just checked the official Electrum 3.3.3 setup with VirusTotal and 5 of 67 antivirus engines detect it as a trojan/malware. The result is similar for the portable version.
Hah! Scan the older versions and you'll get more false positives than that, and we've been using it for years.
Obviously false positives from those "super-aggressive" antivirus programs.

Example: Electrum v3.1.3 (Windows Installer Version) https://www.virustotal.com/#/file/4f2e0b548e1a8e7b8cc37b55ef4fdc663f93d20008f5b7948ed8cfafbce9b4c9/detection
Quote
AhnLab-V3: Malware/Gen.Generic.C2472072
Comodo: Malware@#3cz97x1rl7u5q
Fortinet: Riskware/TorJok
Kaspersky: not-a-virus:NetTool.Win32.TorJok.aic
MAX: malware (ai score=76)
Palo Alto Networks: generic.ml
Sophos AV: Generic PUA DO (PUA)
Trapmine: malicious.moderate.ml.score
ZoneAlarm: not-a-virus:NetTool.Win32.TorJok.aic
I've never heard of those AVs aside from Kaspersky, which is known for its aggressiveness.
My antivirus never detected anything in it, so...

NeuroticFish
Legendary
February 09, 2019, 06:34:32 AM
 #6

Quote from: nc50lc
My antivirus never detected anything in it, so...

Mine neither. Somehow I thought it was obvious that if only 5 of 67 find it then it's a false positive...
But in such cases I can't blame people if they want to be super sure (and check with ThomasV's key), especially with the recent madness with Electrum..
