Antivirus false positive on ransomware and keylogger for MikTex & TexStudio?

[Wrichik Basu]

TL;DR Summary

Is my antivirus giving false warnings while installing TexStudio and MikTex?

I decided to set up $\LaTeX$ in my PC, windows 7, 32 bit. The pc has a legal version of QuickHeal Internet Security antivirus.

I downloaded TexStudio and MikTex. When I started installing TexStudio, QuickHeal said that the installer file was a potential keylogger, and put it into quarantine.

I couldn't find any evidence online of something similar happening with others, so I set the antivirus to exclude the installer, and could successfully install TexStudio.

When I started installing MikTex, while the installation was half-way through, QuickHeal said that there was a ransomware in MikTex files, and stopped the installation. The only way to install now is to switch off the antivirus completely during the installation process, and then setting it to exclude the MikTex folder.

Can anyone confirm these are false warnings? I know that QuickHeal isn't a very good antivirus, but my father isn't ready to discard it before the license expires. I got similar warnings when I installed Frizing. Is there a chance that the installer file is getting corrupt while downloading? Or are these just false warnings that I can overlook?

 

[jedishrfu]

Dont be too quick to turn your settings off as you may be among the first of many.

Recently, some common repositories have been infected with malware. Apparently these malware dolls have decided to destroy their own source of free code.

 

[jedishrfu]

Here's some dated discussion on latex being infected or not and some false alarms due to files with names that match known malware but weren't.

https://tex.stackexchange.com/questions/134656/full-version-of-tex-live-malware-checked

 

[jedishrfu]

And here's a cautionary article on it:

https://www.usenix.org/system/files/login/articles/73506-checkoway.pdf

 

[Wrichik Basu]

I am actually helpless, I think. Keeping in mind your links @jedishrfu, perhaps it will not be safe to continue with the installation of MikTex (I can uninstall TexStudio too). But again, so many people in the science community are using these, and they haven't complained.

Is there any place where I can upload the files for a check? QuickHeal doesn't seem to have such a service.

By the way, can such problems exist in the portable version as well?

 

[DrClaude]

Can you get a specific indication which file(s) is getting flagged?

 

[Rive]

Is there any place where I can upload the files for a check? QuickHeal doesn't seem to have such a service.

I think they have something (I don't know if it is active or not).
Generally, switching off the protection during install is not a good idea. Uninstall would not be any help, by now any half-decent malware would dig in itself. Just try to do a system check with different security software.
Maybe, done by a different machine (with moving the HDD).

 

[sysprog]

It's most likely that you're getting false positives, but just in case, you could try doing what I did:

Direct download for TeXstudio:
https://sourceforge.net/projects/texstudio/files/2.12.14/texstudio-2.12.14-win-qt5.exe/download
I didn't see a checksum there, so I also checked the page at: https://fossies.org/windows/misc/texstudio-2.12.14-win-qt5.exe/
and found checksums, and other useful information, including the github link below:

I then downloaded the same file from:
https://github.com/texstudio-org/texstudio/releases/download/2.12.14/texstudio-2.12.14-win-qt5.exe
Then, after checking the byte count:

I ran WinMerge (an open-source freeware file comparison utility) to verify that the file contents were identical.

You can find that utility here:
http://winmerge.org/downloads/index.phpThat page has a link for the SHA-256 checksums for WinMerge.

I don't think anyone's going to corrupt the same file on both sourceforge and github. I ran the installer on a test machine and it ran fine. Then I launched the program, it loaded fine.

If you run it before installing MikTex, you'll get a warning with a link for installing it or a similar product so you can save your pages to PDF.

For MikTex, the direct download is here:
https://miktex.org/download/ctan/systems/win32/miktex/setup/windows-x64/basic-miktex-2.9.7031-x64.exe
The https://miktex.org/download page has the SHA-256 hash for verifying the file.

Here's a link to a tutorial page (with links to free utilities), that explains how to use the SHA-256 hash to verify the file: https://www.maketecheasier.com/verify-md5-sha-1-sha-256-checksum-windows10/

Bottom line: The files I got from the above sources were not corrupted and had no malware. Once you do the same verification for your copies, I think you can safely whitelist them in your AV product.

 

[Wrichik Basu]

Can you get a specific indication which file(s) is getting flagged?

Nope, QuickHeal deleted the corrupt file before I could do anything, and aborted the installation. The deletion is not present in the reports.

 

[sysprog]

Nope, QuickHeal deleted the corrupt file before I could do anything, and aborted the installation. The deletion is not present in the reports.

Quarantined usually isn't the same as simply deleted. QuickHeal may have 'moved' the file to a quarantine folder. If so, you may be able to find it there.

 

[Wrichik Basu]

Quarantined usually isn't the same as simply deleted. QuickHeal may have 'moved' the file to a quarantine folder. If so, you may be able to find it there.

The texstudio.exe (suspected keylogger) is still in quarantine, but for MikTex (suspected ransomware), the antivirus completely deleted the file.

By the way, I am working to try out your method.

 

[sysprog]

The texstudio.exe (suspected keylogger) is still in quarantine, but for MikTex (suspected ransomware), the antivirus completely deleted the file.

By the way, I am working to try out your method.

I don't know your AV product, but it could be that it misinterpreted the numerous \ characters in $\TeX$ and $\LaTeX$ code as something trying to do something outlandish with directories -- that's just speculation on my part. If the product has blacklisted the file name, you might, after making sure you have a legitimate version, rename a copy of the file before trying again. You could also try the portable version, or use the command line install with the zip version.

 

[Wrichik Basu]

@sysprog This time, I verified the hash with MD5_and_SHA_Checksum_Utility. The matching was ok, and I installed both MikTex and TexStudio, without any threat.

But QuickHeal says that the main executable file of MikTex is a keylogger, and has quarantined it (see the last file in the list):

Same for texstudio:

I believe I can set the antivirus to exclude these files, right? Seems like false positives.

 

[sysprog]

Here's a link to a list of files in the MikTex distribution: https://miktex.org/Package/Browse/miktex-qt5-bin-x64

Qt5Core.dll is on the list.

I think it's safe to say that if you got it from mktex.org, it's not a keylogger, it's a legitimate file.

However, the Qt platform is used by other applications, and your AV product may recognize that the Qt5Core.dll file is registered to another product in the system registry, and therefore decide that your install is trying to tamper with another product's files. Speculation again: the Qt5core.dll file being common to multiple products, its name may have been used before as part of an exploit, and your AV product may have it flagged accordingly.

Python 3.5.0 |Anaconda 2.4.0 (64-bit) has the Qt platform, and consequently uses Qt5Core.dll.

You could do a global search for that file name, and check whether it's already there as part of another product.

As long as the MikTex version of Qt5Core.dll is installed only within its the MikTex directory structure, I think it's safe to whitelist it in your AV product.

For your recent installs of the 2 products, it may suffice to just hit the restore button on those files, and follow through with allowing it past any warnings.

The Properties dialog for my just-installed copy of texstudio.exe looks like this:

If yours matches that on the created/modified date/time, and on the byte count (there could be a small variance in the size on disk due to different device characteristics), I'd say it's safe to restore it from the quarantine.

 

[Wrichik Basu]

Thanks @sysprog. Restored the files from quarantine. TexStudio is opening properly. I downloaded a .tex file from APS. It opened properly, but when I complied it, there was a problem, "Qt path not found". According to this source, it is the Qt of MikTex. I'll see what I can do and let you know tomorrow.

 

[sysprog]

I installed MikTex, and located the Qt5 files. I noticed while watching the install window that it uses a Unix-style install procedure (adapted for Windows), in which some of the earlier-installed components are passed control to install some of the later ones. I therefore suspect that the intervention of your AV product, which rendered Qt5Core.dll unavailable during the install, was not remediable by merely restoring that library from quarantine, as it was needed for the completion of part of the Qt5 platform subset of the MikTex install.

Here's a Windows Explorer image of the main relevant directory, showing the Qt5 files:

Please note that there should be 601 files in that directory. There is also a profile file that should have been updated to contain the Qt5 path, and I think that the flawed install process prevented that update from being done correctly.

I recommend that you de-install both MikTex and TeXstudio, then whitelist them in your AV product, then re-install them, MikTex first (because TeXstudio will try to find MikTex already installed).

 

[Wrichik Basu]

I recommend that you de-install both MikTex and TeXstudio, then whitelist them in your AV product, then re-install them, MikTex first (because TeXstudio will try to find MikTex already installed).

I also thought that blacklisting of the files could hamper the installation. But you know what? The antivirus is now malfunctioning. No matter how much I tell it to exclude those files and folders, it won't listen. The moment I open TexStudio, it will quarantine the .exe file. And as I open the MikTex console, it will quarantine the Qt file. But now I cannot take it out of quarantine, God knows why. I am asking QuickHeal to restore the files, but it won't.

I will try installation tomorrow by turning the antivirus off completely. I'll keep in mind the order you specified. If it doesn't work even after that, I'll leave it. It's becoming rather frustrating. I spent an hour trying to tell QuickHeal to exclude that folder, but it just won't listen. Even restart of pc didn't solve the problem.

I will keep you posted on the situation.

 

[Wrichik Basu]

Sorry, but the installation attempt was a failure. I switched off the antivirus, but as MikTex was being installed, it blocked the setup wizard:

And then stopped the installation before I could do anything.

I tried again, now it gave a different error:

Basically MikTex wants an empty directory. Windows has denied the setup wizard access to C:\Program Files. If I ask it to install in any other directory, it is giving an error that the directory is not empty. If I make an empty folder and ask it to install there, it is giving the above error.

It seems I have no luck with my PC. Maybe after some months when I buy a laptop, I can try there.

But @sysprog thanks for helping me out to quite a great extent, and also to others for their suggestions.

I am trying to install the portable version, but I have no idea if that would work.

Update: No, it didn't work.

 

[sysprog]

If your Quick Heal product is issuing messages that way, it obviously isn't effectively turned off.

I think the simplest next step would be to start in Safe Mode, which won't start the AV program, and then run the install.

I'm actually kinda ticked off that your AV product is getting in the way of your access to some of the benefit of Prof. Knuth's wonderful work as the originator of $\TeX$.

Here's a photo of him playing his custom-built pipe organ in 2018:

 

[Wrichik Basu]

I think the simplest next step would be to start in Safe Mode, which won't start the AV program, and then run the install.

Good idea. Will try that. Should I choose Safe mode with networking or simply safe mode?

But then again, there is a chance of the antivirus putting the .dll and .exe files into quarantine (as I said, it is not listening to me even if i ask it to do otherwise). Nevertheless, I will try your method.

 

[sysprog]

I recommend without networking. Just bring up what you need for the purpose of getting your install done. The installer wanting to go to the net to make sure you have the most recent version of everything can be denied and disregarded and the install will still complete successfully.

 

[Ampulla]

Do not turn your anti-virus off too quickly. There's no way the software gives a false warning. Everything has a reason. If your downloading is not from the official website, you should scan your computer once again. It's an experience I got from Techgara.

 

[sysprog]

Do not turn your anti-virus off too quickly.

That's good general advice.

There's no way the software gives a false warning.

That's not true; there are many ways for a false warning to occur.

Everything has a reason.

I don't disagree with that; however, that doesn't mean that a diagnostic program is incapable of misdiagnosis.

If your downloading is not from the official website, you should scan your computer once again. It's an experience I got from Techgara.

It looks to me like you're presenting 'drive-by' general advice without having read the thread in it's entirety. It's well-understood here that in general, it's worthwhile to try to keep any errors on the side of caution. In this matter, @Wrichik Basu has painstakingly ensured that the software is from an authoritative source, and is not corrupted.

 

[Ampulla]

That's good general advice.
That's not true; there are many ways for a false warning to occur.

I don't disagree with that; however, that doesn't mean that a diagnostic program is incapable of misdiagnosis.
It looks to me like you're presenting 'drive-by' general advice without having read the thread in it's entirety. It's well-understood here that in general, it's worthwhile to try to keep any errors on the side of caution. In this matter, @Wrichik Basu has painstakingly ensured that the software is from an authoritative source, and is not corrupted.

Sorry for just skimming the first post xD

 

[sysprog]

Sorry for just skimming the first post xD

That's ok, I'm sure you were just trying to be helpful in maybe keeping someone from getting harmed by malware.
Welcome aboard PF, the Physics Forums, from a member who's comparatively new here, too. The forums are well-disciplined, and the Staff members and Science Advisors here, along with the members in general, are very loyally devoted to the PF mission. Thanks for being here as a member.

 

[sysprog]

But then again, there is a chance of the antivirus putting the .dll and .exe files into quarantine (as I said, it is not listening to me even if i ask it to do otherwise). Nevertheless, I will try your method.

Assuming your Windows OS is not corrupted, Safe Mode won't start the AV product, so the AV product will have no chance of interfering with your installs.

 

[Wrichik Basu]

@sysprog Tried in Safe mode, but got this error:

This seems to be a well-known bug over the internet, with no fix unfortunately.

Same error came in Normal mode too (I bypassed the ransomware alert) when I tried later.

 

[sysprog]

Try installing into a directory path that doesn't include spaces in any of the directory (folder) names.

@sysprog Tried in Safe mode, but got this error:

View attachment 243294

This seems to be a well-known bug over the internet, with no fix unfortunately.

Same error came in Normal mode too (I bypassed the ransomware alert) when I tried later.

I suggest that you try copying the installer file into a newly created directory/folder, such as C:\temp01, and when running the installer, specify another newly created directory/folder, such as C:\MikTeX, with no spaces in the directory/folder name, as the target directory/folder. Also ensure that the original installer filename is not changed, including by a (1) or (2) index being inserted into it due it being a subsequent download of the file. If you encounter the problem again, please move the alert box aside before making a screenshot and posting it, so that the content of the window behind it is visible.

 

[James Demers]

I trust you've cloned the drive, and put the clone away in a drawer.

TexStudio comes up clean with just about every other antivirus scanner out there:
https://www.virustotal.com/en/file/...4a7255993b26e42684d949a456415e21fd4/analysis/
It's also hard to believe that you'd get so many roadblocks from a false postiive. I would download the installer from a different source, and try again. If that works, notify the original source ASAP.

 

[sysprog]

I trust you've cloned the drive, and put the clone away in a drawer.

Of course it's a good idea to make some kind of reliable backup.

TexStudio comes up clean with just about every other antivirus scanner out there:
https://www.virustotal.com/en/file/...4a7255993b26e42684d949a456415e21fd4/analysis/

The VirusTotal site that you linked to looks like a useful resource; however, a TexStudio install is not at issue at this juncture; the MikTeX product install is, and the MikTeX installer passes the tests there too. I think it's worth noting that QuickHeal, the AV product in question in this thread, is not on the list of AV engines there.

It's also hard to believe that you'd get so many roadblocks from a false postiive. I would download the installer from a different source, and try again. If that works, notify the original source ASAP.

That seems like a wrong remedy to me. I think that @Wrichik Basu has already adequately verified the authenticity of the installers of both programs, and has now encountered another problem that is probably not related directly to his AV product. I think that his current obstacle may be related to his prior MikTeX install attempts having produced some residual detritus that is interfering with his most recent attempt.

 

[Wrichik Basu]

I suggest that you try copying the installer file into a newly created directory/folder, such as C:\temp01, and when running the installer, specify another newly created directory/folder, such as C:\MikTeX, with no spaces in the directory/folder name, as the target directory/folder. Also ensure that the original installer filename is not changed, including by a (1) or (2) index being inserted into it due it being a subsequent download of the file. If you encounter the problem again, please move the alert box aside before making a screenshot and posting it, so that the content of the window behind it is visible.

Followed your advice word by word. Got the same error:

 

[sysprog]

I had previously not been able to replicate your problem; however, I had been using the 64-bit version. Using the 32-bit version, I was able to replicate the problem when running with (other than the install directory) the default options. When I switched from 'for all users' to 'this user only', the install ran successfully.

 

[Wrichik Basu]

I had previously not been able to replicate your problem; however, I had been using the 64-bit version. Using the 32-bit version, I was able to replicate the problem when running with (other than the install directory) the default options. When I switched from 'for all users' to 'this user only', the install ran successfully.

Thanks, could finally install MikTex properly (I installed in safe mode).

MikTex wants to set the PATH variable to its own bin folder. The variable already has the jdk address. I know I can set multiple addresses with the delimiter ;, but MikTex is not taking this. It wants to be the sole address in the PATH variable.

Any idea how I can keep both addresses (jdk and miktex) in PATH?

 

[sysprog]

Yay! You fixed it! Now you can write $\TeX$ and ftp://ftp.dante.de/tex-archive/info/intro-scientific/scidoc.pdf ($\leftarrow$nice writeup there) stuff to your heart's content. I've rarely had to address any PATH issues since the '80s. Here's a link to a tutorial on modifying the Windows PATH: https://www.h3xed.com/windows/how-to-add-to-and-edit-windows-path-variable

 

[Dr-Flay]

If you are having problems with installing for different types of user, make sure you right-click and run the installer as Admin.When having problems with an AV and installers, simply excluding the installer or folder it is in will not help, as the unpacked files are not the installer, they are new files in a new location.
You have to disable the AV temporarily. If it is still complaining, you didn't actually disable it.

At the end of the install process and before enabling the AV again you can exclude the new program folder.
The problem is that you now lose all protection of the contents of that folder so in future it could be full of malware.

Looking at your picture of the quarantined files it seems to have issue with Qt files in other software, so has obviously borked them or certain features. Either that or you have had a lot of bad downloads.
Looking at Quick Heal ratings, I would say go and buy a magic 8-ball or some lucky heather from a passing gypsy, as it may do much better.
https://www.av-comparatives.org/vendors/quick-heal/Perhaps that is unfair as the AV-Test site does show it has improved this year, but it is up and down like a yo-yo.
https://www.av-test.org/en/antivirus/home-windows/manufacturer/quick-heal/I would suggest you put it to your father that continuing to use it till the end of the current payment is incredibly unwise and downright risky. Sometimes you need to cut your losses and run.
You can get top class protection for free with either Bitdefender, Avira or Kaspersky. They stay in the top 5 more than any others all year long, so you cannot lose out by comparison.
(General rule of thumb) all the best AV offer a free version as they know you are likely to pay for the full thing after using it.
Bad AV do not have free versions or offer a free trial period to force you to buy.

Whatever AV (or OS) you use you should have a VirusTotal or similar extension in your browser for a second opinion, so that all your downloads are scanned my multiple engines (bare in mind VT can be at most 1 month out of date).
You can use the official VT extension https://support.virustotal.com/hc/en-us/articles/115002700745-Browser-Extensions
or alternatives such as https://add0n.com/virus-checker.html and https://www.opswat.com/free-tools/secure-online-downloading
These allow testing of files before you get them or automatically upon finishing download.

If you are not confident in the AV you have it is worth adding more protection the system so that malware can be stopped or do less harm.
https://www.novirusthanks.org/products/osarmor/ (Free)
The tools on that site are useful for all Windows users, with or without AV protection.