
I got a Trojan KeyLogger through KeePass?

Help
Laura Nole
2017-02-05
  • Laura Nole

    Laura Nole - 2017-02-05

    I'm a first-time user of KeePass. I downloaded KeePass 2.35 and went through the installation and set-up process. About 2/3 of the way through updating my database, Malwarebytes' regular scan popped up with a potential threat warning, something that has never happened before. It told me it wanted to quarantine 17 items. The threat was listed as Trojan.KeyProwlerKeyLogger and was found inside the new KeePass application folder.

    I quarantined this folder and reinstalled KeePass; sure enough, Malwarebytes picked it up again. Should I be concerned?
    I can't find any information online, and I don't know if Malwarebytes is being over-cautious or there is indeed a security breach.

     
  • Paul

    Paul - 2017-02-05

    Did you get KeePass from the KeePass home page (keepass.info)?
    Check that KeePass.exe is the real product by right clicking on it and selecting Properties > Digital Signatures. It should look like the attached screen shot.
    If those things check out it may be a false positive.

    cheers, Paul

     
  • Laura Nole

    Laura Nole - 2017-02-05

    Hi Paul,

    I have done as suggested and the information is the same. The only slight difference is the timestamp: yours has 10:00, mine is 10:11. Other than that it's the same.

     
  • Laura Nole

    Laura Nole - 2017-02-05

    I went back to my download folder and saw that I had installed 'KeePass Password Safe 1.32 Setup' from the same link before installing version 2.35. I ran this through virustotal.com and saw this come up.

     
  • Paul

    Paul - 2017-02-05

    The installer is also digitally signed. If it checks out then it's a false positive, although it's worth scanning your machine just in case.

    cheers, Paul

     
  • Laura Nole

    Laura Nole - 2017-02-05

    I'm unsure why it would flag up in the first place if it is indeed a false positive. I can't seem to find similar issues on this forum.

     
  • Paul

    Paul - 2017-02-05

    Upload the files to Virus Total to triple check.
    https://www.virustotal.com/en/

    cheers, Paul

     
  • Laura Nole

    Laura Nole - 2017-02-05

    I did. As mentioned, the 1.32 one comes up with one Trojan error.

     
  • Dominik Reichl

    Dominik Reichl - 2017-02-05

    This clearly is a false positive. I've reported it to Rising; let's hope they fix it soon.

    Thanks and best regards,
    Dominik

     
  • Laura Nole

    Laura Nole - 2017-02-05

    Hi Dominik, thank you for replying. What about this makes it a clear false positive? I'm not being pedantic, I would just like to understand more about this issue.

    Also, if it helps, I posted this issue on reddit with some interesting responses about the http: https://www.reddit.com/r/security/comments/5s5pbi/malwarebytes_tells_me_i_got_a_trojan_keylogger/

     

    Last edit: Laura Nole 2017-02-05
  • wellread1

    wellread1 - 2017-02-05

    "What about this makes it a clear false positive?"

    If the file hashes of the downloaded file match the published hashes, then the file is the same file that was released by the developer a month ago and has not been modified by a third party (e.g. a malicious attacker).

    The official KeePass download site is https. However, the keepass.info website is http. The download page of keepass.info provides a link to the https download site. When you download KeePass you can navigate directly to the https download site, or use the http links on keepass.info to be redirected to the https download site. During the download you can verify, by inspecting the URL, that the download is from the official https download site.

     

    Last edit: wellread1 2017-02-05
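The two checks recommended in this thread, Paul's Properties > Digital Signatures check on the KeePass binary and wellread1's comparison of the download's hash against the published one, as an added PowerShell example. This is not code from the thread or from the KeePass project. It assumes the expected SHA-256 is copied by hand from the vendor's download page (not from the page the file was fetched from), and that the signer name to look for is the developer's name as it appears in the certificate on a known-good copy; both are passed in as parameters rather than hard-coded, since neither value appears on this page.

```powershell
# Added example (not from the forum thread or the KeePass project).
# Verifies a downloaded file two independent ways:
#   1. Authenticode signature on the file itself (what Properties > Digital Signatures shows)
#   2. SHA-256 of the file against a hash the caller copied from the vendor's page
function Test-DownloadedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: copied by hand from keepass.info, never from the download host.
        [Parameter(Mandatory)][string]$ExpectedSha256,
        # Assumption: a fragment of the signer's certificate Subject taken from a
        # known-good copy (e.g. the screenshot Paul attached), so a valid signature
        # from the wrong signer is still reported as a failure.
        [Parameter(Mandatory)][string]$SignerNameFragment
    )

    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = $null
        Signer          = $null
        CertAlgorithm   = $null
        Timestamped     = $false
        Sha256          = $null
        SignatureOk     = $false
        SignerOk        = $false
        HashOk          = $false
        Verdict         = 'FAIL'
    }

    # --- Check 1: Authenticode ---------------------------------------------------
    # Status values worth knowing: Valid, NotSigned, HashMismatch (file changed
    # after signing), NotTrusted (chain does not reach a trusted root).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = [string]$sig.Status
    $result.SignatureOk     = ($sig.Status -eq 'Valid')

    if ($sig.SignerCertificate) {
        $result.Signer        = $sig.SignerCertificate.Subject
        # This is the algorithm used to sign the *certificate*, not the file digest;
        # it is still useful for spotting an unexpected certificate.
        $result.CertAlgorithm = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        $result.SignerOk      = ($sig.SignerCertificate.Subject -like "*$SignerNameFragment*")
    }
    # A counter-signature timestamp keeps the signature verifiable after the
    # signing certificate expires; its presence explains the 10:00 vs 10:11 difference
    # the thread noticed (timestamps are per signing event, subjects are not).
    $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

    # --- Check 2: published hash --------------------------------------------------
    $actual        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.Sha256 = $actual
    $result.HashOk = ($actual -ieq $ExpectedSha256.Trim())

    if ($result.SignatureOk -and $result.SignerOk -and $result.HashOk) {
        $result.Verdict = 'PASS'
    }
    [pscustomobject]$result
}

# Usage (paths and values are placeholders to be filled in by the reader):
# Test-DownloadedBinary -Path "$env:USERPROFILE\Downloads\KeePass-2.35-Setup.exe" `
#     -ExpectedSha256 '<sha-256 copied from the keepass.info download page>' `
#     -SignerNameFragment '<signer name from a known-good copy>' | Format-List
```

The two checks fail independently and for different reasons: a `HashMismatch` status means the bytes changed after signing, a `Valid` status with `SignerOk` false means someone else signed a clean file, and `HashOk` false with a valid signature usually means the published hash was copied from the wrong release (or, as discussed later in the thread, that the page carrying the hash was itself altered, which is why the hash should come from the vendor's own site rather than the host that served the download).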
  • Paul

    Paul - 2017-02-06

    The http issue is a non-issue IMO. It is up to the user to confirm that security software checks out before attempting to use it, which is what you are doing.

    cheers, Paul

    p.s. If you are going to post the same question on more than one site you should do everyone the courtesy of mentioning it in your posts.
    http://www.excelguru.ca/node/7

     

    Last edit: Paul 2017-02-06
  • Adam

    Adam - 2017-02-17

    I wouldn't be so quick to dismiss this issue as a false positive, or assume that everything is 100% a-OK because a checksum matches. It would be worthwhile to doublecheck the checksums on the website to make sure those haven't been altered as well. This happened to Linux Mint. The website was hacked and the ISOs were infected.. AND the attacker altered the checksums to match the infected ISOs.

    It's honestly a little concerning how dismissive of a reaction this is getting.

     

    Last edit: Adam 2017-02-17
  • wellread1

    wellread1 - 2017-02-17
    1. Multiple accounts would have to be compromised, e.g.
       keepass.info (where the integrity hashes are kept) and
       sourceforge.net or possibly one of its mirrors (where the KeePass program files are kept).
    2. KeePass would have to have been infected from the release date or very soon after.
       A virus scan of a recent download by a service like Virus Total reports the date and time of the first analysis. In the case of KeePass-2.35-Setup.exe this date is 2017-01-09 13:11:55 UTC, which is the release date. A recently infected file would show a more recent first scan date.

    "This happened to Linux Mint. The website was hacked and the ISOs were infected... AND the attacker altered the checksums to match the infected ISOs."

    The Linux Mint blog post reporting the hack said:

    "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it" (my emphasis).

    An alert person would have observed they were downloading from a suspicious site. The post does not say that the published checksums were altered, only that the checksums of the infected ISO are different from those of an authentic ISO. The blog did post the correct checksums, presumably for convenience. One would have to investigate further than I did to determine whether the hackers actually altered the published checksums.

     

    Last edit: wellread1 2017-02-17
  • wellread1

    wellread1 - 2017-02-17

    It is also worth pointing out that https does not protect you if the account for the https site is one that is compromised.

     

    Last edit: wellread1 2017-02-17
  • fritzophrenic

    fritzophrenic - 2017-02-17

    "I wouldn't be so quick to dismiss this issue as a false positive, or assume that everything is 100% a-OK because a checksum matches. It would be worthwhile to doublecheck the checksums on the website to make sure those haven't been altered as well. This happened to Linux Mint. The website was hacked and the ISOs were infected... AND the attacker altered the checksums to match the infected ISOs."

    I'm more confident with the digital signature (using SHA-256!) that's on the file itself. Windows wouldn't show it as a valid signature if the file had been tampered with. So either the file was originally infected during Dominik's build process, or it's a false positive. While we should certainly not trust Dominik blindly, I'm sure, considering the popularity of KeePass, that we'd know by now if every build Dominik releases has an embedded trojan.

    Although that does bring up an interesting point...I find myself wondering, what sort of protections do you use to ensure your build machine isn't compromised, Dominik?

    "It's honestly a little concerning how dismissive of a reaction this is getting."

    I'm not really concerned because I trust Dominik, and I trust from the digital signature that Dominik built the installer executable. As far as I can tell there is one antivirus product on Virus Total (Rising) which I'd never even heard of before now, plus MalwareBytes, finding this. While I know MalwareBytes to be a quality product: well, sometimes mistakes are made. I give very little credence to Rising's result, especially considering the rest of the antivirus out there is not catching anything.

    All of this was pointed out and I'm not clear what other things you'd like someone to look at for more evidence.

     
