See the attached screenshot.
Quite shocking to find a password stealer when installing yeoman.
This looks like a simple false positive from Windows Defender. Coincidentally, part of the compiled optipng binary happens to have the same bytes as a piece of a virus that Windows Defender has on file. Double-check that you have the correct download from the correct location, and check the key so you know you have an intact download, but otherwise nothing to worry about. Just one more reason not to use Windows ;)
The archive optipng-0.7.4-win32.zip and the executable optipng.exe (version 0.7.4) have the following checksums:
$ md5sum optipng-0.7.4-win32.zip optipng.exe
$ sha1sum optipng-0.7.4-win32.zip optipng.exe
If either the MD5 or the SHA1 is a mismatch, then the files on your system are infected from elsewhere. But if the checksums match, then, indeed (as Ian mentioned), it's a false positive, and that's possibly because of the UPX compression of the executable. Other false positives have also been reported in the past due to UPX compression.
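The check described in this reply (compute both digests of the download and treat a mismatch on either as a failed verification), as an added example that is not part of the thread. The published hashes are omitted above, so the digests below are placeholders: the well-known MD5 and SHA-1 of the constructed sample content "abc"; the file name is the archive named in the post.

```python
import hashlib
import hmac
import os
import tempfile

# Published checksums, one MD5 and one SHA-1 per file, as in the post.
# Placeholder values: the digests of the constructed sample content b"abc".
EXPECTED = {
    "optipng-0.7.4-win32.zip": {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    },
}

def file_digests(path, chunk_size=1 << 20):
    """Compute MD5 and SHA-1 of a file in a single streaming pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_download(path, expected):
    """Return (ok, mismatches). ok is True only when every published digest
    matches; a single agreeing digest is not evidence of an intact file."""
    actual = file_digests(path)
    mismatches = [alg for alg, want in expected.items()
                  if not hmac.compare_digest(actual[alg], want.lower())]
    return (not mismatches, mismatches)

def demo_results():
    """Verify a constructed intact copy and a copy with one byte changed."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.zip")
        bad = os.path.join(d, "bad.zip")
        with open(good, "wb") as f:   # constructed sample "download"
            f.write(b"abc")
        with open(bad, "wb") as f:    # same length, last byte altered
            f.write(b"abd")
        exp = EXPECTED["optipng-0.7.4-win32.zip"]
        return verify_download(good, exp), verify_download(bad, exp)

if __name__ == "__main__":
    good_result, bad_result = demo_results()
    print("good:", good_result)  # (True, [])
    print("bad: ", bad_result)   # (False, ['md5', 'sha1'])
```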
I am working for an AV company and a cursory check of the binary at https://github.com/yeoman/node-optipng-bin/blob/master/vendor/win/optipng.exe (the only revision according to the history) does not indicate that this is malware. Yes, I used IDA, a disassembler, to actually look over a few potential indicators.
Also, the file hash of the (UPX'd) binary matches the one from the project download area.
# The one from the download area
$ sha1sum optipng.exe
# The one from Github (above link)
$ sha1sum optipng.ex_
The download I used for verification:
$ sha1sum optipng-0.7.4-win32.zip
I would presume that this therefore was a false positive and likely has been fixed by Microsoft. If it hasn't, report it. Also @Cosmin, Microsoft is quite conservative with detections, so I wouldn't assume they detect it because you used UPX ;)
Thanks, Oliver, for your analysis. Although I wouldn't flatly assume that UPX => false AV positive, I did think that UPX messes up some information and might confuse AV software. This is based on what I had randomly read on random forums, not on actual knowledge.
I am glad this is finally sorted out, thank you very much for that. I am closing the defect as "invalid".