Not able to download it on my work laptop

Hi, I was not able to download Anki on my laptop at work, and the IT team told me that the app did not pass the safety test due to the presence of malicious behaviours found by Falcon-CrowdStrike (licensed sandbox). However, these findings can be false positives; thus, IT requested that I get it confirmed with the vendor (developer) of Anki as to whether this is a false positive that can be ignored without endangering company security, and to explain why this is being detected.

It looks like https://www.hybrid-analysis.com (powered by Falcon Sandbox) doesn’t allow uploading files bigger than 100 MB, but it seems to rely on VirusTotal to some extent, and I guess it’s about “Backdoor.Androm.bdka” being detected by Jiangmin.

https://www.virustotal.com/gui/file/22f923b2e78be53b4e738da8315b85a9838dcaf46cf3279cf06aa9357f6fc470

It seems to have started happening with anki-2.1.55-windows-qt6.exe.

2.1.54 - https://www.virustotal.com/gui/file/f42ad7a5d8135e184350dcc7373f54f326a42960a65072424d39cca04bd702e4
2.1.55 - https://www.virustotal.com/gui/file/1dce28567a37ed3d47ae024e92ed71c0e769a0cc955e9259fdba477f9e6383d6
23.10 (the latest beta) - https://www.virustotal.com/gui/file/d0539a1f52817b3d658ea2a7dd8e9c5b08f8e3767225c40b32feb6af1531a923

For 2.1.66 the Relations tab shows nothing, as VirusTotal says “Other files stored inside the file being studied”, but for 2.1.55 and the latest beta, they both list the ‘uninstall.exe’ as potentially malicious. To double-check it, I uploaded the ‘uninstall.exe’ file from Anki’s installation folder to VirusTotal and it was detected as “Backdoor.Androm.bdka” by Jiangmin while other security vendors didn’t find anything suspicious.

The uninstall.exe file is automatically generated by NSIS (Nullsoft Scriptable Install System) from the .nsi template provided by Anki to create an executable for Windows (and its uninstaller).

It’s not uncommon for the uninstaller to be detected as malware.

For example, two other security vendors flagged the ‘uninstall.exe’ in the latest release of qutebrowser as potentially malicious.

https://www.virustotal.com/gui/file/c8ad9eb20b6d3844c8eb39803d1eac61f91cf73f4167534f88fb487f6c0f4268

A few similar cases where other programs were detected by Jiangmin.

Also:
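The reply above does a manual triage: look the installer hash up on VirusTotal, note that exactly one engine names the file, check whether the same name recurs across unrelated releases, and trace it to the NSIS uninstaller stub. The script below is an added example of that workflow, not code from the forum thread or the Anki project. It assumes the JSON layout of a VirusTotal v3 file report (`data.attributes.last_analysis_results`, one entry per engine with `category` and `result`); the sample report embedded in it is constructed, not a real scan.

```python
"""Triage helper for a single-engine antivirus detection (added example).

Assumptions (not from the forum post): the VirusTotal v3 report layout
data.attributes.last_analysis_results -> {engine: {"category", "result"}},
and the SAMPLE_REPORT below, which is constructed rather than a real scan.
"""
import hashlib
import json

# VirusTotal keys file reports by SHA-256; this is the GUI URL form used in the thread.
VT_FILE_URL = "https://www.virustotal.com/gui/file/"

# Constructed sample in the shape of a VirusTotal v3 file report: one engine
# (Jiangmin) names the file, every other engine that scanned it reports nothing.
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {"last_analysis_results": {
  "Jiangmin": {"category": "malicious",        "result": "Backdoor.Androm.bdka"},
  "EngineA":  {"category": "undetected",       "result": null},
  "EngineB":  {"category": "undetected",       "result": null},
  "EngineC":  {"category": "undetected",       "result": null},
  "EngineD":  {"category": "type-unsupported", "result": null}
}}}}
""")

# Engine categories that mean "did not actually scan the file"; they must not
# count toward the denominator of a detection ratio.
NOT_SCANNED = ("type-unsupported", "timeout", "failure")


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory blob (used by the file variant below)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream-hash a file so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_url_for_digest(hexdigest):
    """Build the report URL locally; nothing has to be uploaded to look a hash up."""
    return VT_FILE_URL + hexdigest.lower()


def summarize(report):
    """Return ({engine: detection name}, number of engines that really scanned the file)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    scanned = [e for e, r in results.items() if r["category"] not in NOT_SCANNED]
    flagged = {e: results[e]["result"] for e in scanned
               if results[e]["category"] in ("malicious", "suspicious")}
    return flagged, len(scanned)


def verdict(report, min_engines=2):
    """Classify a report as 'clean', 'likely-false-positive' or 'needs-review'.

    A single engine naming a generic family while every other engine is silent
    is weak evidence by itself; two or more independent engines agreeing is the
    point at which a human should look at the sample.
    """
    flagged, _scanned = summarize(report)
    if not flagged:
        return "clean"
    if len(flagged) < min_engines:
        return "likely-false-positive"
    return "needs-review"


def consistent_across_versions(reports):
    """True when every release hash gets the identical set of (engine, name) hits.

    The reply compared 2.1.55, 2.1.66 and the 23.10 beta this way: a detection
    that persists unchanged across unrelated builds points at a shared component
    such as the installer/uninstaller stub, not at the program being installed.
    """
    first, _ = summarize(reports[0])
    return all(summarize(r)[0] == first for r in reports[1:])


if __name__ == "__main__":
    flagged, scanned = summarize(SAMPLE_REPORT)
    print(f"{len(flagged)}/{scanned} engines flag the sample: {flagged}")
    print("verdict:", verdict(SAMPLE_REPORT))
    print("lookup URL for an empty file:", vt_url_for_digest(sha256_of_bytes(b"")))
```

In practice you would hash the downloaded installer with `sha256_of_file`, open the URL from `vt_url_for_digest`, and feed the resulting report to `verdict`; a `likely-false-positive` on the installer together with `consistent_across_versions` being true across several releases is exactly the pattern the reply describes, and the evidence IT would want to see documented alongside the vendor's statement.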
