0

NextDNS agent 2.0.1 now detected as malware

I am not sure what changed but the official exe download from the site is now detected as malware. I have used the .exe for many months without issue until today. It appears that 13 AV companies are now detecting it as malware. It was automatically removed from my computer.  

Update: windows smartscreen is now blocking downloads of this as well

https://www.virustotal.com/gui/file/7e6f1f73fd290083ff31202287c68dbc80865bb64f7bc58e9fd0b3e14c211ce7/detection

17 replies

null
    • mmhmm
    • 3 yrs ago
    • Reported - view

    I am having the same problem. Both Windows Defender & Antivirus software are detecting it as malware. It seems the app has been recently updated and there might be some bug in it.

    I am using YogaDNS software with NextDNS settings for the time being the issue is resolved.

    • Tony
    • 3 yrs ago
    • Reported - view

    A virustotal scan of the Windows exe does not look great. More than likely a large false positive. Lets hope.

    • Andrew_T
    • 3 yrs ago
    • Reported - view

    I noticed that this has happed on my Win10 system today.  Getting the following in the event logs;

     

    Log Name:      Microsoft-Windows-Windows Defender/Operational
    Source:        Microsoft-Windows-Windows Defender
    Date:          3/01/2021 21:39:11
    Event ID:      1116
    Task Category: None
    Level:         Warning
    Keywords:
    User:          SYSTEM
    Computer:      XXXXXXXXXXXX
    Description:
    Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
     For more information please see the following:
    https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/Masslogger.VN!rfn&threatid=2147767997&enterprise=0
         Name: Trojan:MSIL/Masslogger.VN!rfn
         ID: 2147767997
         Severity: Severe
         Category: Trojan
         Path: file:_C:\Program Files (x86)\NextDNS\NextDNS.exe
         Detection Origin: Local machine
         Detection Type: Concrete
         Detection Source: Real-Time Protection
         User: NT AUTHORITY\SYSTEM
         Process Name: C:\Windows\Temp\NextDNS Upgrader 2.0.1.exe
         Security intelligence Version: AV: 1.329.1515.0, AS: 1.329.1515.0, NIS: 1.329.1515.0
         Engine Version: AM: 1.1.17700.4, NIS: 1.1.17700.4

    Looks to be the latest NextDNS agent update that is the issue.

     

    Let hope it gets sorted soon.
     

    • Vincent_van_Duijnhoven
    • 3 yrs ago
    • Reported - view

    Same here with Bitdefender. Classified as: Trojan.GenericKD.35766253

    https://i.imgur.com/8SOPlTL.png

    • Artem_Lipatov
    • 3 yrs ago
    • Reported - view

    +1 BitDefender here. is this a false positive or we are really dealing with malware??? NextDNS, please respond

    • Lector
    • 3 yrs ago
    • Reported - view

    +1 BitDefender as well. As others said, VirusTotal results also very alarming, almost as alarming as the lack of response from NextDNS 😞 

      • Nash
      • 3 yrs ago
      • Reported - view

      Lector I am going to leave the app in the bitbucket where windows defender ATP  put it until someone provides an update about this.

      • olivier
      • 3 yrs ago
      • Reported - view
      • Lector
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey thanks! I'd imagine pinning your answer to a place highly visible would help others same as myself to quickly realize is a false positive? In any case, thanks for your answer, and for the product as well.  

      • Mohammad_Nofil
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey hello Sir, 

      Do you know this IP 124.108.23.14, is this IP your block page IP. We sometimes get this IP when nextdns blocks a domain.

      Thanks,

      Nofil

      • olivier
      • 3 yrs ago
      • Reported - view

      Mohammad Nofil yes it is one of our IPs.

      • Vincent_van_Duijnhoven
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey At the same time as NextDNS, BitDefender also blocked the following file:  C:\Program Files\Common Files\Autodesk Shared\cao20cht.tlb. How is that related to NextDNS? Also a false positive then?

      • olivier
      • 3 yrs ago
      • Reported - view

      Vincent van Duijnhoven it’s not. From my small experience anti virus tools are meh...

    • Yuguo
    • 3 yrs ago
    • Reported - view

    Well some info from VirusTotal may be the reason for this:

     . Also something microsoft probably doesn't like 😂

    • Ryan
    • 3 yrs ago
    • Reported - view

    Any news on if there has been a compromise to the app?  Carbon Black is flagging it now too likely because they leverage virus total, who thinks there is a problem.

    https://www.virustotal.com/gui/file/0eacb4bac59dc8011163d8127666c813cfd3eac1d973386cb6fc6ce3cf16764b/detection

    • Sebastien_LECOCQ
    • 3 yrs ago
    • Reported - view

    Next DNS  Could we have an official confirmation that we can run the Windows installer safely and bypass any warning from smartscreen and antivirus ... Thanks in advance ...

      • olivier
      • 3 yrs ago
      • Reported - view

      Sébastien LECOCQ you can. We are working on getting a better code signing certificate, as windows security seems to be something you just buy... Our windows client is fully open source and is indeed free of malware.

Content aside

  • 3 yrs agoLast active
  • 17Replies
  • 939Views
  • 13 Following