
NextDNS agent 2.0.1 now detected as malware

I am not sure what changed, but the official .exe download from the site is now detected as malware. I have used the .exe for many months without issue until today. It appears that 13 AV companies are now detecting it as malware. It was automatically removed from my computer.

Update: Windows SmartScreen is now blocking downloads of this as well.

https://www.virustotal.com/gui/file/7e6f1f73fd290083ff31202287c68dbc80865bb64f7bc58e9fd0b3e14c211ce7/detection

17 replies
  • I am having the same problem. Both Windows Defender and my antivirus software are detecting it as malware. It seems the app has been recently updated and there might be some bug in it.

    I am using the YogaDNS software with NextDNS settings; for the time being the issue is resolved.

  • A VirusTotal scan of the Windows exe does not look great. More than likely a large false positive. Let's hope.

  • I noticed that this has happened on my Win10 system today. Getting the following in the event logs:


    Log Name:      Microsoft-Windows-Windows Defender/Operational
    Source:        Microsoft-Windows-Windows Defender
    Date:          3/01/2021 21:39:11
    Event ID:      1116
    Task Category: None
    Level:         Warning
    Keywords:
    User:          SYSTEM
    Computer:      XXXXXXXXXXXX
    Description:
    Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
     For more information please see the following:
    https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/Masslogger.VN!rfn&threatid=2147767997&enterprise=0
         Name: Trojan:MSIL/Masslogger.VN!rfn
         ID: 2147767997
         Severity: Severe
         Category: Trojan
         Path: file:_C:\Program Files (x86)\NextDNS\NextDNS.exe
         Detection Origin: Local machine
         Detection Type: Concrete
         Detection Source: Real-Time Protection
         User: NT AUTHORITY\SYSTEM
         Process Name: C:\Windows\Temp\NextDNS Upgrader 2.0.1.exe
         Security intelligence Version: AV: 1.329.1515.0, AS: 1.329.1515.0, NIS: 1.329.1515.0
         Engine Version: AM: 1.1.17700.4, NIS: 1.1.17700.4

    Looks to be the latest NextDNS agent update that is the issue.

    Let's hope it gets sorted soon.

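As an added example (not code from the thread or from NextDNS), here is a small Python parser for the Defender Operational event text quoted in the post above, with the event body reconstructed inline as a constructed sample. It pulls out the fields a responder checks first when deciding whether a detection is a false positive: the threat name and ID, the quarantined path, the launching process, and the signature build that produced the verdict.

```python
import re

# Constructed sample, modelled on the Event ID 1116 text quoted in the post above.
SAMPLE_EVENT = """ For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/Masslogger.VN!rfn&threatid=2147767997&enterprise=0
     Name: Trojan:MSIL/Masslogger.VN!rfn
     ID: 2147767997
     Path: file:_C:\\Program Files (x86)\\NextDNS\\NextDNS.exe
     Detection Source: Real-Time Protection
     User: NT AUTHORITY\\SYSTEM
     Process Name: C:\\Windows\\Temp\\NextDNS Upgrader 2.0.1.exe
     Security intelligence Version: AV: 1.329.1515.0, AS: 1.329.1515.0, NIS: 1.329.1515.0
     Engine Version: AM: 1.1.17700.4, NIS: 1.1.17700.4
"""

# One "Key: value" pair per line; the key is letters and spaces up to the first colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.+?)\s*$")

def parse_defender_event(text):
    """Return the Key: value fields of a Defender detection event body as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and not line.lstrip().startswith("http"):  # the fwlink line is not a field
            fields[m.group("key")] = m.group("val")
    # Defender writes resource paths as "file:_<path>"; strip the prefix so the path is usable.
    if fields.get("Path", "").startswith("file:_"):
        fields["Path"] = fields["Path"][len("file:_"):]
    return fields

def parse_versions(value):
    """Split 'AV: 1.329.1515.0, AS: 1.329.1515.0' into {'AV': '1.329.1515.0', 'AS': ...}."""
    out = {}
    for part in value.split(","):
        if ":" in part:
            k, v = part.split(":", 1)
            out[k.strip()] = v.strip()
    return out

def triage(fields):
    """Pull out what a responder checks first when a detection may be a false positive."""
    proc = fields.get("Process Name", "")
    sigs = parse_versions(fields.get("Security intelligence Version", ""))
    return {
        "threat": fields.get("Name"),
        "threat_id": fields.get("ID"),
        "flagged_file": fields.get("Path"),
        # In the thread the writer of the flagged file is an upgrader launched from %WINDIR%\Temp.
        "process_in_temp": "\\temp\\" in proc.lower(),
        "av_signature": sigs.get("AV"),  # compare against a later build to confirm the FP cleared
    }
```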
  • Same here with Bitdefender. Classified as Trojan.GenericKD.35766253.

    https://i.imgur.com/8SOPlTL.png

  • +1 Bitdefender here. Is this a false positive, or are we really dealing with malware??? NextDNS, please respond.

  • +1 Bitdefender as well. As others said, the VirusTotal results are also very alarming, almost as alarming as the lack of response from NextDNS 😞

      • Nash (8 mths ago)

      Lector I am going to leave the app in the bit bucket where Windows Defender ATP put it until someone provides an update about this.

      • Lector (8 mths ago)

      Olivier Poitrey thanks! I'd imagine pinning your answer in a highly visible place would help others, like myself, to quickly realize it is a false positive. In any case, thanks for your answer, and for the product as well.

    • Olivier Poitrey hello Sir,

      Do you know this IP, 124.108.23.14? Is this IP your block page IP? We sometimes get this IP when NextDNS blocks a domain.

      Thanks,

      Nofil

    • Mohammad Nofil yes it is one of our IPs.

    • Olivier Poitrey At the same time as NextDNS, Bitdefender also blocked the following file: C:\Program Files\Common Files\Autodesk Shared\cao20cht.tlb. How is that related to NextDNS? Also a false positive, then?

    • Vincent van Duijnhoven it's not. From my small experience, antivirus tools are meh...

  • Well, some info from VirusTotal may be the reason for this: (image). Also something Microsoft probably doesn't like 😂

  • Any news on whether there has been a compromise of the app? Carbon Black is flagging it now too, likely because they leverage VirusTotal, which thinks there is a problem.

    https://www.virustotal.com/gui/file/0eacb4bac59dc8011163d8127666c813cfd3eac1d973386cb6fc6ce3cf16764b/detection

  • NextDNS, could we have an official confirmation that we can run the Windows installer safely and bypass any warning from SmartScreen and antivirus? Thanks in advance.

    • Sébastien LECOCQ you can. We are working on getting a better code signing certificate, as Windows security seems to be something you just buy... Our Windows client is fully open source and is indeed free of malware.

  • Last active 6 mths ago
  • 17 replies
  • 638 views
  • 13 following