NextDNS agent 2.0.1 now detected as malware

I am not sure what changed but the official exe download from the site is now detected as malware. I have used the .exe for many months without issue until today. It appears that 13 AV companies are now detecting it as malware. It was automatically removed from my computer.  

Update: Windows SmartScreen is now blocking downloads of this as well

https://www.virustotal.com/gui/file/7e6f1f73fd290083ff31202287c68dbc80865bb64f7bc58e9fd0b3e14c211ce7/detection

17 replies

    • mmhmm
    • Sun, January 3, 2021 at 8:36 AM UTC

    I am having the same problem. Both Windows Defender & Antivirus software are detecting it as malware. It seems the app has been recently updated and there might be some bug in it.

    I am using YogaDNS software with NextDNS settings for the time being the issue is resolved.

    • Tony
    • Sun, January 3, 2021 at 8:49 AM UTC

    A VirusTotal scan of the Windows exe does not look great. More than likely a large false positive. Let's hope.

    • Andrew_T
    • Sun, January 3, 2021 at 1:10 PM UTC

    I noticed that this has happened on my Win10 system today. Getting the following in the event logs:

     

    Log Name:      Microsoft-Windows-Windows Defender/Operational
    Source:        Microsoft-Windows-Windows Defender
    Date:          3/01/2021 21:39:11
    Event ID:      1116
    Task Category: None
    Level:         Warning
    Keywords:
    User:          SYSTEM
    Computer:      XXXXXXXXXXXX
    Description:
    Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
     For more information please see the following:
    https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/Masslogger.VN!rfn&threatid=2147767997&enterprise=0
         Name: Trojan:MSIL/Masslogger.VN!rfn
         ID: 2147767997
         Severity: Severe
         Category: Trojan
         Path: file:_C:\Program Files (x86)\NextDNS\NextDNS.exe
         Detection Origin: Local machine
         Detection Type: Concrete
         Detection Source: Real-Time Protection
         User: NT AUTHORITY\SYSTEM
         Process Name: C:\Windows\Temp\NextDNS Upgrader 2.0.1.exe
         Security intelligence Version: AV: 1.329.1515.0, AS: 1.329.1515.0, NIS: 1.329.1515.0
         Engine Version: AM: 1.1.17700.4, NIS: 1.1.17700.4

    Looks to be the latest NextDNS agent update that is the issue.

     

    Let's hope it gets sorted soon.
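
Added example (not part of the thread and not NextDNS code): a Python parser for the text form of the Defender event 1116 quoted in the post above, reducing it to the fields needed to check a suspected false positive. The sample is a trimmed copy of that event; the function names `parse_event` and `triage` are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Trimmed copy of the Event ID 1116 text quoted in the post above.
SAMPLE_EVENT = r"""Event ID:      1116
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
     Name: Trojan:MSIL/Masslogger.VN!rfn
     Severity: Severe
     Path: file:_C:\Program Files (x86)\NextDNS\NextDNS.exe
     Process Name: C:\Windows\Temp\NextDNS Upgrader 2.0.1.exe
     Security intelligence Version: AV: 1.329.1515.0, AS: 1.329.1515.0, NIS: 1.329.1515.0
"""

# "Key: value" lines; a bare "Description:" header has no value and is skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):[ \t]+(\S.*)$")
# Microsoft threat names follow Type:Platform/Family.Variant!Suffix.
THREAT_RE = re.compile(
    r"^(?P<type>[^:]+):(?P<platform>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<variant>[^!]+))?(?:!(?P<suffix>.+))?$"
)

def parse_event(text):
    """Return the first occurrence of each 'Key: value' field in the event text."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
    return fields

def triage(text):
    """Reduce one detection event to the facts needed for a false-positive check."""
    f = parse_event(text)
    threat = THREAT_RE.match(f["Name"])
    target = f["Path"]
    if target.startswith("file:_"):  # resource-type prefix as it appears in the event
        target = target[len("file:_"):]
    proc = PureWindowsPath(f["Process Name"])
    return {
        "event_id": int(f["Event ID"]),
        "threat": threat.groupdict() if threat else {"raw": f["Name"]},
        "target": target,  # detected file: the one to hash and compare
        "process": str(proc),  # process named in the event
        "process_in_temp": "temp" in (p.lower() for p in proc.parts),
        "definitions": f["Security intelligence Version"].split(",")[0].split(":")[1].strip(),
    }
```

The `target` path is the file to hash and compare against the publisher's release, and `definitions` is the signature version to recheck against once newer definitions are installed.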
     

    • Vincent_van_Duijnhoven
    • Sun, January 3, 2021 at 6:06 PM UTC

    Same here with Bitdefender. Classified as: Trojan.GenericKD.35766253

    https://i.imgur.com/8SOPlTL.png

    • Artem_Lipatov
    • Sun, January 3, 2021 at 6:42 PM UTC

    +1 BitDefender here. Is this a false positive or are we really dealing with malware??? NextDNS, please respond

    • Lector
    • Sun, January 3, 2021 at 6:51 PM UTC

    +1 BitDefender as well. As others said, the VirusTotal results are also very alarming, almost as alarming as the lack of response from NextDNS 😞

      • Nash
      • Sun, January 3, 2021 at 7:13 PM UTC

      Lector I am going to leave the app in the bitbucket where Windows Defender ATP put it until someone provides an update about this.

      • olivier
      • Sun, January 3, 2021 at 8:25 PM UTC
      • Lector
      • Mon, January 4, 2021 at 1:59 AM UTC

      Olivier Poitrey thanks! I'd imagine pinning your answer to a place highly visible would help others, same as myself, to quickly realize it is a false positive? In any case, thanks for your answer, and for the product as well.

      • Mohammad_Nofil
      • Mon, January 4, 2021 at 2:52 AM UTC

      Olivier Poitrey hello Sir,

      Do you know this IP, 124.108.23.14? Is this IP your block page IP? We sometimes get this IP when NextDNS blocks a domain.

      Thanks,

      Nofil

      • olivier
      • Mon, January 4, 2021 at 4:45 AM UTC

      Mohammad Nofil yes it is one of our IPs.

      • Vincent_van_Duijnhoven
      • Mon, January 4, 2021 at 7:25 AM UTC

      Olivier Poitrey At the same time as NextDNS, BitDefender also blocked the following file:  C:\Program Files\Common Files\Autodesk Shared\cao20cht.tlb. How is that related to NextDNS? Also a false positive then?

      • olivier
      • Mon, January 4, 2021 at 8:29 AM UTC

      Vincent van Duijnhoven it’s not. From my small experience anti virus tools are meh...

    • Yuguo
    • Mon, January 4, 2021 at 11:46 AM UTC

    Well some info from VirusTotal may be the reason for this:

     . Also something Microsoft probably doesn't like 😂

    • Ryan
    • Thu, January 28, 2021 at 11:49 PM UTC

    Any news on if there has been a compromise to the app? Carbon Black is flagging it now too, likely because they leverage VirusTotal, who thinks there is a problem.

    https://www.virustotal.com/gui/file/0eacb4bac59dc8011163d8127666c813cfd3eac1d973386cb6fc6ce3cf16764b/detection

    • Sebastien_LECOCQ
    • Thu, March 4, 2021 at 8:52 AM UTC

    Next DNS Could we have an official confirmation that we can run the Windows installer safely and bypass any warning from SmartScreen and antivirus ... Thanks in advance ...

      • olivier
      • Thu, March 4, 2021 at 9:34 AM UTC

      Sébastien LECOCQ you can. We are working on getting a better code signing certificate, as Windows security seems to be something you just buy... Our Windows client is fully open source and is indeed free of malware.
