
Doplik trojan detected in v0.77 for Windows

Open dpage opened this issue 1 year ago • 7 comments

This is most likely a false positive, however Windows Defender (on some pgAdmin users' systems) and the Rising AV engine have started reporting that nw.exe from 0.77 for Windows contains the Doplik trojan. See https://www.virustotal.com/gui/file/cc93341040bf223c9e7bd37c7e6e7c0f5540d07d2f21c1e4c877090352f23abf

Can someone please confirm it's actually clean, and log with the appropriate vendors as a false positive as appropriate?

Thanks!

dpage avatar Jul 14 '23 08:07 dpage

Same issue here, except on an older version of NW.JS. I reported the false positive to Microsoft already; it affected my release version.

MistakingManx avatar Jul 17 '23 14:07 MistakingManx

Users of my app have just started reporting this issue today as well, but for an older version of nw.js (0.71.0). I was going to update my nw.js to hopefully mitigate it, but looks like it affects all versions. I also reported the false positive to Microsoft. Not sure what else I can do. Hope something is done about it.

prominentdetail avatar Jul 18 '23 05:07 prominentdetail

I'm getting this issue, too. What's going on? Why would it suddenly start affecting old versions as well? It's only Windows Defender that is blocking it. If I check it using Avast or AVG it's fine.

4demon avatar Jul 18 '23 13:07 4demon

I think if more of us report it to Microsoft, maybe there will be a greater chance of getting it fixed. You can report it here: https://www.microsoft.com/en-us/wdsi/filesubmission

prominentdetail avatar Jul 18 '23 15:07 prominentdetail

I've had this issue for years. Scanners gonna do what they want. Ended up just putting in instructions to add exceptions before install. It is annoying but I don't know what you can do when malware creators are free to use nw.js as well. This also happens to Electron, but they might have more people filing submissions and VS Code uses it.

This also happens to PyInstaller-made executables. Also Microsoft Defender runs on other operating systems and NWJS gets quarantined on Mac for example.

Sometimes you can get flagged less often if you sign all your executables. https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool

Once signed, from my understanding your certificate gets something like a reputation score depending on how many other systems it is installed on.

If anyone has any better solution that would be great, I've not thought of any. Maybe if you make your own custom build some more checksums might not get caught? But that is a lot of effort for maybe no return.

bluthen avatar Jul 18 '23 17:07 bluthen
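
A check related to the signing suggestion in the comment above, as an added example that is not part of the thread or the NW.js project: it lists the Authenticode status of every executable in a packaged app and tells you whether your nw.exe is byte-identical to the file in the VirusTotal report from the opening post. The `$AppDir` path is a hypothetical placeholder, and the hash is taken from that VirusTotal URL on the assumption that it is the SHA-256 of the flagged nw.exe.

```powershell
# Added example: audit a packaged NW.js app before filing a false-positive report.
param(
    [string]$AppDir = '.\dist\myapp'   # hypothetical path to the packaged app folder
)

# SHA-256 from the VirusTotal URL in the opening post (assumed to be nw.exe from 0.77).
$FlaggedSha256 = 'cc93341040bf223c9e7bd37c7e6e7c0f5540d07d2f21c1e4c877090352f23abf'

$report = Get-ChildItem -Path $AppDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.node' } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            File     = $_.Name
            Status   = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256   = $hash
            SameAsVT = ($hash -eq $FlaggedSha256)
        }
    }

$report | Format-Table -AutoSize

# Anything that is not 'Valid' is unsigned, tampered with, or signed by an untrusted chain.
$notValid = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($notValid.Count -gt 0) {
    Write-Warning "$($notValid.Count) binaries without a valid Authenticode signature"
}

# A hash match means the detection is on the stock upstream binary, not on something
# your build or packer changed; a mismatch means your file differs from the reported sample.
if (-not ($report | Where-Object { $_.SameAsVT })) {
    Write-Warning 'No file matches the hash from the VirusTotal report in this issue'
}
```

Including the SHA-256 and signature status of the exact file you shipped in a vendor submission makes it clear which binary the report is about.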

> Sometimes you can get flagged less often if you sign all your executables. https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool

My understanding is that you need a signing certificate, which costs at least $400/yr. Seems pretty expensive to me.

prominentdetail avatar Jul 18 '23 18:07 prominentdetail

The same thing is happening to me, even after packing the nw.js exe with a paid version of the Enigma Protector (64 bit). I've reported the false positive to Microsoft as well.

I'm using nw.js 0.74.0. I haven't tried with a certificate yet, but I might go that route if this isn't corrected at some point.

BuggyTheBug avatar Jan 01 '24 18:01 BuggyTheBug