Microsoft Defender today reported a Trojan Rand32/cerber in soffice.bin. Defender killed soffice.bin. LibreOffice couldn't be started again.
Is it a false true reported from Defender or did I take the Trojan from LibreOffice's home?
LibreOffice is dead
User Profile Reset: No
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Windows Defender this morning reported LibreOffice 18.104.22.168 as having the Cerber Trojan virus, which it quarantined. This makes LibreOffice inoperable. I also have the 5.1 help pack installed. After having Defender remove the virus I chose to use the Windows 10 app repair feature for LibreOffice, which reinstalled the app. On the first run Defender again reports a new instance of the ransom:win32/cerber Trojan and again deactivates it. It shows the Trojan as contained in file: C:\Program Files (x86)\LibreOffice 5\program\soffice.bin
The link to more information about this Trojan is provided by Defender as https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Ransom%3aWin32%2fCerber&threatid=2147709928&enterprise=0
The virus and spyware definitions used by Defender are 22.214.171.124, created on 10-20-2016 at 4:32 am.
I can confirm this.
soffice.bin is moved into quarantine by Windows Defender.
I have checked my downloaded msi hash, which is the same as on the official site.
The workaround is to restore it and add it to Windows Defender's exclusion list.
I uninstalled LibreOffice 126.96.36.199 and installed 188.8.131.52. soffice.bin seems to be the same because of the amount of bytes. But soffice.bin of version 184.108.40.206 is not killed by Defender.
An older version of LibreOffice, somewhat like 4.x.x.x, also does not get attacked by Defender!
So it seems to be a specific problem of version 220.127.116.11
*** This bug has been marked as a duplicate of bug 103356 ***
I too replaced LibreOffice 18.104.22.168 with 22.214.171.124 and rescanned with the same version of Windows Defender and did not get a positive. I also updated Defender to the next virus definition 1.231.50 and did not get any more positives either.
At this point I think the only thing that can be concluded for sure is that either 126.96.36.199 has a time-delayed virus (my install has been on the computer for about 2.5 weeks) which Defender is correctly identifying, or Windows Defender is falsely reporting a positive.
Too bad Microsoft does not allow us to update and then downgrade our virus definitions. If they did, we could tell whether LibreOffice or Defender is the cause.
At this point it's all up to the developers at LibreOffice to test their 188.8.131.52 STILL installer and find out if there is something hiding in there or not. It would be a first if there is, as I have been using this stuff for 5+ years with no virus issues.
I think it is premature to label this resolved, as no one has tested the STILL installer at LibreOffice or taken this version of STILL off the download page. So I will move the status down to verified.