Description: Microsoft Defender today reported a Trojan Rand32/cerber in soffice.bin. Defender killed soffice.bin. LibreOffice could'nt be started again. Is it a fals true reported from Defender or did I take the Trojan from LibreOffice's home? Actual Results: LibreOffice is dead Expected Results: LibreOffice is dead Reproducible: Always User Profile Reset: No Additional Info: User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Windows Defender this morning reported Libreoffice 5.1.5.2 as having the Cerber Trojan virus which it quarantined. This makes Libreoffice inoperable. I also have the 5.1 help pack installed. After having Defender remove the virus I chose to use the windows 10 app repair feature for Libreoffice which reinstalled the app. on the first run Defender again reports a new instance of the ransom:win32/cerber Trojan and again deactivates it. It shows the Trojan as contained in file:C:\Program Files (x86)\LibreOffice 5\program\soffice.bin the link to more information about this Trojan is provided by Defender as https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Ransom%3aWin32%2fCerber&threatid=2147709928&enterprise=0 The virus and spyware definitions used by Defender are 1.231.39.0 created on 10-20-2016 at 432am.
I can confirm this. soffice.bin is move in quanrantine by Windows Defender. I have checked my downloaded msi hash wich is the same as official site. Workaround is to restore and add it in Windows defender's exclusion list. Regards.
I uninstalled LibreOffice 5.1.1.1 and installed 5.2.2.2. soffice.bin seems to be the same because of the amount of bytes. But soffice.bin of version 5.2.2.2 is not killed by Defender. An older Version of LibreOffice, somewhat like 4.x.x.x also gets not attacked by the Defender! So it seems be a specific problem of Version 5.1.1.1 Regards
*** This bug has been marked as a duplicate of bug 103356 ***
I too replaced Libreoffice 5.1.5.2 with 5.2.2.2 and rescanned with the same version of windows defender and did not get a positive. I also updated defender to the next virus definition 1.231.50 and did not get any more positives either. At this point I think the only thing that can be concluded for sure is that either 5.1.5.2 has a time delayed virus (my install has been on the computer for about 2.5 weeks) which defender is correctly identifying or windows defender is falsely reporting a positive. Too bad Microsoft does not allow us to update and then downgrade our virus definitions. if they did we could tell whether Libreoffice or Defender is the cause. A this point its all up to the developers at Libreoffice to test their 5.1.5.2 STILL installer and find out if there is something hiding in their or not. It would be a first if there is as I have been using this stuff for 5+ years with no virus issues.
I think it premature to label this resolved as no one has tested the STILL installer at Libreoffice or taken this version of STILL off the download page. So I will move the status down to verified.