Bug 122379 - windows defender detects Trojan:Win32/Spursint.F!cl in LibreOffice_6.1.4_Win_x64_helppack_fr.msi
Status: RESOLVED WORKSFORME
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version: 6.1.4.1 rc (earliest affected)
Hardware: All All
Importance: medium normal
Assignee: Not Assigned
Keywords: security
Reported: 2018-12-30 15:45 UTC by noel
Modified: 2019-01-16 07:47 UTC

Description noel 2018-12-30 15:45:35 UTC
Description:
Hi,
May I trust LibreOffice_6.1.4_Win_x64 if a trojan is detected in the help pack?
I download them from:
http://download.documentfoundation.org/libreoffice/stable/6.1.4/win/x86_64/LibreOffice_6.1.4_Win_x64_helppack_fr.msi
and from 
https://www.libreoffice.org/donate/dl/win-x86_64/6.1.4/fr/LibreOffice_6.1.4_Win_x64.msi

Thank you very much



Steps to Reproduce:
1. Download in/from a Windows computer under W10 V 1809 with Edge

Actual Results:
SmartScreen complains. And if I force the download, Windows Defender deletes the MSI file.

Expected Results:
good download


Reproducible: Always


User Profile Reset: No



Additional Info:
From Windows Defender:
webfile: C:\Users\noel\Downloads\LibreOffice_6.1.4_Win_x64_helppack_fr.msi|https://mirror.cyberbits.eu/tdf/libreoffice/stable/6.1.4/win/x86_64/LibreOffice_6.1.4_Win_x64_helppack_fr.msi|pid:4784,ProcessStart:131906539640813010

file: C:\Users\noel\Downloads\LibreOffice_6.1.4_Win_x64_helppack_fr.msi->libreoffice1.cab->bookmarks.js

containerfile: C:\Users\noel\Downloads\LibreOffice_6.1.4_Win_x64_helppack_fr.msi
Comment 1 V Stuart Foote 2018-12-31 22:32:03 UTC
We would need to know the actual mirror your download came from.

Otherwise you should verify the HASH value(s) of your download. Dispose of it if it does not match the published HASH (any or all SHA256, SHA1, or MD5) and review the Properties -> Digital Signatures of these signed installers. If they don't match, or look suspect, delete and download again until they do.


https://downloadarchive.documentfoundation.org/libreoffice/old/6.1.4.2/win/x86_64/LibreOffice_6.1.4.2_Win_x64_helppack_fr.msi.mirrorlist

https://downloadarchive.documentfoundation.org/libreoffice/old/6.1.4.2/win/x86_64/LibreOffice_6.1.4.2_Win_x64.msi.mirrorlist
Comment 2 noel 2019-01-01 10:57:13 UTC
Hello,

I download from:
https://mirror.cyberbits.eu/tdf/libreoffice/stable/6.1.4/win/x86_64/LibreOffice_6.1.4_Win_x64_helppack_fr.msi

Each time I put this link in the address bar of Edge, I get "warning: virus".

Please, can you try this link?
Thank you
Comment 3 V Stuart Foote 2019-01-01 15:21:23 UTC
OK, confirmed. Using the mirror indicated. Overriding the Edge download, a local Windows Defender AV scan hits on Win32/Spursint.F!cl and then deletes the installer package before I can check HASH.

Identifies this path in the package:

file: C:\Users\vsfoote\Downloads\LibreOffice_6.1.4_Win_x64_helppack_fr.msi->libreoffice1.cab->bookmarks.js

Download same MSI directly from projectarchive and it scans clean and matches HASH.

Email sent to officesecurity@lists.freedesktop.org
Comment 4 Roman Kuznetsov 2019-01-02 15:53:38 UTC
Mike, you have solved the same problem with Avast, or not the same?
Comment 5 Mike Kaganski 2019-01-16 07:47:40 UTC
Well - downloading from the URL indicated in comment 2 today, I get the file that has checksums identical to those at http://downloadarchive.documentfoundation.org/libreoffice/old/6.1.4.2/win/x86_64/LibreOffice_6.1.4.2_Win_x64_helppack_fr.msi.mirrorlist

I use Windows Defender, and it doesn't throw any detections (possibly because of signatures updated since comment 3, or maybe the mirror now has the proper file?).

So either the mirror is fixed, or that was a false positive.

Closing WORKSFORME.
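
The hash check recommended in comment 1 and relied on in comment 5, as an added Python example that is not part of the original bug thread or of LibreOffice's own tooling. It compares a download against whichever published digests are supplied and reports a missing file as its own verdict, since in comment 3 the scanner removed the installer before it could be hashed. The function names and the 3-byte sample file are constructed for illustration; real published values come from the project's `.mirrorlist` pages.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

ALGORITHMS = ("sha256", "sha1", "md5")  # digest types named in comment 1


def file_digests(path, chunk_size=1 << 20):
    """Compute all supported digests in one pass, without loading the file into memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, published):
    """Return (verdict, mismatched_algorithms).

    verdict is "match", "mismatch", or "missing" (file gone, e.g. removed by
    the AV scanner before it could be hashed, as happened in comment 3).
    """
    wanted = {k.lower().replace("-", ""): v.strip().lower() for k, v in published.items()}
    unknown = set(wanted) - set(ALGORITHMS)
    if unknown or not wanted:
        raise ValueError(f"need at least one of {ALGORITHMS}, got {sorted(published)}")
    if not Path(path).is_file():
        return "missing", []
    actual = file_digests(path)
    bad = [a for a in ALGORITHMS if a in wanted and not hmac.compare_digest(actual[a], wanted[a])]
    return ("mismatch" if bad else "match"), bad


if __name__ == "__main__":
    # Constructed sample: a 3-byte file standing in for the installer.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.msi"
        sample.write_bytes(b"abc")
        published = {"SHA-256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
        print(verify_download(sample, published))
```

A "mismatch" on any supplied digest means the file should be discarded and downloaded again; this check does not replace reviewing the installer's digital signature.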