Antivirus false positive on ransomware and keylogger for MikTex & TexStudio?

Wrichik Basu

Summary
Is my antivirus giving false warnings while installing TexStudio and MikTex?
I decided to set up ##\LaTeX## on my PC, Windows 7, 32-bit. The PC has a legal version of QuickHeal Internet Security antivirus.

I downloaded TexStudio and MikTex. When I started installing TexStudio, QuickHeal said that the installer file was a potential keylogger, and put it into quarantine.

I couldn't find any evidence online of something similar happening with others, so I set the antivirus to exclude the installer, and could successfully install TexStudio.

When I started installing MikTex, while the installation was half-way through, QuickHeal said that there was a ransomware in MikTex files, and stopped the installation. The only way to install now is to switch off the antivirus completely during the installation process, and then setting it to exclude the MikTex folder.

Can anyone confirm these are false warnings? I know that QuickHeal isn't a very good antivirus, but my father isn't ready to discard it before the license expires. I got similar warnings when I installed Fritzing. Is there a chance that the installer file is getting corrupted while downloading? Or are these just false warnings that I can overlook?
 
10,442
3,962
Don't be too quick to turn your settings off, as you may be among the first of many.

Recently, some common repositories have been infected with malware. Apparently these malware dolls have decided to destroy their own source of free code.
 
10,442
3,962
Here's some dated discussion on LaTeX being infected or not, and some false alarms due to files with names that match known malware but weren't.

 

Wrichik Basu

I am actually helpless, I think. Keeping in mind your links @jedishrfu, perhaps it will not be safe to continue with the installation of MikTex (I can uninstall TexStudio too). But again, so many people in the science community are using these, and they haven't complained.

Is there any place where I can upload the files for a check? QuickHeal doesn't seem to have such a service.

By the way, can such problems exist in the portable version as well?
 

DrClaude

Can you get a specific indication which file(s) is getting flagged?
 
1,230
600
Is there any place where I can upload the files for a check? QuickHeal doesn't seem to have such a service.
I think they have something (I don't know if it is active or not).
Generally, switching off the protection during install is not a good idea. Uninstalling would not be any help; by now any half-decent malware would have dug itself in. Just try to do a system check with different security software.
Maybe, done by a different machine (with moving the HDD).
 
595
239
It's most likely that you're getting false positives, but just in case, you could try doing what I did:

Direct download for TeXstudio:

I didn't see a checksum there, so I also checked the page at: https://fossies.org/windows/misc/texstudio-2.12.14-win-qt5.exe/
and found checksums, and other useful information, including the github link below:

I then downloaded the same file from:

Then, after checking the byte count:


I ran WinMerge (an open-source freeware file comparison utility) to verify that the file contents were identical.

You can find that utility here:
That page has a link for the SHA-256 checksums for WinMerge.

I don't think anyone's going to corrupt the same file on both sourceforge and github. I ran the installer on a test machine and it ran fine. Then I launched the program, it loaded fine.

If you run it before installing MikTex, you'll get a warning with a link for installing it or a similar product so you can save your pages to PDF.

For MikTex, the direct download is here:
The https://miktex.org/download page has the SHA-256 hash for verifying the file.

Here's a link to a tutorial page (with links to free utilities), that explains how to use the SHA-256 hash to verify the file: https://www.maketecheasier.com/verify-md5-sha-1-sha-256-checksum-windows10/

Bottom line: The files I got from the above sources were not corrupted and had no malware. Once you do the same verification for your copies, I think you can safely whitelist them in your AV product.
 
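The verification described in the post above (compare the download's SHA-256 with the value published on the download page, then confirm that two copies fetched from independent mirrors are byte-for-byte identical, which is what the WinMerge step does) can be scripted. This is an added example, not code from the thread or from the MikTeX or TeXstudio projects; the file names and the sample payload it writes to a temporary directory are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads: installers are large, so never load a whole file into memory

def sha256_file(path):
    """Hex SHA-256 of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def matches_published(path, published):
    """True if the file's SHA-256 equals the value copied from the download page.
    Spaces, newlines and upper case (common when copy-pasting) are tolerated."""
    want = "".join(published.split()).lower()
    if len(want) != 64 or any(c not in "0123456789abcdef" for c in want):
        raise ValueError("published value is not a 64-hex-digit SHA-256")
    return hmac.compare_digest(sha256_file(path), want)

def same_contents(path_a, path_b):
    """The WinMerge step: True only if two downloaded copies are byte-for-byte equal.
    Sizes are compared first so a truncated download fails before any reading."""
    pa, pb = Path(path_a), Path(path_b)
    if pa.stat().st_size != pb.stat().st_size:
        return False
    with open(pa, "rb") as fa, open(pb, "rb") as fb:
        while True:
            ba, bb = fa.read(CHUNK), fb.read(CHUNK)
            if ba != bb:
                return False
            if not ba:  # both streams exhausted at the same point
                return True

def demo():
    """Run both checks on constructed sample files (not real installers)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        payload = b"MZ" + bytes(range(256)) * 4096  # ~1 MiB, so it spans two chunks
        (d / "from_sourceforge.exe").write_bytes(payload)  # two mirrors, identical
        (d / "from_github.exe").write_bytes(payload)
        (d / "truncated.exe").write_bytes(payload[:-1])  # a download cut short by one byte
        (d / "abc.bin").write_bytes(b"abc")  # standard SHA-256 known-answer input
        abc_hash = "BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD"
        return {
            "known_answer": matches_published(d / "abc.bin", abc_hash),
            "mirrors_identical": same_contents(d / "from_sourceforge.exe", d / "from_github.exe"),
            "truncated_identical": same_contents(d / "from_sourceforge.exe", d / "truncated.exe"),
        }
```

Point `matches_published` at the real installer and the hash string from the vendor's download page; a mismatch means the file should not be whitelisted, whatever the antivirus says about it.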

Wrichik Basu

Can you get a specific indication which file(s) is getting flagged?
Nope, QuickHeal deleted the corrupt file before I could do anything, and aborted the installation. The deletion is not present in the reports.
 
595
239
Nope, QuickHeal deleted the corrupt file before I could do anything, and aborted the installation. The deletion is not present in the reports.
Quarantined usually isn't the same as simply deleted. QuickHeal may have 'moved' the file to a quarantine folder. If so, you may be able to find it there.
 

Wrichik Basu

Quarantined usually isn't the same as simply deleted. QuickHeal may have 'moved' the file to a quarantine folder. If so, you may be able to find it there.
The texstudio.exe (suspected keylogger) is still in quarantine, but for MikTex (suspected ransomware), the antivirus completely deleted the file.

By the way, I am working to try out your method.
 
595
239
The texstudio.exe (suspected keylogger) is still in quarantine, but for MikTex (suspected ransomware), the antivirus completely deleted the file.

By the way, I am working to try out your method.
I don't know your AV product, but it could be that it misinterpreted the numerous \ characters in ##\TeX## and ##\LaTeX## code as something trying to do something outlandish with directories -- that's just speculation on my part. If the product has blacklisted the file name, you might, after making sure you have a legitimate version, rename a copy of the file before trying again. You could also try the portable version, or use the command line install with the zip version.
 

Wrichik Basu

@sysprog This time, I verified the hash with MD5_and_SHA_Checksum_Utility. The matching was ok, and I installed both MikTex and TexStudio, without any threat.

But QuickHeal says that the main executable file of MikTex is a keylogger, and has quarantined it (see the last file in the list):

[attached image: MikTex.JPG]


Same for texstudio:

[attached image: Capture.JPG]


I believe I can set the antivirus to exclude these files, right? Seems like false positives.
 
595
239
Here's a link to a list of files in the MikTex distribution: https://miktex.org/Package/Browse/miktex-qt5-bin-x64

Qt5Core.dll is on the list.

I think it's safe to say that if you got it from mktex.org, it's not a keylogger, it's a legitimate file.

However, the Qt platform is used by other applications, and your AV product may recognize that the Qt5Core.dll file is registered to another product in the system registry, and therefore decide that your install is trying to tamper with another product's files. Speculation again: the Qt5core.dll file being common to multiple products, its name may have been used before as part of an exploit, and your AV product may have it flagged accordingly.

Python 3.5.0 |Anaconda 2.4.0 (64-bit) has the Qt platform, and consequently uses Qt5Core.dll.

You could do a global search for that file name, and check whether it's already there as part of another product.

As long as the MikTex version of Qt5Core.dll is installed only within the MikTex directory structure, I think it's safe to whitelist it in your AV product.

For your recent installs of the 2 products, it may suffice to just hit the restore button on those files, and follow through with allowing it past any warnings.

The Properties dialog for my just-installed copy of texstudio.exe looks like this:

[attached image: Properties dialog of texstudio.exe]


If yours matches that on the created/modified date/time, and on the byte count (there could be a small variance in the size on disk due to different device characteristics), I'd say it's safe to restore it from the quarantine.
 

Wrichik Basu

Thanks @sysprog. Restored the files from quarantine. TexStudio is opening properly. I downloaded a .tex file from APS. It opened properly, but when I compiled it, there was a problem, "Qt path not found". According to this source, it is the Qt of MikTex. I'll see what I can do and let you know tomorrow.
 
595
239
I installed MikTex, and located the Qt5 files. I noticed while watching the install window that it uses a Unix-style install procedure (adapted for Windows), in which some of the earlier-installed components are passed control to install some of the later ones. I therefore suspect that the intervention of your AV product, which rendered Qt5Core.dll unavailable during the install, was not remediable by merely restoring that library from quarantine, as it was needed for the completion of part of the Qt5 platform subset of the MikTex install.

Here's a Windows Explorer image of the main relevant directory, showing the Qt5 files:

[attached image: Windows Explorer view of the directory containing the Qt5 files]


Please note that there should be 601 files in that directory. There is also a profile file that should have been updated to contain the Qt5 path, and I think that the flawed install process prevented that update from being done correctly.

I recommend that you de-install both MikTex and TeXstudio, then whitelist them in your AV product, then re-install them, MikTex first (because TeXstudio will try to find MikTex already installed).
 

Wrichik Basu

I recommend that you de-install both MikTex and TeXstudio, then whitelist them in your AV product, then re-install them, MikTex first (because TeXstudio will try to find MikTex already installed).
I also thought that blacklisting of the files could hamper the installation. But you know what? The antivirus is now malfunctioning. No matter how much I tell it to exclude those files and folders, it won't listen. The moment I open TexStudio, it will quarantine the .exe file. And as I open the MikTex console, it will quarantine the Qt file. But now I cannot take it out of quarantine, God knows why. I am asking QuickHeal to restore the files, but it won't.

I will try installation tomorrow by turning the antivirus off completely. I'll keep in mind the order you specified. If it doesn't work even after that, I'll leave it. It's becoming rather frustrating. I spent an hour trying to tell QuickHeal to exclude that folder, but it just won't listen. Even restart of pc didn't solve the problem.

I will keep you posted on the situation.
 

Wrichik Basu

Sorry, but the installation attempt was a failure. I switched off the antivirus, but as MikTex was being installed, it blocked the setup wizard:

[attached image: Capture2.JPG]


And then stopped the installation before I could do anything.

I tried again, now it gave a different error:

[attached image: Capture3.JPG]


Basically MikTex wants an empty directory. Windows has denied the setup wizard access to C:\Program Files. If I ask it to install in any other directory, it is giving an error that the directory is not empty. If I make an empty folder and ask it to install there, it is giving the above error.

It seems I have no luck with my PC. Maybe after some months when I buy a laptop, I can try there.

But @sysprog thanks for helping me out to quite a great extent, and also to others for their suggestions.

I am trying to install the portable version, but I have no idea if that would work.

Update: No, it didn't work.
 
595
239
If your Quick Heal product is issuing messages that way, it obviously isn't effectively turned off.

I think the simplest next step would be to start in Safe Mode, which won't start the AV program, and then run the install.

I'm actually kinda ticked off that your AV product is getting in the way of your access to some of the benefit of Prof. Knuth's wonderful work as the originator of ##\TeX##.

Here's a photo of him playing his custom-built pipe organ in 2018:

[attached image: Knuth-vivian20181019A.jpg]
 

Wrichik Basu

I think the simplest next step would be to start in Safe Mode, which won't start the AV program, and then run the install.
Good idea. Will try that. Should I choose Safe mode with networking or simply safe mode?

But then again, there is a chance of the antivirus putting the .dll and .exe files into quarantine (as I said, it is not listening to me even if I ask it to do otherwise). Nevertheless, I will try your method.
 
595
239
I recommend without networking. Just bring up what you need for the purpose of getting your install done. The installer wanting to go to the net to make sure you have the most recent version of everything can be denied and disregarded and the install will still complete successfully.
 
Do not turn your anti-virus off too quickly. There's no way the software gives a false warning. Everything has a reason. If your downloading is not from the official website, you should scan your computer once again. It's an experience I got from Techgara.
 
595
239
Ampulla said:
Do not turn your anti-virus off too quickly.
That's good general advice.
There's no way the software gives a false warning.
That's not true; there are many ways for a false warning to occur.
Everything has a reason.
I don't disagree with that; however, that doesn't mean that a diagnostic program is incapable of misdiagnosis.
If your downloading is not from the official website, you should scan your computer once again. It's an experience I got from Techgara.
It looks to me like you're presenting 'drive-by' general advice without having read the thread in its entirety. It's well understood here that, in general, it's worthwhile to try to keep any errors on the side of caution. In this matter, @Wrichik Basu has painstakingly ensured that the software is from an authoritative source and is not corrupted.
 
That's good general advice.
That's not true; there are many ways for a false warning to occur.

I don't disagree with that; however, that doesn't mean that a diagnostic program is incapable of misdiagnosis.
It looks to me like you're presenting 'drive-by' general advice without having read the thread in its entirety. It's well understood here that, in general, it's worthwhile to try to keep any errors on the side of caution. In this matter, @Wrichik Basu has painstakingly ensured that the software is from an authoritative source and is not corrupted.
Sorry for just skimming the first post xD
 
595
239
Sorry for just skimming the first post xD
That's ok, I'm sure you were just trying to be helpful in maybe keeping someone from getting harmed by malware.
Welcome aboard PF, the Physics Forums, from a member who's comparatively new here, too. The forums are well-disciplined, and the Staff members and Science Advisors here, along with the members in general, are very loyally devoted to the PF mission. Thanks for being here as a member.
 
