Forums › Help & support › AxCrypt infected?
This topic contains 10 replies, has 3 voices, and was last updated by Richard Long 4 years, 3 months ago.
Ralph
I read a topic on here about a tampered AxCrypt file circulating.
I downloaded AxCrypt 2 today and scanned it on VirusTotal like I do with all my downloads and it suggests that the installation file is infected with <TrojanDropper.Daws.gpp>.
I know that this is probably a false positive as only 1 of 55 scanners (Jiangmin) reported it infected but it got me worried.
Hello Ralph,
Thanks for the heads up. It does indeed appear to be a false positive. Googling for ‘TrojanDropper.Daws.gpp’ finds other instances where ‘Jiangmin’ is the only engine to report that threat for other files.
Fortunately VirusTotal also shows a SHA-256 hash of the submitted sample, so I can confirm that your download was not tampered with – it’s the original from us. We publish current checksums here: https://forum.axcrypt.net/cryptographic-hashes-files/ .
I cannot stress how important it is that anyone who finds something suspicious, such as virus engine alerts or incorrect or suspicious digital signatures include:
– A sample of the file in question.
– A correct and full URL of where it was downloaded. (‘The AxCrypt site’ is not precise enough; the full URL as shown in the browser address bar, please!) E.g.: https://forum.axcrypt.net/download/ which is the official download page, or even https://account.axcrypt.net/download/axcrypt-2-setup.exe which is the actual download itself.
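The reply above settles the question by comparing the SHA-256 that VirusTotal computed with the checksum the vendor publishes, which is the check worth automating for any installer. The script below is an added example written for this page, not AxCrypt's own code and not something posted in the thread: it streams a file through SHA-256, parses a sha256sum-style checksum list (the format, the file names and the installer bytes are all constructed for the example; the real AxCrypt list lives at the URL in the reply), and compares with a constant-time comparison. It deliberately treats "file not in the list" as a failure rather than a pass.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for an installer body.  It is NOT a real AxCrypt
# binary; the hashes derived from it below are therefore example values only.
SAMPLE_GOOD = b"MZ\x90\x00 constructed fake installer body, not a real PE\n"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-MB setup.exe never has to
    be read into memory in one piece."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into
    {filename: lowercase hexdigest}.  Blank lines and '#' comments are
    skipped; anything that is not a 64-hex-char digest is rejected rather
    than silently ignored, because a corrupted list must not look 'empty'."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        table[name] = digest.lower()
    return table


def verify_download(path, checksum_text):
    """Return (ok, actual_digest).

    ok is False when the digest differs AND when the file name is simply
    absent from the list: an attacker who renames a tampered installer must
    not get a pass just because nothing was published under that name."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    actual = sha256_of_file(path)
    if expected is None:
        return False, actual
    # compare_digest avoids leaking where the mismatch is via timing.
    return hmac.compare_digest(expected, actual), actual


def demo():
    """Exercise the check on three constructed files: a genuine copy, a
    tampered copy with bytes appended, and a file the list does not cover."""
    checksum_text = (
        "# constructed checksum list, modelled on a published hashes page\n"
        f"{hashlib.sha256(SAMPLE_GOOD).hexdigest()}  AxCrypt-example-Setup.exe\n"
    )
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "AxCrypt-example-Setup.exe")
        with open(genuine, "wb") as f:
            f.write(SAMPLE_GOOD)

        tampered_dir = os.path.join(d, "tampered")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, "AxCrypt-example-Setup.exe")
        with open(tampered, "wb") as f:
            f.write(SAMPLE_GOOD + b"\x90\x90 appended bytes (constructed)")

        unlisted = os.path.join(d, "AxCrypt-other-Setup.exe")
        with open(unlisted, "wb") as f:
            f.write(SAMPLE_GOOD)

        return {
            "genuine": verify_download(genuine, checksum_text)[0],
            "tampered": verify_download(tampered, checksum_text)[0],
            "unlisted": verify_download(unlisted, checksum_text)[0],
        }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'unlisted': False}
```

Fetch the checksum list over HTTPS from the vendor's own domain, never from the same mirror that served the installer; a match proves only that the bytes are the ones the vendor published, not that the vendor's build is benign. The Authenticode signature the thread mentions ("AxCrypt AB") is an independent check, which on Windows can be read with `Get-AuthenticodeSignature`.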
Ray
Hi Ralph,
I noticed that VirusTotal detects the following for version 1.7.3180.0.
Is this a false positive?
—
3/64 detections
SHA-256: 6a075e415a3c98e835997d0896aab2da5ba0565bd2bf4a6a7a05afdd8c25870a
File name: AxCrypt-1.7.3180.0-Setup.exe
File size: 3.16 MB
Last analysis: 2018-03-26 21:22:59 UTC
CAT-QuickHeal: Trojan.IGENERIC
ESET-NOD32: a variant of Win32/RiskWare.Meterpreter.C
Cyren: W32/Trojan.RDFI-4164
—
Downloaded from: http://www.axantum.com/Download/AxCrypt-1.7.3180.0-Setup.exe
Hello Ray,
That’s a false positive, or as I’d like to call it: irresponsible, defamatory, slanderous, libellous and malicious. Get a refund for your “anti-virus”. The makers of anti-virus software will flag anything, from anyone, for any reason, and will never ever take responsibility for their actions.
All of the above is dependent, of course, on your having downloaded the correct software from our site, and on its being digitally signed by us, “AxCrypt AB”, and not just any file named AxCrypt-1.7.3180.0-Setup.exe. The link does appear almost OK, although it can’t actually be used directly as a link; you will be redirected to the new download site. If you go to http://www.axantum.com/AxCrypt/Downloads.html and download it, you’ll get the correct file.
mike
Hi – I got a “win32/candyopen” warning from Windows Defender for the below:
C:\Program Files\Axantum\AxCrypt\AxCryptMessages.dll
and the msi package
\Axx apps\AxCrypt-1.7.2687.0-x64-en-US.msi
Hello mike,
Sorry for the delayed response.
Please use the latest legacy version (1.x). The latest legacy version does not have OpenCandy.
You can download the latest legacy version (1.x) of the AxCrypt app using the URL: http://www.axantum.com/axcrypt/legacydownloads.html – If you are facing any issues while downloading, please clear the browser cache and cookies for the site.
If you have any other queries, feel free to contact our support via support@axcrypt.net .
Richard Long
CandyOpen is detected on the version you just suggested to Mike. I tried all of these: 1.7.3180.0 (currently using), 1.7.2893.0 Beta MSI, 1.7.1878.0 Beta MSI, and MSFT Defender reports CANDYOPEN in all of them. There are reasons I am not on version 2, specifically I am committed to using timestamps that match the creation date of a file (historical backups), which version 2 removed and changed to match the OPEN date. Thus, how do we get around the CANDYOPEN being detected? Is it a false positive? Do we have a risk that came with the legacy packages and now need to live with it, or find something else to meet our requirements? Can you assure us that there is no risk? Can you explain CANDYOPEN and what in the legacy code is tripping it? Thank you.
Richard Long
May I add to my previous post: Both MSFT Defender and MBytes detect this and allow quarantine or removal. BUT, if you do either of these options, i.e., REMOVE or QUARANTINE, AxCrypt will no longer work! You will not get an option to encrypt/decrypt any files. The only solution I found is to reinstall 1.7 (pick one, they all have CANDYOPEN) and tell your system to accept the risk and ignore it. Thus, I believe the only clean way to resolve this is to get a software patch to fix the AxCrypt legacy version or, in my case, allow files to be timestamped with the creation date of the embedded file and not changed every time it is opened. I requested this years ago when V2 came out. Has there been any thought and change?
Hello Richard Long,
Please use the latest legacy version (1.x), AxCrypt-1.7.3233.0-Setup.zip. The latest legacy version does not have OpenCandy.
You can download the latest legacy version (1.x) of the AxCrypt app using the URL: http://www.axantum.com/axcrypt/legacydownloads.html
You already have a legacy version installed on your system. Please remove all legacy versions, then restart the system. Now download the above version and install it, then check again.
Now you can use the legacy version without any problem.
The AxCrypt app (2.x) will not update the modified datetime of the encrypted files unless the file contents are updated.
If there are any updates to the encrypted files, then AxCrypt will update the last modification datetime. Actually, we have added an additional column to keep track of the last modification datetime in the recent files list.
We have stopped developing new features and fixing issues for the legacy version (AxCrypt 1.x). We will not be actively developing 1.x, nor will support be a priority. We suggest that you use the latest AxCrypt 2.x app.
If you have any other queries, feel free to contact our support via support@axcrypt.net .
Richard Long
Thank you Prabhukumar R. Version (1.x) AxCrypt-1.7.3233.0 installed after deletion of the other versions. All is working fine. I will now do a full Defender scan and see if it hiccups. I appreciate the quick response.
Richard Long
An additional instruction to your fix is that the SETUP file for 1.7.2893.0 Beta MSI was causing the continuous errors from Defender. The install file needs to be deleted from your system in addition to installing version (1.x) AxCrypt-1.7.3233.0-Setup.zip. The full scan choked before I deleted the install file, despite my deleting my old running version. After deleting the old install file itself, the full scan finished cleanly.
Again, thanks for the help.
Another tip for those wanting to CLEAR the MSFT Defender Protection History is to simply delete the files in the folder C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service. I saw the tip to delete the folder itself, but it is protected and can’t be deleted. All but one file in the folder CAN be deleted.