Komodo Edit Ranbyus trojan

Hi, sorry if this is the wrong section, but I just installed Komodo Edit on Windows and Windows Defender came up saying it had found trojan Ranbyus in the Komodo Edit files. Just thought you should know.


Some more info:
TrojanSpy: Win32/Ranbyus
In C:\Program Files (x86)\ActiveState Komodo Edit 9\lib\mozilla\python\komodo\krypt\hash\MD4.pyd
and also windows\installers\23de369.msi>media.cab>core.file._lib_mozilla_python_komodo_Crypto_Hash_MD4.pyd

Yeah, I got it too. Microsoft Security Essentials caught it on W7 and Windows Defender on W10.

file:C:\Program Files\ActiveState Komodo Edit 9\lib\mozilla\python\komodo\Crypto\Hash\MD4.pyd

It looks serious enough to raise a big red flag.

There are no viruses in Komodo; it's funny that Windows thinks that a hash algorithm is a virus. Anyway, that should be fixed.

That's good to know. Thanks for the response!

We actually have systems in place to ensure we don't ship with false positives like this, not sure why this slipped through. @careyh can you look into this?

To clarify: we do NOT ship with any sort of virus or trojan, this is a false positive.

OK. So, with that MD4.pyd file gone (both Defender and MSE zapped it), are there any side effects to be expected? Or should I re-install?

Yes, it will likely break in certain places. For now you should simply whitelist the file until we are able to provide a fix.

What version of Windows are you using, by the way?

@foxharry @cheshiredesigner,

First confirm that the download you got matches the MD5SUMS we provide with the Komodo installers. If they match then please report this as a false positive to Windows Defender. There isn't anything we can do about it on our end.

  • Carey

I'm running it on one old W7 and on one more recent W10 machine.

Unfortunately I have allowed the file to be removed in both cases, so whitelisting is not an option at this point.

If the manure hits the fan I guess I'll just reinstall in one place and copy the file over to the other, unless you can provide me with a copy of MD4.pyd.

Thanks for your quick response!

You can always re-download or re-install, you should still be able to whitelist.

Please also check your MD5 sums as per @careyh's post. Also, could you tell us where you obtained your copy of Komodo from?

There isn't anything we can do about it on our end.

That may get you some annoyed user feedback.

I have always downloaded Komodo from the komodoide site. The issue only arose after an automatic update. I wouldn't know how to checksum-check those.

Fair enough, but there really isn't anything we can do other than what we've already done, which is scan releases before they are shipped and generate and provide MD5SUMS on those checked files (so you can confirm they are the same file we provided).

If the virus scanner heuristics decide that a binary file matches some pattern that they are scanning for, then all we can do is alert them to their mistake. Since we can't reproduce the issue, we need you to report it as safe since you've confirmed with us (as you should) that it is. I'm not passing the buck. I'm just letting you know that there isn't actually anything we can do. I'm DEFINITELY not saying that YOU have done anything wrong by telling us, that is for certain :blush:.

Automatic update bits are generated and check-summed at build time and will fail if those checksums are wrong so you can rest assured that you have the files we intended you to have.

  • Carey
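Checking a downloaded installer against the vendor's MD5SUMS file, as asked for in this post and the earlier one. This is an added example, not Komodo's own tooling: it assumes the usual `md5sum` text layout (`<hex digest>  <filename>` per line, optional `*` binary marker) and uses constructed file contents.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse md5sum-style text ("<32 hex chars>  <filename>" per line) into
    {filename: digest}. A leading '*' (binary-mode marker) is dropped and the
    digest is lower-cased; blank and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            continue
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, md5sums_text):
    """Return "ok", "mismatch" or "unlisted" for the file at `path`.
    "unlisted" (no entry for this filename) must be treated as a failure:
    an absent entry proves nothing about the file."""
    expected = parse_md5sums(md5sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    return "ok" if expected == md5_of_file(path) else "mismatch"


def demo():
    """Constructed installer bytes and MD5SUMS text; returns the three outcomes."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "Komodo-Edit-example.msi")  # constructed name
        with open(good, "wb") as f:
            f.write(b"constructed installer contents")
        sums = "%s *%s\n" % (md5_of_file(good), os.path.basename(good))
        sums += "00000000000000000000000000000000  tampered.msi\n"
        tampered = os.path.join(d, "tampered.msi")
        with open(tampered, "wb") as f:
            f.write(b"different bytes")
        return (verify_download(good, sums), verify_download(tampered, sums),
                verify_download(os.path.join(d, "other.msi"), sums))
```

A match only shows the bytes are the ones the vendor published alongside the list; it says nothing about whether the list itself was fetched from the right place.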

@cheshiredesigner, can you confirm how you got onto the affected release? Was it auto-update as well?

  • Carey

Hi again. I'm not blaming anyone here. As a software developer all I'm saying is: "if this happens to me, why shouldn't it happen to everybody else?". And that is something to worry about.

Anyway, I found a Komodo-Edit-9.3.0-16396.msi in my download directory that I must have downloaded manually on November 4. It gave me no problems. I vaguely remember Komodo (version before that) saying that I should download it manually because an update could not be done. I have seen that before, so I was not surprised or worried.

That was v9.3.0. A few days ago Komodo Edit (W10) told me that an upgrade 9.3.1 was available, and I let it run the show. Windows Defender cut in after installation had completed.

Right now I just did a clean install of Komodo Edit on yet another W10 laptop. This version was downloaded this morning from 'http://komodoide.com/download/edit-win32/#'.

The MD5 checksum matches.

Windows Defender here, too, finds the MD4.pyd to be a problem.

@foxharry,

Thanks for doing the followup of downloading and checking the checksums.

I downloaded the installer again, updated my Windows Defender and I do now get a warning from Windows Defender.

I've checked previous builds and newer builds. None of those builds set off Windows Defender. The source for those files is the same, but they are compiled at build time so they vary when checked with md5sum. Frustratingly (hey, that is a word!) enough, that one build seems to have somehow triggered Windows Defender.

If you could try reporting the issues as a false positive from your PC we would appreciate that. I will be doing the same here.

We're already planning to do a release soon so this will be resolved then.

Apologies for this hassle!

  • Carey

Hi, sorry for not responding sooner. I downloaded it from the Komodo website as a full new install, not an update. I've also let Windows Defender remove the file (currently not had anything break since doing that) but will redownload tonight and whitelist it.
Windows 8.1 here.


Done!

Frustratingly, a post must be at least 10 chars long. :wink:

Thanks for helping out!
