Known issue: Windows Defender flagging products as Trojans

Hayo_NI · 2023-03-27T10:07:18+00:00

There was an error rendering this rich post.

Hi all, PM of Native Access here.

Just wanted to let you all know we're aware that Windows Defender is deleting installers and flagging it as a Trojan, and are investigating the matter. We'll keep you posted on what we find and what actions we're taking.

To start with, we've assessed that many products are affected, but not all users experience the same issues with these products. Manually installing the products is working fine, but running the installers from Native Access is causing problems (both Native Access 1 and Native Access 2). We're currently looking into the tech that might be the cause, and are looking to see if there's anything we released that might've caused the installers to suddenly be flagged by the Windows Defender.

Please bear with us while we resolve the matter. In the meantime, we recommend you reach out to our support team here so we can help you get started. Apologies for the inconvenience.

Find more posts tagged with

Native Access

Native Access 2

Guitar Rig 6

Kontakt 7

ntkdaemon

Accepted answers

Hayo_NI

Hey all, just a daily update post for now on the state of affairs:

We're confident that there was no attack and we're confident that the NTK Daemon, Native Access 2, and all our product installers are malware/virus-free after running them through manual checks. It seems as though Windows Defender is continuing to make updates and less users are reporting issues, and it's apparent that these are false positives. Exactly why the installers are being flagged remains unknown, as the flagging can be sporadic.

We're going to wait it out one more day to see if there's more progress on Windows Defender side, and if the reporting trend rises again, we'll take some actions. For now, we recommend the following:

Update your Windows Defender to the latest version and see if that solves the installer issue.
If you're still experiencing issues but feel confident in the information we've disclosed here, then navigate to your Windows Defender history and allow the installer that got marked by pressing Allow on the entry, and try running the installer again.
If you don't feel confident to permit anything through Windows Defender, you can reach out to support here.

I'll return tomorrow afternoon with another update. Thanks for bearing with us!

All comments

infoomse

So from that I understand that you are not shure if this is a virus or not!

Andrew Koenig

It sounds like even if there is a malware problem in the Native Access installation process, it is possible to install the products directly, bypassing Native Access, without raising any red flags with Windows Defender.

The Sarge

@Hayo_NI

thanks for info, here an info you & your tech-team can need:

it´s NOT an pure Native-Access-Issue, because the same alert is within the IK-Product-Manger from IKM-Italy (and I don´t think that you´ve given them the NA-Code ;) )

there is a little chance, that you and they got the same attack, but for logical would be an MS-problem

regards from Germany

The Sarge!

Hayo_NI

Thanks @The Sarge!

@Andrew Koenig in the meantime, yes please use the link above and customer support will help you bypass Native Access if youre experiencing any issues.

@infoomse We aren't done diagnosing everything but we've scanned our product installers and we're convinced there's no malware or virus in them. Seems like it's a Windows thing but we still have some angles we're investigating.

We're also trying to find a good workaround but the ones we found are inconvenient thus far.

zzz00m

I'm not even seeing the latest Massive X 1.4.3 update here in Native Access 1, on Windows 10.

Do I need to update to Native Access 2 to get current updates?

LostInFoundation

@Hayo_NI

THANK YOU for taking the time to give us some information/instructions.

Some more of this interactions more frequently and we could even start to think to be followed by a real support

The Sarge

https://community.native-instruments.com/discussion/comment/60285#Comment_60285

same here, so what to do now?

Terrafinale

I had the "failed to install" error due to defender flagging installers as malware yesterday. Stopped the installation. I tried today to install and everything went smoothly.

Defender is no longer flagging. Time to jam!

Thank you

nico5

https://community.native-instruments.com/discussion/comment/60284#Comment_60284

This is the kind of post I've been waiting for, because

"... we've scanned our product installers and we're convinced there's no malware or virus in them"

explains why you haven't paused the Native Access updates distribution

"Seems like it's a Windows thing but we still have some angles we're investigating."

explains why you haven't simply called it a false positive, and why you've not yet said what made it happen.

"We're also trying to find a good workaround but the ones we found are inconvenient thus far."

explains why there's no official solution so far.

So thank you for this informative post! 👍️

And a small additional note:

Since Defender actually flags the product specific installer packages, and not Native Access, many individuals (including me) have been searching and posting in the appropriate product specific sub-forum/category, rather than the NATIVE ACCESS category.

For example in my case, I clicked the Install All button, and the installers for Komplete Kontrol and Massive X completed successfully, but then the Maschine 2 installer threw the error. So my natural instinct did not associate the issue with something common to Native Access, but with something rather specific to Maschine. And so I only looked in the Maschine forum without realizing that this issue was also happening on other installers for some other users.

So to make life easier for your users, it might be great, if you made this thread (and relevant followups) also visible in the each of the affected individual product categories. Or if that's not possible, maybe have a sticky post pointing to this thread in each relevant product category.

Thanks again!

Hayo_NI

Thanks @nico5. We're starting to narrow it down to how we build our installers, but aren't quite done investigating on a solution. We have no reason to believe any of the installers are malicious but please do keep making use of the support link if you're hesitant to allow the installers to go through. Otherwise, simply "Allow" them in the Windows Defender and try again. We'll link the other community sections to this post in the morning.

For those asking about Massive X updates, I'm seeing them in Native Access 2, so try upgrading. If you're having issues there, reach out to support as well.

Thank you all for your patience!

nico5

Thanks for your kind reply @Hayo_NI

Just as an update to how things have evolved on my particular system - AMD Ryzen 7900x, Win 10H2 (OS Build Build 19045.2673):

up to and including yesterday, Microsoft Defender flagged and quarantined the Machine 2 installation via Native Access, and Native Access' installation failed
today (maybe after another Defender definitions update - or just by chance), Defender still flagged and quarantined the installation zip file, but interestingly enough, the installation of the Maschine 2 update went ahead and apparently succeeded. (This is consistent with one or two other users' experience I've read over the last couple of days). One explanation might be that on a modern multi-core and multi-thread system there's a racing condition between the anti-virus and the de-compression and sometimes one happens first and sometimes the other. This could make a difference if the .zip file does trigger Microsoft Defender's flagging, while the extracted .exe file does not. -- So I continued to confirm or deny that theory:
I retrieved the quarantined zip file and extracted it via 7zip to a separate folder.
Then I ran the extracted Maschine 2 2.17.0 Setup PC.exe through a manual Microsoft Defender scan. It returned: 0 threats found and 3368 files scanned. -- ahhh - the installer does look clean!
And just while I was at it, I also decompressed the .exe file (also using 7zip) and initiated yet another Microsoft Defender scan on the resulting folder. It returned 0 threats found and 2780 files scanned. Fewer files presumably because I have a number of extensions like .png files excluded from scanning. - it confirms that all of the now fully decompress installer files are deemed clean.
Then I compressed the previously decompressed .exe file again (using 7zip "normal" compression) and initiated a Microsoft Defender scan on the resulting zip file. It returned 0 threats found and 3369 files scanned. Presumably the extra file is the zip file itself. -- this seems to further confirm that the problem might be a the final compression to zip with very specific parameters causes the flagging, while other compression parameters do not.
Then I compressed the .exe file again, but with the regular Windows compression via right clicking on the file and initiated a Microsoft Defender scan on the resulting zip file. It also returned 0 threats found and 3369 files scanned. Again, presumably the extra file is the zip file itself. -- More strengthening of evidence that it's just the parameters of the final compression algorithm ends up generating something in the final .zip file that trigger Defender's flagging.

So to me it looks like something the the final compression to zip creates a string that sets off Defender's alert. But the .exe and the files it includes are deemed entirely clean. -- So now I'm satisfied enough that indeed this is a false alarm by Microsoft Defender.

Just as a final test, I ran another scan on my system after the successful install of the Maschine update and the scan came back entirely clean. -- So now I truly share your evaluation that the installer is just fine.

Of course, this may all be already obvious to you and the technical team working on this.

However, I still documented my findings and thinking here, since it may help other readers of this thread to come to their own conclusion or even run a similar sequence of tests on their own system.

I generally try to explain how I came to a conclusion, rather than saying "everything is fine" or being silent for too long. I just think it makes it easier for readers to follow along and maintain trust.

MyStudioOne

Exact same issue installing latest version of Trimble Sketchup pro. Had to turn off Defender to install. Seems like a windows issue for sure...

Hayo_NI

Hey all, just a daily update post for now on the state of affairs:

We're going to wait it out one more day to see if there's more progress on Windows Defender side, and if the reporting trend rises again, we'll take some actions. For now, we recommend the following:

Update your Windows Defender to the latest version and see if that solves the installer issue.
If you're still experiencing issues but feel confident in the information we've disclosed here, then navigate to your Windows Defender history and allow the installer that got marked by pressing Allow on the entry, and try running the installer again.
If you don't feel confident to permit anything through Windows Defender, you can reach out to support here.

I'll return tomorrow afternoon with another update. Thanks for bearing with us!

zzz00m

I found one file in my Windows Defender log and quarantine from last week. It had nothing to do with NI or Native Access, as it was a zip file containing drivers for my motherboard. It had been dormant on my hard drive for over two years. Somehow Windows Defender identified it as the same trojan and quarantined it.

So this lines up with other observations that the recent Defender trojan alerts were hit or miss, and affected applications from other vendors as well.

A precaution before running an executable file restored from quarantine, is to submit the file(s) to VirusTotal for analysis (650MB max file size). https://www.virustotal.com/gui/home/upload

"VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods."

[Deleted User]

No formatter is installed for the format not-found

Quick links

Unanswered questions