client icon indicating copy to clipboard operation
client copied to clipboard
verified publisher icon keybase

Bitdefender ransomware issue

Open jansuvak opened this issue 6 years ago • 11 comments

Keybase GUI Version: 3.2.2-20190411231308+5262f90fd9

The application is blocked by Bitdefender Total Security - ransomware remediation.

Putting the app on the exceptions lists solved the issue for me.

Ransomware behavior remediated 4 minutes ago

Feature: Ransomware remediation

The process C:\Users...\AppData\Local\Keybase\keybaserq.exe manifests ransomware behavior and was blocked. Your files have been protected from being altered.

jansuvak avatar May 06 '19 08:05 jansuvak

I've contacted Bitdefender and they're currently "analyzing" the file. As soon as I hear back from them I'll leave a comment here.

pzduniak avatar May 16 '19 19:05 pzduniak

Same problem here !

juanmigutierrez avatar May 17 '19 04:05 juanmigutierrez

I'll keep this open until they respond to us.

pzduniak avatar May 17 '19 11:05 pzduniak

Me too. Looking for an update...

XenonofArcticus avatar May 21 '19 09:05 XenonofArcticus

According to BitDefender this file will not be detected in a few updates (I don't know what's an "update" either). I emphasised that we sign our binaries with an EV certificate from a trusted vendor so our software shouldn't be detected, but they claim it's not (I've checked multiple builds many times, we sign everything).

If you run into this again I would definitely recommend reporting it to BitDefender rather than us, especially if you're paid customers. There's not much that we can do about antivirus companies randomly deciding that we're ransomware.

pzduniak avatar May 24 '19 16:05 pzduniak

@pzduniak according to VirusTotal and Windows, keybaserq.exe is NOT signed. This is the file that Bitdefender is complaining about.

It does not complain about the main keybase.exe (without the rq) as it IS signed.

  • keybaserq.exe: https://www.virustotal.com/gui/file/5f7dcff9f081b75f0aeb230dc4642d5d3d57bc0d5ddadad9b125c9e8dbef0722/details

keybaserq-exe_not_signed

  • keybase.exe: https://www.virustotal.com/gui/file/c1f6be59089e68fff2a9b956bfd8c0a0dd4030bc63941fec011f97a4eccc55a8/details

keybase-exe_signed

and side-by-side in Windows, keybaserq.exe does not have a Digital Signatures tab like keybase.exe does.

keybaserq-keybase-win

dustinschultz avatar Apr 17 '20 23:04 dustinschultz

Unfortunately this is still an issue. I just had it happen to me. I've set up an exception for keybaserq.exe, but obviously this is not ideal.

lord-aerion avatar Aug 20 '20 11:08 lord-aerion

@pzduniak same issue as dustin, the keybaserq.exe does not have a digital signature section. Does this indicate it's unsigned? When you open it up on your computer does it have a digital signature section?

caleb15 avatar Dec 17 '21 22:12 caleb15

Bumping this back up @pzduniak any updates?

MoffySky avatar Feb 20 '24 21:02 MoffySky

Malwarebytes just flagged and quarantined the keybaserq.exe file on my system. haven't seen this previously. image malwarebytes-keybaserq.txt

therevoman avatar Mar 04 '24 15:03 therevoman

Now detected by 7 AV engines. This file really should be signed.

https://www.virustotal.com/gui/file/69feba321acb012881ad8c855668eb7e7791ab59d67093bc46abbb6fceec37f4

ericlaw1979 avatar May 28 '24 23:05 ericlaw1979