Virus in Desktop 15?

I know this is similar to a previous report last October about Desktop 14. And here it’s still McAfee doing the virus-reporting. However, the virus-ID is different here, and McAfee’s reaction seems somewhat different; so, I’m going to report this, as I don’t want a bug infecting me…

July 15, I downloaded Desktop version 15.0.266 for Windows (10). AFTER installation, McAfee suddenly reported that it had quarantined this file:
“C:\Program Files (x86)\Keyman\Keyman Desktop\sentry-0.4.9\crashpad-handler.exe”
The virus McAfee reported was:
JTI/Suspect.196612!15c799934aaf

Then, on July 29, I tried to download version 15.0.267 (probably updating from within the Keyman app?). As soon as I told Windows that yes, Keyman could modify my computer, I got a message from McAfee that it had just caught a “fileless” kind of malware trying to do something and had taken care of the problem. THAT WAS ALL, the install didn’t actually happen:
“We caught something trying to hijack one of your apps. Don’t worry, we took care of it.”

At which point, I clicked on Keyman Configuration, and Windows went through a minute or two of re-“configuring Keyman 15.0.266” for me. And – McAfee came back with the VERY SAME REPORT as before (see above, 2022-07-15) – reporting the same virus.

Any enlightenment will be appreciated!

Yes, McAfee anti-virus software is causing us a bit of trouble at present. We’ve reported a false positive with crashpad-handler.exe, but have not yet heard back (which reminds me, I need to follow up on this). You may also find it helpful to submit the crashpad-handler.exe file as a false positive, following the instructions at https://www.mcafee.com/support/?articleId=TS103032&page=shell&shell=article-view

McAfee anti-virus also seems to be the only anti-virus software that has been tripping up on Keyman – we haven’t seen reports of this with other anti-virus software for quite some time.

It’s frustrating but we’re pretty certain that the installer is virus free. The build systems are dedicated systems on a secured network, and the files are all signed at build time so there can be no chance of them being modified later.

I don’t know what they mean by “something trying to hijack one of your apps”? If there are any logs you can find that report what the “hijack” was, that might help us to determine the cause of the problem. As Keyman does interact with keyboard input with all apps, it is possible that they are seeing our hooks into the keyboard input queue and thinking that that is unwanted?

McAfee is still quarantining the crashpad handler.

The referenced instructions at “How to submit false positives to McAfee (TS103032)” do not provide me, a user, any way to report this kind of problem. Instructions for websites and links only.

They do link to a page for you: “Dispute a Detection & Allowlisting Data”.

Thanks for letting us know, @bnevin. I’ve submitted the false positive report to McAfee again on that link, and hopefully we’ll have more success this time!

I’ve received an email from McAfee telling me that the file has been whitelisted, so hopefully this is finally resolved!


As of about a week ago it was still quarantining it, so I uninstalled McAfee. I’m home again. I’ll reinstall McAfee and see.


Turns out the crashpad_handler executable is in two locations:

  • C:\Program Files (x86)\Keyman\Keyman Desktop\sentry-0.4.9\crashpad_handler.exe
  • C:\Program Files (x86)\Keyman\Keyman Developer\sentry-0.4.9\crashpad_handler.exe

Users whitelist them locally:

  1. Open your McAfee security software.
  2. On the left menu, click the My Protection tab.
  3. Under Protect your PC, click Real-Time Scanning.
     NOTE: The files that you exclude under this menu will also be excluded from On-Demand, Scheduled, and command-line scanning.
  4. Under Excluded Files, click Add file.
  5. Browse to, and select, the file that you want to exclude from being scanned.
  6. Repeat the process as needed to exclude multiple files from being scanned.

After making these changes, the files are excluded from all scanning in your McAfee software.

Source document for this procedure:

https://www.mcafee.com/support/?locale=en-US&articleId=TS102056&fromSearch=true&page=shell&shell=article-view
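
An earlier reply in this thread says the files are signed at build time, and the exclusion above removes them from all scanning. This added example (not from the thread or the Keyman project) checks the Authenticode signature and SHA-256 of each crashpad handler before it is excluded. The two directories come from the thread; `$ExpectedSigner` is a placeholder to be set to the publisher shown on a known-good Keyman binary.

```powershell
# Added example: verify signatures before adding files to a scanner exclusion list.
# The two directories are the install locations named in this thread.
$dirs = @(
    'C:\Program Files (x86)\Keyman\Keyman Desktop\sentry-0.4.9',
    'C:\Program Files (x86)\Keyman\Keyman Developer\sentry-0.4.9'
)

# Assumption: placeholder value, replace with the publisher name you expect.
$ExpectedSigner = '<EXPECTED-PUBLISHER-PLACEHOLDER>'

$results = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        [pscustomobject]@{ Path = $dir; Status = 'DirectoryMissing'; OkToExclude = $false }
        continue
    }

    # The thread spells the file both crashpad-handler.exe and crashpad_handler.exe,
    # so match either separator character.
    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'crashpad?handler.exe' -File)
    if ($files.Count -eq 0) {
        # A quarantined file is no longer on disk; restore it before checking.
        [pscustomobject]@{ Path = $dir; Status = 'FileMissing'; OkToExclude = $false }
        continue
    }

    foreach ($f in $files) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $f.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Path        = $f.FullName
            Status      = $sig.Status      # 'Valid' means the file is unmodified since signing
            Signer      = $signer
            SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            # Exclude only when the signature validates and the signer is the expected one.
            OkToExclude = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")
        }
    }
}

$results | Format-List
```

Re-run the check after each Keyman update, since a file-path exclusion keeps applying to whatever file is later placed at that path.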

This topic was automatically closed after 14 days. New replies are no longer allowed.