Malware warning

djfmay
Hi, I am getting the same malware warning as this user: https://forums.zotero.org/discussion/82669/malware-warning. I have followed the recommended steps from dstillman (uninstall Z, scan system for malware, disk cleanup for the Temp directory, and reinstalled Z) and got the same message. Defender is removing the .tmp file - or I can't see it when I manually open the folder.
In this case, the affected .tmp file is file: C:\Users\[user name]\AppData\Local\Temp\ZOT3283.tmp

It comes up with some attempts to insert references but not all. This includes files with no attached pdf or saved webpage in Zotero.

Is it related to the Word plugin? What else can I try?
  • djfmay
    Correction - each time, it is a slightly different .tmp file, though still beginning with the descriptor ZOTetcetc.temp
  • dstillman
    What exactly are you doing in Zotero when this pops up?
  • djfmay
    I have Zotero and Word open. I go to insert a reference into a word document, use the plugin to insert the reference straight from Zotero, and I get 2 error messages. The first is a generic error message from Zotero that recommends some basic troubleshooting steps. The second is the notification from Windows defender
  • dstillman
    It's likely some sort of false positive from Windows Defender, being triggered by temporary files created as Zotero inserts citations, but I'm not sure we can tell you more than that. What exactly does it say it's finding?
  • djfmay
    Thanks - I really like Zotero and the plugin has been immensely helpful, so I hope you're right! Any thoughts on what I could do other than virus scans, reinstalls?

    All Defender says is "Threat Detected", with the description Exploit:O97M/CVE-2012-0158.PI!MSR and asks for action (options are quarantine, remove, ignore). It lists the affected item (the .tmp files mentioned above). Category is listed as "exploit" and alert level is listed as "severe".

    Defender offers a "learn more" link here: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Exploit:O97M/CVE-2012-0158.PI!MSR&threatid=2147751701

    but that link doesn't really help much
  • dstillman
    OK, so it's triggering the same rule as the other thread. Would you mind making a copy of one of the .tmp files and emailing it to support@zotero.org with a link to this thread?
  • dstillman
    Basically, though, it thinks it's this:

    https://nvd.nist.gov/vuln/detail/CVE-2012-0158

    My guess is that, when Zotero inserts RTF into the document, it ends up producing an RTF snippet in the temp directory, and Windows Defender thinks it's this exploit from 2012 that can spread through RTF documents. This obviously doesn't happen for the vast majority of users, so I'm not sure what's different about your system that's causing it to occur.
  • djfmay
    This is weird - I have searched for the .tmp files and looked manually but can't find them. I have also tried to redo the process but 'allow' the files, just to copy it and send to you, but still can't see it. Perhaps Defender is simply deleting them immediately regardless of my action? Or in the course of inserting the citation (when 'allowed', the citation inserted correctly), the .tmp file is erased?

    I'm sorry - I don't know what to do from here

  • dstillman
    Can you find the .tmp file before clicking Ignore? If you let it insert, the temp files will certainly disappear.
  • djfmay
    I have tried multiple times and sadly not.
  • jatwood777
    As of this morning I'm receiving the same Defender warning, and am unable to enter any citations in a Word document. I've tried reinstalling/temp wiping but continue to have the ZOT****.tmp flagged for Exploit:O97M/CVE-2012-0158.PI!MSR. Defender seems to delete the files before I can access them.
  • dstillman
    What exact versions of Windows and Word is this?
  • jatwood777
    Win 10 10.0.19041
    Word 2005 (Build 12827.20336)

    I suspect it has to do with the Security Intelligence update in Defender, which updated this morning to v.1.319.76.0. The issues began after that.
  • dstillman
    You should report it to Microsoft as a false positive.
  • jasminlukkari
    I'm having this Windows defender warning too now. I am able to add a reference without page numbers, but as soon as I try to add page numbers I get the malware warning. This happens only with one book so far and only in one file, i.e. I can add that reference and page numbers without warning in another file.
  • John Percival
    edited July 20, 2020
    I just experienced this too. Does anyone know if there is any way to grab a copy of the offending file for analysis? @dstillman, I'd happily use the MS reporting tool for false positives if you could help me secure a copy of the file
    https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide

    This is with MS Defender 1.319.1877.0 on Windows 10 19041.388, running Word 365 (version 2006 build 13001.20384) and Zotero 5.0.88, inserting a reference that reads "Grabbe 1979:400–401; Gero 1991".

    I can suppress the error by adding the exploit to the allowed threats list in Windows Security, but this is not an attractive option!
  • John Percival
    This document contains a lengthy discussion of the exploit, which may provide some insight into why Zotero is triggering this: https://www.sophos.com/en-us/medialibrary/PDFs/technical papers/CVE-2012-0158-An-Anatomy-of-a-Prolific-Exploit.PDF
  • John Percival
    edited July 20, 2020
    I've just shared a debug log of updating the problematic reference with Windows Security blocking the first attempt, and then with Windows Security protection suppressed, allowing the second attempt. Zotero Debug ID D1462121944

    I've been able to reproduce the trigger reliably using the Grabbe 1979 reference (see the log dump) along with a page range (whether to that individual item or another one after it).
  • chappy72
    Any update so far? I have the same MS Defender error now, every time I want to insert a citation in Word (Win 10, 2004, Zotero 5.0.92, Word 365).

    I don't like to move to another tool, but with a non working Word companion it seems to be useless for me.

    Thanks, Daniel
  • John Percival
    My offer to assist in any way still stands, but I need dev input to tell me what info they need... I'm happy to attempt a report to MS as a false positive, but I have not been able to capture the problematic file so I can report it.
  • dino97
    Update your windows defender
    the same happened to me
    but after updating windows defender it stopped
  • John Percival
    I can confirm that this is no longer triggering a warning on my computer either. Seems like Defender update has sorted it.
Sign In or Register to comment.