Malware warning
Hi, I am getting the same malware warning as this user: https://forums.zotero.org/discussion/82669/malware-warning. I have followed the recommended steps from dstillman (uninstall Z, scan system for malware, disk cleanup for the Temp directory, and reinstalled Z) and got the same message. Defender is removing the .tmp file - or I can't see it when I manually open the folder.
In this case, the affected .tmp file is file: C:\Users\[user name]\AppData\Local\Temp\ZOT3283.tmp
It comes up with some attempts to insert references but not all. This includes files with no attached pdf or saved webpage in Zotero.
Is it related to the Word plugin? What else can I try?
In this case, the affected .tmp file is file: C:\Users\[user name]\AppData\Local\Temp\ZOT3283.tmp
It comes up with some attempts to insert references but not all. This includes files with no attached pdf or saved webpage in Zotero.
Is it related to the Word plugin? What else can I try?
All Defender says is "Threat Detected", with the description Exploit:O97M/CVE-2012-0158.PI!MSR and asks for action (options are quarantine, remove, ignore). It lists the affected item (the .tmp files mentioned above). Category is listed as "exploit" and alert level is listed as "severe".
Defender offers a "learn more" link here: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Exploit:O97M/CVE-2012-0158.PI!MSR&threatid=2147751701
but that link doesn't really help much
https://nvd.nist.gov/vuln/detail/CVE-2012-0158
My guess is that, when Zotero inserts RTF into the document, it ends up producing an RTF snippet in the temp directory, and Windows Defender thinks it's this exploit from 2012 that can spread through RTF documents. This obviously doesn't happen for the vast majority of users, so I'm not sure what's different about your system that's causing it to occur.
I'm sorry - I don't know what to do from here
Word 2005 (Build 12827.20336)
I suspect it has to do with the Security Intelligence update in Defender, which updated this morning to v.1.319.76.0. The issues began after that.
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide
This is with MS Defender 1.319.1877.0 on Windows 10 19041.388, running Word 365 (version 2006 build 13001.20384) and Zotero 5.0.88, inserting a reference that reads "Grabbe 1979:400–401; Gero 1991".
I can suppress the error by adding the exploit to the allowed threats list in Windows Security, but this is not an attractive option!
I've been able to reproduce the trigger reliably using the Grabbe 1979 reference (see the log dump) along with a page range (whether to that individual item or another one after it).
I don't like to move to another tool, but with a non working Word companion it seems to be useless for me.
Thanks, Daniel
the same happened to me
but after updating windows defender it stopped