[TC11.55RC6] Virus warning

[Gokhan]

[TC11.55RC6] The CAB file inside the setup file is trigger a virus warning. If I extract the RAR file with WinRAR, it works normally, but when I open it with Total Commander, I get a virus alert. (Windows10 Virus & Threat protection)

[ghisler(Author)]

Not confirmed. Virustotal also finds nothing:
64-bit: https://www.virustotal.com/gui/file/9b59355b900e8a1cd4943979d5dd072d752e4bc3cd1ba4498530ac9e457266c8
32-bit: https://www.virustotal.com/gui/file/ae70ef4254eb3f7a7c4863ff25fef4839ebebb9ddd36aee259b22626819006b6
Combined: https://www.virustotal.com/gui/file/8f08df88c27db92943e7b6804a60acbef730c45b7c5027bf74c700e94e64b8b8

What virus is being reported?

[Horst.Epp]

Not confirmed.
The actual Windows Defender scans the whole setup with no viruses
and also opening the archive in TC shows no problems.
VirusTotal says
No security vendors flagged this file as malicious.

I guess your antivirus database is not actual.

[petermad]

2Gokhan

If I extract the RAR file with WinRAR

Do you mean the CAB file?

[Gokhan]

I restarted my computer and extracted the sample.rar file using WinRAR. There was no issue. Then, I tried with TC11.51, and again, I got a warning that the sample.rar file was infected with a virus, and Windows10 Virus & Threat Protection deleted it again.

Meanwhile, the "2025-06 Cumulative Update for Windows 10 Version 22H2 for x64-based Systems (KB5060533)" had downloaded in the background.

Now, I no longer get a warning when opening the RAR file.

However, when I try to access the CAB file inside the setup file "tc1155x64_rc6.exe" using Total Commander, I still get the following warning message:
-------------
Sample submission
Windows Defender Antivirus would like to check the following file to see if they are safe
-> C:\User\abc\AppData\Local\Temp\_tc\INSTALL.CAB
-------------
I had never received this warning with any previous versions.

[Dalai]

Where is the connection between this sample.rar file and TC's install.cab (or tc1155x64_rc6.exe)? What does the sample.rar file contain?

[Gokhan]

I previously worked with the 'sample.rar' file using older versions of Total Commander and never received any warnings. However, after getting the warning about the CAB file inside 'tc1155x64_rc6.exe,' I also started receiving consecutive warnings about 'sample.rar'.

The warning about submitting a sample is not triggered by 'tc1155x64_rc6.exe' itself, but rather by the CAB file inside it.

Windows Defender is no longer flagging sample.rar as a threat.

sample.rar contain docx files

[DRP535]

Turn off the worse than useless Windows Defender: problem solved

[Horst.Epp]

Turn off the worse than useless Windows Defender: problem solved

No, I have no such problem with Defender.
I was Ant+virus admin in large companies with all sort of solutions.
At home, I have Defender since a long time and there are fewer problems compared to 3rd party solutions.

[ghisler(Author)]

What you see in action is a so-called behavior based analysis: The scanner sees that an installation file (cab) gets unpacked to TEMP, and since it was taught that some virus downloaders do this, it flagged the process as suspicious. You will probably not get the error when you instead unpack the CAB file with F5 to some other directory. I do not currently get this warning with Windows Defender, so maybe they fixed it in the meantime.

Btw, a long time ago I changed the behavior of my installer for exactly this reason: Previously, the installer would unpack the CAB file and actual install.exe to TEMP, and then run install.exe from TEMP for the installation. This caused too many problems with virus scanners, so now the installer directly installs the files from itself without putting anything in TEMP. This is done by packing the CAB file with 0 compression so it can be accessed directly. Unfortunately there is no such workaround when opening inner archives, because most inner archives (e.g. tar.gz) are not just stored.

Since this isn't a Total Commander bug I could fix, I'm moving this thread to the English forum.

Moderator message from: ghisler(Author) » 2025-06-15, 07:47 UTC

Moved to English forum