riskware/deleter - 1Password-4.6.0.583.exe - False Positive? [Yes, it is a false positive]

g01
Community Member
edited July 2015 in 1Password 4 for Windows

When updating 1Password, the executable that gets downloaded is now being flagged as Riskware/Deleter by FortiClient Antivirus. Did something change?

Possibilities I can think of include:

  • Changes in 1Password
  • Changes to Fortinet's antivirus algorithms
  • The executable was compromised somehow

I've updated before, but it hasn't in the past. My current version is 4.5.0.575


1Password Version: 4.6.0.583
Extension Version: Not Provided
OS Version: Windows 7
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni
    edited July 2015

    @g01: No major changes to the app itself. However, we did recently strengthen the security checks the updater does to validate the server, connection, and download, so I wonder if that might upset "security" software that wants to inspect the connection directly — which simply won't work. Unfortunately false positives are all too common. :(

    I've reported this so we can reach out to the vendor to see what's going on. In the meantime, just download the latest version of 1Password directly from https://agilebits.com/downloads if your security software will not let you do so using the updater. Thanks for bringing this to our attention! :)

  • AGAlumB
    1Password Alumni
    edited July 2015

    @g01: And also be sure to reach out to the company yourself, as we've found they are often more receptive to their customers. But be sure to let them know that they can contact us directly at support+windows at agilebits dot com if they have any questions or require technical details. :)

  • Hi @g01,

    Just to update you, we've contacted them before but they said they would only take reports from their customers, so we can't be proactive here with the false positive reports. Please do email them as soon as you can.

  • Hi @g01,

    We have an update for you. We've reported a similar false-positive detection with version 4.6.0.585 to Fortinet today.
    After checking the files, Fortinet has concluded that this was indeed a false-positive and they have issued an update to their detection signatures. It should propagate to their customers' systems soon.

    Fortinet support has asked us to relay a request to our shared customers: If you find a false-positive in the future, please mark it as such in the FortiClient or FortiGuard when you see the threat notification.

    Cheers!

This discussion has been closed.