Kaspersky antivirus flagging JetBrains IntelliJ IDEA SonarLint plugin files as a threat

When scanning SonarLint’s plugin folder for viruses with Kaspersky, it will detect two possible threats.

Versions used:

  • OS: Windows 10 Pro Version 21H1
  • IDE: JetBrains IntelliJ IDEA Ultimate 2021.2.3
  • Plugin: SonarLint 6.2.0.39326

File paths:

  • ~\AppData\Roaming\JetBrains\IntelliJIdea2021.2\sonarlint\plugins\71c88a33975800d6afea70bd08c09c15\sonar-cfamily-plugin-6.19.0.30153.jar
  • ~\AppData\Roaming\JetBrains\IntelliJIdea2021.2\sonarlint\plugins\71c88a33975800d6afea70bd08c09c15\sonar-cfamily-plugin-6.19.0.30153.jar//static/build-wrapper-win-x86.zip//build-wrapper-win-x86///static/build-wrapper-win-x86.zip//build-wrapper-win-x86-64.exe

The detected type of the threat:

Workaround:

  • Add the files to the exclusion list of your antivirus

Hello @anon34920745 and welcome to the community!
Thank you for this detailed report and thanks for providing a workaround as well. I’m not sure we can do much on our side. To me it looks like a false positive on Kaspersky’s side. But we will take this unfortunate behaviour into account. Maybe at some point it could be fixed somehow.
Have a great day!

Hi @Kirill_Knize ,

I received the same warning multiple times today.

I’m not sure we can do much on our side.

It would be good if you checked with Kaspersky in order to

  1. make sure it’s really a false positive alert!
  2. make them fix it, so that thousands of SonarLint users don’t have to configure some workaround

Hi,

One problem here is that when SonarLint loads its plugins, it has to copy them to a separate “cache” directory. This cache directory is never purged, so the content will grow as you update SonarLint. We have a ticket to track this issue.
All that to say that this file: ~\AppData\Roaming\JetBrains\IntelliJIdea2021.2\sonarlint\plugins\71c88a33975800d6afea70bd08c09c15\sonar-cfamily-plugin-6.19.0.30153.jar is pretty old, and can be safely removed. FYI latest SonarLint version embeds version 6.27 of the cfamily plugin.

Regarding false positives from antivirus software, we had similar cases with Windows Defender, and they have a public form online where as a software vendor you can submit your case.
For Kaspersky, I found this article, but since we don’t have Kaspersky to reproduce, can you please provide the following information:

  • The version of your operating system
  • Name and version of your Kaspersky application
  • The databases update date in the Kaspersky application
  • a screenshot of the error message

Thanks

Hello there

Excuse my late reply. Thank you for explaining the situation! I noticed that the folder containing the false positive is now empty (~\AppData\Roaming\JetBrains\IntelliJIdea2021.2\sonarlint\plugins\71c88a33975800d6afea70bd08c09c15\). I have also run the file scan again, just to make sure, and haven’t gotten any threats. Did a recent plugin update remove these old files?

I decided to not include my system information as it seems to have been resolved. If you’d still like me to provide the information you requested, I’ll gladly do so.

Thanks

Not a change from our side. Maybe Kaspersky putting the file in quarantine?

You are correct. They got moved to quarantine even though I explicitly told it not to do so. They still get detected as a threat. Here’s the info you requested earlier:

  • Operating system: Windows 10 Pro 21H2 19044.1387
  • Kaspersky: 21.3.10.391 (g)
  • Kaspersky virus database release date: Most recent (Today, 26/11/2021 22:51:00)

Error messages:

Event: Disinfection not possible
User: ***
User type: Active user
Component: Virus Scan
Result: Not processed
Result description: Not processed
Type: Trojan
Name: VHO:Trojan.Win32.Convagent.gen
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object name: sonar-cfamily-plugin-6.19.0.30153.jar
Object path: C:\Users\***\AppData\Roaming\JetBrains\IntelliJIdea2021.2\sonarlint\plugins\71c88a33975800d6afea70bd08c09c15
MD5: 71C88A33975800D6AFEA70BD08C09C15
Reason: Logged

Event: Malicious object detected
User: ***
User type: Active user
Component: Virus Scan
Result: Detected
Result description: Detected
Type: Trojan
Name: VHO:Trojan.Win32.Convagent.gen
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object name: sonar-cfamily-plugin-6.19.0.30153.jar
Object path: C:\Users\***\AppData\Roaming\JetBrains\IntelliJIdea2021.2\sonarlint\plugins\71c88a33975800d6afea70bd08c09c15
MD5: 71C88A33975800D6AFEA70BD08C09C15
Reason: Cloud Protection

Event: Disinfection not possible
User: ***
User type: Active user
Component: Virus Scan
Result: Not processed
Result description: Not processed
Type: Trojan
Name: VHO:Trojan.Win32.Convagent.gen
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object name: build-wrapper-win-x86-64.exe
Object path: C:\Users\***\AppData\Roaming\JetBrains\IntelliJIdea2021.2\sonarlint\plugins\71c88a33975800d6afea70bd08c09c15\sonar-cfamily-plugin-6.19.0.30153.jar//static/build-wrapper-win-x86.zip//build-wrapper-win-x86
MD5: 68982075A9F16EF5EC982A2FDF4587C2
Reason: Logged

Event: Malicious object detected
User: ***
User type: Active user
Component: Virus Scan
Result: Detected
Result description: Detected
Type: Trojan
Name: VHO:Trojan.Win32.Convagent.gen
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object name: build-wrapper-win-x86-64.exe
Object path: C:\Users\***\AppData\Roaming\JetBrains\IntelliJIdea2021.2\sonarlint\plugins\71c88a33975800d6afea70bd08c09c15\sonar-cfamily-plugin-6.19.0.30153.jar//static/build-wrapper-win-x86.zip//build-wrapper-win-x86
MD5: 68982075A9F16EF5EC982A2FDF4587C2
Reason: Cloud Protection
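
Added example, not part of any post in this thread and not SonarLint or Kaspersky code: one way to triage a detection like the one logged above is to walk the cached jar and its nested archives and match each member's MD5 against the values in the scan log. The function names, the depth and size limits, and the sample jar (dummy bytes, built in memory) are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 4              # assumed limit on archive nesting
MAX_MEMBER = 64 * 2**20    # assumed per-member size cap (bytes) against zip bombs

def md5_hex(data: bytes) -> str:
    # MD5 is used only because the scan log reports MD5; it identifies a file,
    # it says nothing about whether the file is benign.
    return hashlib.md5(data, usedforsecurity=False).hexdigest().upper()

def walk(data: bytes, path: str, depth: int = 0):
    """Yield (path, MD5) for a blob and, recursively, every member if it is a ZIP/JAR."""
    yield path, md5_hex(data)
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            # "//" marks an archive boundary, as in the scan log's object paths
            yield from walk(zf.read(info), f"{path}//{info.filename}", depth + 1)

def locate(jar: bytes, jar_name: str, reported_md5s):
    """Map each MD5 from the scan log to the nested paths that carry it."""
    wanted = {m.upper() for m in reported_md5s}
    hits = {m: [] for m in wanted}
    for path, digest in walk(jar, jar_name):
        if digest in wanted:
            hits[digest].append(path)
    return hits

def build_sample_jar():
    """Constructed stand-in for the cached plugin: jar -> zip -> exe (dummy bytes)."""
    exe = b"MZ constructed placeholder, not the real build wrapper"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("build-wrapper-win-x86/build-wrapper-win-x86-64.exe", exe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("static/build-wrapper-win-x86.zip", inner.getvalue())
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return outer.getvalue(), exe

if __name__ == "__main__":
    jar, exe = build_sample_jar()
    for md5, paths in locate(jar, "sample-plugin.jar", [md5_hex(jar), md5_hex(exe)]).items():
        print(md5, paths)
```

Against a real cache entry, pass the jar's bytes and the MD5 values from the scan log to `locate`; an MD5 with no matching path means the file on disk is not the object the scanner reported.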

Small update on this thread. Since the file that has been wrongly detected as malware is an old file you can safely remove, I won’t bother Kaspersky support with this case. Anyway, thanks for your report; we will have a better understanding of how to report a similar case in the future if that happens again.