[GH-ISSUE #4065] [BUG]: Webroot SMD #2591

Closed
opened 2026-02-22 18:30:22 -05:00 by yindo · 2 comments
Owner

Originally created by @likeahoss on GitHub (Jun 28, 2025).
Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4065

How are you running AnythingLLM?

AnythingLLM desktop app

What happened?

Why do NSIS files detected as malware by Webroot SMD engine?

  • $PLUGINSDIR/WinShell.dll
  • $PLUGINSDIR/INetC.dll
  • $PLUGINSDIR/nsExec.dll

Why isn't the exe digitally signed?

Are there known steps to reproduce?

https://metadefender.com/results/file/bzI1MDYyOGdGVk9OVVJmUTZFYTk5WUNHMmNu_mdaas

Originally created by @likeahoss on GitHub (Jun 28, 2025). Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4065 ### How are you running AnythingLLM? AnythingLLM desktop app ### What happened? Why do NSIS files detected as malware by Webroot SMD engine? - $PLUGINSDIR/WinShell.dll - $PLUGINSDIR/INetC.dll - $PLUGINSDIR/nsExec.dll Why isn't the exe digitally signed? ### Are there known steps to reproduce? https://metadefender.com/results/file/bzI1MDYyOGdGVk9OVVJmUTZFYTk5WUNHMmNu_mdaas
yindo added the possible bug label 2026-02-22 18:30:22 -05:00
yindo closed this issue 2026-02-22 18:30:22 -05:00
Author
Owner

@anytrace-ai-support-engineer-yc-s25 commented on GitHub (Jun 28, 2025):

Summary of the issue

This is a false positive. It is likely caused by a combination of a bad heuristic implemented by Webroot and a lack of a publisher signature; some heuristics implement a high risk score for DLLs that are unsigned and transient (dropped in a temp dir at runtime).

Verified steps

mkdir -p ~/tmp/nsis_ref
cd ~/tmp/nsis_ref

# Download the official NSIS 3.0.4 ZIP that electron-builder fetches
curl -LO https://repo.huaweicloud.com/electron-builder-binaries/nsis-3.0.4/nsis-3.0.4.zip

# 
7z e nsis-3.0.4.zip \
   'electron-userland-electron-builder-binaries-fac48dd/nsis/Plugins/x86-unicode/nsExec.dll'

shasum -a 256 nsExec.dll

output

5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962  nsExec.dll

This matches the SHA from the metadefender link you posted.

Next steps for @likeahoss

You can ignore this.

Next steps for Multiplex-Labs

  1. Report this false positive to the security vendors.
  2. Consider adding a publisher signature to

@timothycarambat @Mintplex-Labs

If you'd like Anytrace (YC S25) to keep investigating your support tickets, reach out to taira@anytrace.ai to discuss how we can keep supporting your team!

@anytrace-ai-support-engineer-yc-s25 commented on GitHub (Jun 28, 2025): ### Summary of the issue This is a false positive. It is likely caused by a combination of a bad heuristic implemented by Webroot and a lack of a publisher signature; some heuristics implement a high risk score for DLLs that are unsigned and transient (dropped in a temp dir at runtime). ### Verified steps ``` mkdir -p ~/tmp/nsis_ref cd ~/tmp/nsis_ref # Download the official NSIS 3.0.4 ZIP that electron-builder fetches curl -LO https://repo.huaweicloud.com/electron-builder-binaries/nsis-3.0.4/nsis-3.0.4.zip # 7z e nsis-3.0.4.zip \ 'electron-userland-electron-builder-binaries-fac48dd/nsis/Plugins/x86-unicode/nsExec.dll' shasum -a 256 nsExec.dll ``` **output** ``` 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962 nsExec.dll ``` This matches the SHA from the [metadefender link you posted](https://metadefender.com/results/file/YnpJMU1EWXlPR2RHVms5T1ZWSm1VVFlSaFlZbWxWZlFu). ### Next steps for @likeahoss You can ignore this. ### Next steps for Multiplex-Labs 1. Report this false positive to the security vendors. 2. Consider adding a publisher signature to ### @timothycarambat @Mintplex-Labs If you'd like Anytrace (YC S25) to keep investigating your support tickets, reach out to taira@anytrace.ai to discuss how we can keep supporting your team!
Author
Owner

@timothycarambat commented on GitHub (Jun 29, 2025):

@likeahoss - see this doc

Its a big notice at the top - we know it is unsigned. Oddly enough that AI reply is mostly correct as to why

@timothycarambat commented on GitHub (Jun 29, 2025): @likeahoss - see [this doc](https://docs.anythingllm.com/installation-desktop/windows#install-using-the-installation-file) Its a big notice at the top - we know it is unsigned. Oddly enough that AI reply is mostly correct as to why
yindo changed title from [BUG]: Webroot SMD to [GH-ISSUE #4065] [BUG]: Webroot SMD 2026-06-05 14:47:26 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#2591