Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[JimH]

Starting around the beginning of 2024, we've seen far more "false positive" problems with Windows Defender.  Here are some things you can do to help.

Download New Definitions from Microsoft
https://www.microsoft.com/en-us/wdsi/defenderupdates

(Windows Defender is also called Microsoft Defender)

Submit a file to Microsoft
https://www.microsoft.com/en-us/wdsi/filesubmission

Configure Windows Defender
https://yabb.jriver.com/interact/index.php/topic,114101.0.html

You can upload a file here to get a report from multiple antivirus programs
https://www.virustotal.com/gui/home/upload

[JimH]

Please report what you find.  Both problems and solutions.  Please include the full version of MC.  32.0.56, for example.

[comox]

I never use MC's update feature. I always manually download updates with Edge.

For many months, every time I click the download link I am warned that the MC exe "could harm my device" and I have to click the Keep button.

Then when I run the exe another warning pops up that "Windows protected your PC" and I have to click More Info, then Run Anyway.

I'm an old timer so don't care and trust JRiver but for potential new customers I suspect this harms sales.

P.S. I keep my system perfectly up to date.

[Awesome Donkey]

Edge is pretty bad not allowing MC downloads at the moment due to how integrated it is with Defender. The second popup is the SmartScreen feature (which is also integrated in Edge), usually it tends to pop up until a file has been out in the wild for a bit.

What baffles me a little bit is that MC's files have a digital signature using a certificate they bought (you can see this signature when right clicking on .exe and .dll files in MC's install directory). The really weird thing to me is how slowly Microsoft has been at trusting the certificate. It also baffles me a little that it seems to flag specific files as false positives, I believe it was JRWeb.exe or JRWorker.exe when I last encountered this. My first thought was maybe it's some sort of EXE packer/compression used on the executables themselves or the installer (UPX is a known example of a EXE packer) but now I'm not so sure.

My other thought is, is it the installer or is it the file(s) (like JRWeb.exe and JRWorker.exe, etc.) themselves triggering the false positive? If it's the files, maybe it's something about the name doing it?

[comox]

Edge is pretty bad not allowing MC downloads at the moment due to how integrated it is with Defender. The second popup is the SmartScreen feature (which is also integrated in Edge), usually it tends to pop up until a file has been out in the wild for a bit.

What baffles me a little bit is that MC's files have a digital signature using a certificate they bought (you can see this signature when right clicking on .exe and .dll files in MC's install directory). The really weird thing to me is how slowly Microsoft has been at trusting the certificate. It also baffles me a little that it seems to flag specific files as false positives, I believe it was JRWeb.exe or JRWorker.exe when I last encountered this. My first thought was maybe it's some sort of EXE packer/compression used on the executables themselves or the installer (UPX is a known example of a EXE packer) but now I'm not so sure.

I install a lot of software updates on a regular basis and only see this problem with JRiver so it's something unique to JRiver.

[Awesome Donkey]

I do have a theory potentially. Looking back at my forum posts from when it first started happening, it seems to be the JRWeb.exe file triggering it. Maybe they're simply flagging it on the name instead of some heuristics? Does JRWeb sound like some sort of trojan or something?

It still baffles me that a file digitally signed with a valid certificate could be constantly flagged as malware, even after it's been reported as a false positive multiple times.

[JimH]

Yes.

[zybex]

For many months, every time I click the download link I am warned that the MC exe "could harm my device" and I have to click the Keep button.
Then when I run the exe another warning pops up that "Windows protected your PC" and I have to click More Info, then Run Anyway.

This is how their system tracks app reputation. After many people click the "run anyway", the file become trusted. Sometimes.

[Manfred]

This is how their system tracks app reputation. After many people click the "run anyway", the file become trusted. Sometimes.

I had the same problem some time ago.  After clicking the "run anyway" it has never appeared again.

[EnglishTiger]

Along with MC32.exe AVG Internet Security also gets suspicious of JRService.exe, JRWeb.exe and JRWorker.exe. To get around AVG's dislike of MC32.exe I suspend it for 10 minutes while I install a new version of MC32 and start it running. Although it also gets suspicious of the 3 JRxxxx.exe files AVG's inbuilt analysis routines cut in when 1 of them is activated and in less than 30 secs declares them safe; it also submits the relevant.exe and it's findings to AVG Labs. The same happens for both MC32.exe and the 3 JRxxxx.exe files the next 2 times I open MC32 as either client or server. One thing I have noticed though is for the last 5 updates AVG has not been suspicious of JRService.exe.

I'm guessing that AVG Internet Security on the Mac works in a very different way because it has never found anything wrong when downloading, installing or running MC32 on the Mac Mini.

[comox]

Along with MC32.exe AVG Internet Security also gets suspicious of JRService.exe, JRWeb.exe and JRWorker.exe.

I remember being very suspicious of those too when I started to use JRiver. I've never seen a description of what they do.

[Hendrik]

I remember being very suspicious of those too when I started to use JRiver. I've never seen a description of what they do.

JRWeb is used to host the web browser for any views that show a website. Web Browsers should generally be sandboxed into their own process for security and stability - and thats what JRWeb does.
JRWorker primarily performs video import and thumbnailing, so it doesn't bog down MC itself. It has some other tasks like dealing with some handheld devices as well, but thats much more niche.
JRService is a light-weight system service that handles some remote control functions that require a system-wide component to intercept. From all those here, its probably the most niche.

[comox]

Thank you Hendrik.

[JimH]

JRWeb is used to host the web browser for any views that show a website. Web Browsers should generally be sandboxed into their own process for security and stability - and thats what JRWeb does.
JRWorker primarily performs video import and thumbnailing, so it doesn't bog down MC itself. It has some other tasks like dealing with some handheld devices as well, but thats much more niche.
JRService is a light-weight system service that handles some remote control functions that require a system-wide component to intercept. From all those here, its probably the most niche.

Added a link to your post on the wiki here:
https://wiki.jriver.com/index.php/JRWeb

[mpffffhhhh]

interesting, i never had any problems with jriver updates.
w10, always up to date