SOLVED: Trojan virus EZ Drummer 3

EZdrummer Help
Viewing 15 replies - 1 through 15 (of 19 total)
  • propianist
    Participant

    Yes!!!  I got exactly the same problem.

    Please look at my forum thread I posted about 30 minutes ago!

    Topic: EZD3 “standalone is not installed” | Toontrack

    It seems my installation failed (I tried re-downloading repeatedly and it still hasn’t worked yet) and left me with no standalone EZdrummer 3.exe program, because that file appeared to have a severe virus and Windows 10 was automatically blocking and quarantining that file, thus saving my computer from disaster but failing to install the program.

    I still haven’t found any solution to this?????

    The corrupt file in question was downloaded directly from Toontrack Product Manager.


    Operating system: Windows 10
    propianist
    Participant

    I re-posted my earlier message below here, to avoid splitting the topic / replies across 2 threads…

     

    So today I downloaded and installed and authorized everything for EZdrummer 3 content correctly, using Toontrack Product Manager, as instructed, but so far it’s only working as a VST3i plugin from within Reaper.

    Toontrack Product Manager > Show Details says “standalone is not installed” in red letters.  (SEE ATTACHED SCREENSHOT)

    If I click the brand new EZD3 shortcut icon on my Windows 10 desktop, to launch the standalone software, it tries to do something for a split second then gives me error messages saying it can’t find the file “EZdrummer Software Installer.msi”  (SEE ATTACHED SCREENSHOT) and then clicking OK gives further pop-up error messages about the path not being found, and an “Error 1706: No valid source could be found for product EZdrummer 3 Software” and so basically it crashes and won’t launch the program.

    I searched the file system manually and I couldn’t find that file “EZdrummer Software Installer.msi” anywhere either so it wasn’t lying about that.

    I have tried re-downloading / validating / re-installing EZD3 again from Toontrack Product Manager, which does appear to unzip a file called “EZdrummer Software Installer.msi” when it goes through its routine of installing, but every time it says finished installing successfully, we just end up back at the same place again, with no standalone having been installed.  Only the VST3i plugin works, but standalone does not.

    If I manually look inside the folder “C:/Program Files / Toontrack / EZdrummer 3” where the standalone .exe program should be located, it is not there, and I’ve just got the “EZdrummer 3 operation manual.pdf” only.

    I do already have EZdrummer 2 installed (latest v2.3.3 and all updates) and that is still working fine, along with my eleven purchased EZX expansions.

    I also looked through my Windows 10 Security history for earlier this afternoon and found this entry for “EZdrummer 3.exe” saying that it contained a trojan virus and so Windows has automatically blocked and quarantined it.  (SEE ATTACHED SCREENSHOT)

    Can anybody help or advise please?

    In the last 2 weeks since hearing about EZdrummer 3, I have invested 716 Euro / £624 GBP so far buying into Toontrack’s EZdrummer ecosystem, and I was expecting this thing to work and install easily without hassle.

    Richard

     


    EZdrummer version: 3.0.0
    Operating system: Windows 10
    Jeff Thurston
    Participant

    I installed upgrade without much problem. I noticed there were two (2) new files in the Product Manager. One was the install for the upgrade, and the other was the data content. I installed the upgrade first, then the content. Then rebooted and a new icon EZD3 was on the desktop. It opened the standalone ok. As far as the virus talk, I use Bitdefender, so I left it running during the download. It showed no notifications of malicious content in the downloads.


    EZdrummer version: 3.0.0
    Operating system: Windows 10
    propianist
    Participant

    Hi Doughead,

    I’m glad it worked for you.

    But myself and Joe Shane (posting above) have both witnessed the same issue today.

    Theory… I live in the UK.  And perhaps you live in USA, Australia or some other region of the world, etc.   I think it’s true that internet downloads can sometimes be directed to use different servers (for the sake of speed) which are more local to the geographical region / continent, so maybe your files were downloaded from a different server, versus the files we have downloaded from another server, elsewhere in the world, which seem to have a virus (according to Windows Defender.)

    Every time I re-download and re-install again, it does the exact same problem.  I don’t know how to fix that.


    EZdrummer version: 3.0.0
    Operating system: Windows 10
    Erik Phersson
    Moderator

    I can assure you that there are no viruses in our software. There seem to be lots of reports of “false positives” on that particular virus from Microsoft’s Defender for some reason. If you do a Google search on “wacatac.b!ml false positive” you can read about them.

    However, we will check what we can do to eliminate this issue as soon as possible.

    Erik Phersson - Toontrack
    Head Of Development

    1

    Thanked by: TREVOR TINBERG
    propianist
    Participant

    Thank you Erik very much for your reply.  Please keep us updated ASAP.

    I’m sure you can understand the concern though.

    If Windows 10 itself blocks a downloaded .exe file and quarantines it because of a severe virus threat, should I or anyone really feel 100% safe to “Restore” that file, manually override the Windows Defender security, ignore the warnings and just go ahead and run that .exe anyway?!  What if it does seriously mess up my computer with something nasty?!

    I’m sure everybody else would feel the same way in this situation – we’ve all got a lot of valuable / personal / important stuff on the go to risk anything bad happening.

    Doughead – for instance, if your own Bitdefender had detected a trojan virus in EZdrummer 3.exe, what would you choose to do then?  Ignore and install anyway, or let your protection software do its thing, quarantine the file, and get on the Toontrack forum looking for help and answers?

    Erik,

    You can talk about “false positives” and you’re right, there may indeed be many cases of that out there, but surely there are also many cases of real virus causing real problems too, and who’s to say which is real and which isn’t?  I’m certainly not taking any risks with my own main music computer which has several thousands worth of expensive software already installed.  Would you run the risk on your own personal PC at home if faced with this choice?

    Toontrack can’t expect people to just ignore a severe virus warning from Windows 10, and trust you that everything will be okay.  That’s not good enough.

    Perhaps Toontrack could re-upload another fresh copy of the 749MB file in question to the servers again later today ASAP for everyone’s benefit, so that affected users who haven’t got it working yet can re-download it again officially using Toontrack Product Manager, click the Install button, and watch the process complete 100% successfully and actually work without seeing any virus warning messages.  That’s the only answer.

    Seriously Toontrack must be able to deliver a final working software & installer that doesn’t (even accidentally) trip the Windows 10 Defender, or else something is going wrong.

    Richard


    EZdrummer version: 3.0.0
    Operating system: Windows 10
    Erik Phersson
    Moderator

    I totally understand your concerns and I certainly would never try to persuade you to do something that you are uncomfortable with.

    However, Windows Defender being overly cautious is something we as a developer have no real control over. We can only try on so many systems and computers before we release our software. If this false positive had happened during testing before release, which it didn’t, we would certainly have reported it to Microsoft so that they could have removed the alleged “threat” from the profiles in their databases.

    Uploading a new copy of the software would not solve the problem since it would be exactly that, a copy. It would still trigger the warning for the few unfortunate.

    As I wrote earlier, we will check into what we can do and try to resolve this issue as soon as we can.

    Erik Phersson - Toontrack
    Head Of Development

    propianist
    Participant

    Thanks again Erik for your further reply.  Thank you for trying to get this fixed ASAP.

    I think that I should not fall into a category of “few unfortunates” just by being a person who uses Windows 10 in the normal standard way it works.

    Am I alone?

    Surely 99.9% of other people also let Windows 10 run its normal default background security / virus protection settings, and have never tried or needed to change or circumvent them.  That’s just the normal state of affairs, and any software designed for Windows 10 should expect it and not fight against it.

    It shouldn’t require any special tricks or workarounds to install this software, should it?


    EZdrummer version: 3.0.0
    Operating system: Windows 10
    Erik Phersson
    Moderator

    I understand that this is frustrating for you and I apologize for that.

    There are very few users, to my knowledge, that have run into this issue. I do not, at the time, know why most people can install just fine and a few can not but we will investigate and try to get it sorted as soon as possible.

    Erik Phersson - Toontrack
    Head Of Development

    propianist
    Participant

    Thank you Erik.

    You wrote, “Uploading a new copy of the software would not solve the problem since it would be exactly that, a copy. It would still trigger the warning…” meaning that your software would still contain the same exact code as before, therefore might still look like a virus again to Windows Defender.

    But what I find impossible to understand is WHY your drum software should otherwise trigger the security block, if it is 100% clean and safe?  Can anyone please explain that?  Again and again Windows Defender thinks that download .exe contains a virus, so why does it keep on seeing that there?

    Whatever unique DNA fingerprint it is that Windows Defender is recognising, it must be a very specific, very precise code DNA fingerprint which matches that specific known trojan virus called “wacatac.b!ml” or whatever, which Windows can positively detect and identify and categorise as being that particular trojan virus, out of the millions of other possible trojan viruses it knows about.  It seems so ultra precise, so ultra complicated, so like an impossible-to-duplicate DNA fingerprint, that I literally cannot believe it’s a chance trillion-billion-to-one type coincidence or fluke that the EZdrummer 3.exe standalone application just happens to include such amazingly similar lines of code doing some other innocent function like playing a ride cymbal, which were so indistinguishable in form and function and appearance from a very specific known trojan virus code that it actually fooled the bang-up-to-date advanced anti-virus protection built into Windows 10, which could not tell the difference between the malicious virus it already knows about and your innocent code which plays drum audio and MIDI.

    That can’t be correct, can it? It can’t be a fluke accident that Defender needed to block this software installer. Surely if Windows can positively identify that actual specific virus code, then it must be there inside the downloaded files somewhere.

    If you are saying “I can assure you that there are no viruses in our software” – then please explain why would EZdrummer 3.exe content ever be confused with / identified as this trojan virus in the first place? How else could your software be triggering this Windows Defender security explicit warning so precisely? That’s what I can’t understand.

    I don’t pretend to understand trojan viruses or how they work at all – but common sense tells me there’s no smoke without fire, and something must be wrong somewhere for the security alert to keep being triggered.  It keeps finding something that is cause for concern, therefore the file isn’t safe to trust.

    I would like it really if you could re-upload the 749MB file online again  (perhaps from a different location) and re-name that new version 1.0.1 so everyone can see that’s a fresh copy, and the changelog can just say “minor updates for Windows 10 install” etc.  It’s one thing we can rule out, having a brand new file to download and try fresh.

    Thank you,

    Richard


    EZdrummer version: 3.0.0
    Operating system: Windows 10
    Neb
    Participant

     

    What I find impossible to understand is WHY your drum software should otherwise trigger the security block, if it is 100% clean and safe?  Can anyone please explain that?  Again and again Windows Defender thinks that download .exe contains a virus, so why does it keep on seeing that there?

    You’re right to be careful, but you also have to use a lot of common sense when interpreting what the anti-virus software is telling you.

    Anti-virus software looks for ‘exact match’ signatures in the files – like fingerprints. But these signatures are not 100% unique, and false positives can happen.

    Anti-virus software also looks ‘heuristically’, which is where it tries to parse the code and guess what the software does. Some AV are better at this than others, and produce fewer false positives. They usually provide ‘intensity’ or ‘strictness’ settings for this reason – you have to decide yourself whether you want to receive more, or fewer, false positives. Defender doesn’t have particularly good or accurate heuristics.

    It’s also possible that you already have a virus, trojan, malware, or rootkit on your machine, and it is injecting something into your download once it is on your machine. This is actually very possible, considering that EZD3 was downloaded many thousands of times yesterday, and there seems to be only a handful of people complaining about virus warnings. Injecting nasty things into innocent executables is the very definition of virus – it’s how they keep a machine infected.

    Compared to that, the possibility of someone infecting the files either in-house at Toontrack or on the file-server is very remote.

    My advice is to reinstall, and when defender gives the warning about ‘EZdrummer 3.exe’, allow it on your machine for now by taking it out of quarantine; it is only ‘dangerous’ if you run it. Then locate it on your hard drive, and upload it to virustotal.com. It will be scanned by dozens of anti-virus vendors, and you will get a good idea of whether it actually is infected or not. You will also see that several vendors (usually the cheaper, smaller, less well-known companies) give a few false positives.

    On the other hand, if most of the popular AV companies are reporting the same virus/trojan, then you are right to be worried. But as I said before, the most likely problem by a large margin, is that you are already infected by something.

    Good luck!


    EZdrummer version: 3.0.0
    Operating system: Windows 10

    Beginner-level Guitarist/Drummer/Mixer. EZD2|3 / EZKeys1|2 / EZMix3.
    Desktop - Ryzen 5 4650G @ 3.7GHz | 16Gb DDR4 | 1TB SSD | Win10 Pro.
    Reaper | Roland Rubix 4x4 interface | Arturia Minilab II controller.

    2

    Thanked by: propianist and lp958
    Jeff Thurston
    Participant

    Hi folks,

    It might be that Windows Defender is assumed to be the culprit but perhaps, like Neb points out, other demons are at work. As Propianist asked me, “what would I do if my Bitdefender gave me a warning?” I would probably check out the file it screens and quarantines further. I am assuming that, like Bitdefender, Windows Defender stores the file in quarantine and gives the warning. Thus one is warned not to run it.

    On the other hand, if you cannot even download it, then I would not think that Windows Defender is the culprit. I would instead aim towards the web browser in use and the “level of security” that it is set at.  If it is a high level of security, then it will aggressively search out problems.

    In this case, try switching from whatever web browser you ARE using to Chrome, Opera, Firefox or whatever. Then see what happens. Alternatively, lower the current level of security of the browser to ‘intermediate’ or whatever is medium, to reduce the aggressiveness of heuristics, just as Neb pointed out.

    Lastly, if I were having this issue I would download it, store it and then download another trial virus software and run it on the file.

    Hope these ideas help.


    EZdrummer version: 3.0.0
    Operating system: Windows 10
    propianist
    Participant

    Hi Neb,
    Thanks for your reply.
    Good suggestions, I agree with them all, except where you say it’s most likely that I already have this virus running rampant on my computer.
    I would disagree with that because my Windows security & virus protection settings are all working successfully every day and doing their job, protecting my system, and all threats are getting 100% blocked and removed. Hence that’s why I cannot install or run the standalone program for EZD3, because it’s flagged as a threat.

    Obviously if I had inadvertently allowed the May 3rd file of EZdrummer3.exe standalone program to run, with a suspected trojan virus warning, then I might have activated some malicious code, but I didn’t run it because Windows Defender already blocked it. So that virus (if there was one) shouldn’t have got into my system.

    I’ve got controlled folder access switched on, and all Windows security updates installed up-to-date, and everything is working fine and I’ve got no current threats reported. I’ve done regular quick scans and full scans too, and everything is good and working fine. I’ve kept any nasties away by being hyper-vigilant and not taking risks with anything.

    I haven’t experienced any virus or malware problems before, and I haven’t seen Windows Defender react like that with Severe warning to any of the other Toontrack installers that I’ve encountered over my previous installations of EZDrummer 2 and 11 other EZX expansions purchased recently.
    I’m sure Windows Defender may not be as amazing as some of the expensive commercial anti-virus packages on the market, but if Windows Defender tends towards being over-zealous, and blocks absolutely anything even slightly suspect, even giving false positives sometimes, that still seems like a sensible “better safe than sorry” method to me.
    As I say, I haven’t ever had any problems using it for several years, so I believe it must be working well.

    Hi Doughead,

    Thanks for your reply.
    You’re suggesting trying different web browsers like Chrome or Firefox, and talking as if I’ve downloaded something bad from some dodgy unknown website.
    But I didn’t download anything from the web.
    The file in question we’re talking about isn’t a web download, it is the main standalone program of EZ drummer 3 which was unpacked and installed automatically by the official Toontrack installer, from within the Toontrack Product Manager utility itself.
    Like everybody else, I tried to install on May 3rd but it didn’t work because Windows Defender deleted it automatically.
    The actual EZdrummer3.exe standalone program created inside the folder C:/Program Files/ Toontrack/EZdrummer3 is the file which Windows said was infected with a virus and blocked it from running.

    I still haven’t got this EZD3 program working standalone on my computer.  The Toontrack Product Manager says it is not installed.

    [Screenshot: standalone-not-installed-2]
    I’ve paid good money for it, same as everyone else, but Windows 10 won’t allow me to install or run it.

    Nothing else before or since has ever triggered this specific “wacatac.b!ml” trojan virus warning on my computer. The only time I’ve seen it is May 3rd, trying to install EZD3 standalone.

    [Screenshot: security-3]


    EZdrummer version: 3.0.0
    Operating system: Windows 10
    Neb
    Participant

    If the file was infected on the server you downloaded from, don’t you think there would be more users reporting this (as in, hundreds of reports)? Why are you seemingly alone in this problem? By the way, I use default Defender on a default Windows install too.

    Since you’re alone, you’re really going to have to temporarily allow the file as an exception in Defender (which is completely harmless as long as you don’t run it), which you can do right now without running the installer again because the file should have been quarantined, not deleted (unless you manually deleted it from quarantine).

    Then test it (and the installer executable too) with other anti-virus software. The easiest way is to open virustotal.com in your browser and drag the executables into it – you will see the results from about thirty AV vendors instantly. You can quarantine the file again straight afterwards to make you feel safe.

    Once you’ve got a consensus clearly indicating that it is infected, then you should download and install on another computer and do the same test. If it’s clean this time, then either your computer is infecting the file, or it’s a Defender false positive due to your security settings. However, if it’s also infected, then it may be the file on the server, and you should send the infected file to Toontrack, with links to your Virustotal results.

    Until you do this, I don’t understand what you expect anyone to do? Writing retorts in the forum about your disappointments is not going to get you anywhere. You need to be taking action and stop acting so helpless. Sorry to be blunt.

    Beginner-level Guitarist/Drummer/Mixer. EZD2|3 / EZKeys1|2 / EZMix3.
    Desktop - Ryzen 5 4650G @ 3.7GHz | 16Gb DDR4 | 1TB SSD | Win10 Pro.
    Reaper | Roland Rubix 4x4 interface | Arturia Minilab II controller.

    Olof Hermansson
    Moderator

    From https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus?view=o365-worldwide :

    1. Open Windows Security.
    2. Select Virus & threat protection and then click Protection history.
    3. In the list of all recent items, filter on Quarantined Items.
    4. Select an item you want to keep, and take an action, such as restore.

    Then, before you start it – so before it could do any harm if it really is infected by a virus – verify that it has the correct checksum (MD5 hash):

    1. Open Command Prompt. (You can find it by typing “cmd” in the Start menu.)
    2. Paste certutil -hashfile "C:\Program Files\Toontrack\EZdrummer 3\EZdrummer 3.exe" MD5 to the Command Prompt window and hit Enter.

    If it shows the following MD5 hash, the standalone file is correct and is safe to use:

    f14dfcde23c73fe59386dd62a3396095

    If it shows something else, please post a screenshot.

    Note for the future: the above MD5 is only for EZdrummer 3.0.0; it will be different for each version.

    Olof Hermansson - Toontrack
    Coder
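A scripted version of the hash check described in the post above, added here as an example and not Toontrack's own tooling. It assumes the default install path and the 3.0.0 MD5 quoted in the post, hashes the file in chunks so a large installer is not read into memory at once, compares case-insensitively (certutil prints lowercase, other tools uppercase), and distinguishes a file that is missing (still quarantined or never installed) from one whose hash does not match.

```python
"""Verify a restored executable against a vendor-published hash.

Added example, not Toontrack's own code. A matching MD5 only proves the bytes
on disk are the ones the vendor shipped (no corruption or tampering in
transit); it is not a malware scan, and MD5 collisions are practical for an
attacker, so a SHA-256 and a code-signing check are the stronger controls.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Vendor-published MD5 for the EZdrummer 3.0.0 standalone (from the post above).
EXPECTED_MD5_EZD3_300 = "f14dfcde23c73fe59386dd62a3396095"

# Assumption: the standard install location quoted in the post.
DEFAULT_EXE = Path(r"C:\Program Files\Toontrack\EZdrummer 3\EZdrummer 3.exe")


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Return the hex digest of a file, reading it in 1 MiB chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex, algorithm="md5"):
    """Return (ok, detail). ok is True only when the digest matches exactly."""
    p = Path(path)
    if not p.is_file():
        return False, f"file not found: {p} (still quarantined or not installed?)"
    actual = file_digest(p, algorithm)
    # Constant-time compare; normalise case because tools differ in output.
    ok = hmac.compare_digest(actual.lower(), expected_hex.strip().lower())
    return ok, f"{algorithm} = {actual} (expected {expected_hex.lower()})"


def self_check():
    """Run the verifier over a constructed sample file with a known MD5."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "sample.bin"
        sample.write_bytes(b"abc")  # MD5("abc") = 900150983cd24fb0d6963f7d28e17f72
        match, _ = verify_file(sample, "900150983CD24FB0D6963F7D28E17F72")
        mismatch, _ = verify_file(sample, EXPECTED_MD5_EZD3_300)
        missing, _ = verify_file(Path(d) / "absent.exe", EXPECTED_MD5_EZD3_300)
    return {"match": match, "mismatch": mismatch, "missing": missing}


if __name__ == "__main__":
    ok, detail = verify_file(DEFAULT_EXE, EXPECTED_MD5_EZD3_300)
    print("OK" if ok else "DO NOT RUN", "-", detail)
```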
