LibreOffice on Tria.ge?

Hi! I checked the hash of the latest LibreOffice (Windows version) on Tria.ge and I found that malicious/suspicious activity was reported here (ver. 25.8.2).

It’s also reported by TrendMicro Apex One Antivirus; you can find the attached logs, which report “Unauthorized File Encryption”.

Please can you make a check?

Thanks.
segnalazione_apex.pdf (205.1 KB)

LibreOffice can encrypt some of its own document types (odt, ods, odp, odg) and its own StarBasic libraries if you tell it to do so.

Hi Villeroy,

Thank you for your reply, but why was this activity on installation reported only for the latest versions (25.8.x), while the other branches are clean (25.2.6-25.2.7)?

Are there some differences?

Thanks.

A new feature may be responsible for this. I don’t know for sure.

ODF Wholesome Encryption
ReleaseNotes/24.8 - The Document Foundation Wiki

A check of what?
They did a “behavioral” check. It is not “we detected a virus”, it is “we decided that installer testing which drives exist on the system is malware”.

Yes, there are several items in the “report”. Anyway, without details provided by those who made the checks, there is nothing to discuss.

And it’s not about LibreOffice itself, it’s about the MSI - so unrelated to the new features.

Yes, but on the VirusTotal site and Tria.ge, MITRE signatures, Sigma rules and other suspicious activity are reported.

I repeat that in the other version (25.2.x) these threats did not manifest themselves. Why?

Thanks.

Sigh. Did you read it?

LibreOffice has always required system-level installation.
What is your point here?

Let me guess. Maybe they detect that LibreOffice is installing an updater? It is a service. And yes, it’s a new feature, but indeed, it is an installer-related feature. ReleaseNotes/25.8 - The Document Foundation Wiki may be relevant. If so, and they started to detect what changed there in 25.8, then it’s fun - because we already installed a system service in earlier versions, but made a change to improve security in 25.8, and now they worry :)