We just upgraded to Openfire 5.0.4 using Java version 17.0.17 Eclipse Adoptium – OpenJDK Server VM. The OS is Windows Server Standard 2022. The file uninstall.exe in the installation directory of the server is reported as having been infected with the Gen:Variant.Fugrafa.346571 malware by the antivirus application we are using (Bitdefender). We also submitted the file to the VirusTotal website and got 8 hits identifying the same malware in the file. Has anyone else reported this?
Thanks for the additional reports and data points. We’ve started investigating this further internally.
So far, our findings suggest that this is likely a false positive related to the generated Windows uninstaller, but we are continuing to verify that carefully before drawing final conclusions.
A few observations from our investigation so far:
The detections appear to be limited to the generated uninstall.exe binary.
The 64-bit uninstaller currently appears clean in VirusTotal scans, while the 32-bit variant receives heuristic detections from a subset of vendors.
The reported hashes match files generated by our official build pipeline, which makes accidental local infection less likely.
The detection names are generic heuristic classifications (for example Gen:Variant.Fugrafa.* ) rather than identification of a known malware family.
We have not observed suspicious runtime behavior or indications that Openfire itself or its Java components are compromised.
We’ve also contacted the maintainer of install4j (the installer technology we use) to ask for their opinion and to learn if similar false positives have recently been reported elsewhere.
One thing worth noting is that VirusTotal results can fluctuate over time. An increase from 8 to 10 detections does not necessarily indicate that a file has “become more malicious”. It can also reflect heuristic engines synchronizing signatures or reputation data between vendors.
We absolutely take reports like this seriously and are continuing to investigate. If we find any evidence of an actual compromise, we will communicate that immediately. At this time, however, the evidence we have points much more strongly toward an antivirus false positive than toward a real malware infection.
Hello again!! Thank you very much for your time and effort! We will submit the file to Bitdefender for false positive verification and get back to you when they reply. A false positive is our feeling as well, but we have to make sure.
We’ve now heard back from the maintainer of install4j (the installer technology used to generate the Openfire Windows installer and uninstaller). Their assessment aligns with what we suspected internally: this is very likely a heuristic false positive rather than evidence of an actual malware infection.
According to their explanation, the generated uninstall.exe is a native Windows launcher that starts a bundled JVM and then executes the Java-based uninstaller. Unfortunately, that execution pattern can resemble techniques used by malware packers, which occasionally causes heuristic antivirus engines to flag the file.
Importantly:
install4j 12.0.2 (the version we used to generate the file) did not introduce known structural changes that would explain a genuine compromise;
the reported detections are generic heuristic classifications, not identification of a known malware family;
our investigation so far has not uncovered signs of malicious behavior or tampering in Openfire itself.
One important finding from this investigation is that our Windows installers are currently not Authenticode-signed. Signed executables carry verifiable publisher identity, which substantially reduces these kinds of heuristic detections. We are now evaluating what would be needed to add proper Windows code signing to future releases. However, for a largely self-funded, open source project, this may prove to be challenging.
We’ll continue monitoring the situation and will provide additional updates if new information emerges, but at this point the available evidence strongly supports this being an antivirus false positive rather than an actual malware infection.
Reporting the affected file to antivirus vendors (starting with Bitdefender) as a false positive for review will likely help reduce future false reports. Thank you for initiating that!
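The two checks the maintainers rely on above (hashes matching the official build pipeline, and whether the binary carries an Authenticode signature) can be reproduced locally. The following PowerShell script is an added example, not code from the Openfire project or from anyone in this thread. The install path is the installer's usual default and the expected hash is a placeholder to be replaced with the value published for the release; both are assumptions.

```powershell
# Added example (not from the Openfire project): verify a Windows uninstaller
# against a published SHA-256 and report its Authenticode signature status.
# Assumptions: the default install path below and the placeholder hash are
# not from the thread; substitute the hash published by the release pipeline.
param(
    [string]$Path = 'C:\Program Files\Openfire\uninstall.exe',           # assumed default location
    [string]$ExpectedSha256 = '<sha256 published by the release pipeline>' # placeholder
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path"
    exit 2
}

# 1. Hash the file. A match with the release pipeline's hash rules out local
#    tampering after download; it does not by itself prove the binary is benign.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($actual -eq $ExpectedSha256) {
    Write-Output "SHA-256 matches the published hash: $actual"
} else {
    Write-Warning "SHA-256 MISMATCH: got $actual, expected $ExpectedSha256"
}

# 2. Check Authenticode. 'NotSigned' is what the current (unsigned) Openfire
#    installers report. A signed release would show 'Valid' together with a
#    publisher you recognise; 'HashMismatch' means the file changed after signing.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
[pscustomobject]@{
    File    = $Path
    Status  = $sig.Status
    Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Message = $sig.StatusMessage
} | Format-List
```

Run it from an elevated PowerShell prompt on the affected server, passing `-Path` if Openfire is installed elsewhere. A hash match plus `NotSigned` is consistent with the maintainers' findings in this thread; a hash mismatch, or a `HashMismatch` signature status on a signed release, is the result that would justify escalating beyond a false-positive report.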
Bitdefender analyzed the file we submitted and replied that it was indeed a false positive. They have already updated their definitions database and now the file is not detected as malicious. Thank you very much for your time and effort in investigating this again!