I usually just quickly run executables through a VirusTotal scan, but this time I also gave Hybrid Analysis a go, and it turns out that the latest download version, 2.1.3 for Windows, comes up as malicious.
Yes, that’s a false positive. For the installer we use software called NSIS, which is widely used. And looking at that strange report, most of this seems to be based on what the installer does.
We have changed a few things in the installer; maybe this just raised the threshold since more of the heuristics now find something. E.g. we fixed detection of a running Picard instance (might trigger “Application Window Discovery”), enabled uninstall of older versions (might trigger things like “Query Registry”, “File Deletion” and “File and Directory Discovery”), and we check whether the install folder is “Program Files (x86)” (again “File and Directory Discovery”).
IMHO marking this as malware based on the reported characteristics is mostly nonsense, because if an installer needs to do its job it needs to do all these things. I just wonder how they get the idea of “Email Collection”?
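To show why an ordinary NSIS installer lights up those sandbox heuristics, here is an added, constructed script (not Picard’s own installer; the product name, window title, registry key and file names are placeholders) that performs the three benign actions named above, each annotated with the behaviour tag a sandbox report typically assigns to it:

```nsis
; Constructed example for illustration, not the Picard installer script.
!include "LogicLib.nsh"

!define APP_NAME "ExampleApp"        ; placeholder product name
!define UNINST_KEY "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APP_NAME}"

Name "${APP_NAME}"
OutFile "${APP_NAME}-setup.exe"
InstallDir "$PROGRAMFILES\${APP_NAME}"

Section "Install"
  ; 1. Refuse to install while the application is running.
  ;    A sandbox sees the FindWindow call and reports "Application Window Discovery".
  FindWindow $0 "" "${APP_NAME}"     ; window title is an assumption
  ${If} $0 != 0
    MessageBox MB_OK|MB_ICONSTOP "Please close ${APP_NAME} before installing."
    Abort
  ${EndIf}

  ; 2. Remove an older version first by running its registered uninstaller.
  ;    Reading HKLM\...\Uninstall shows up as "Query Registry"; the uninstaller
  ;    deleting the old files shows up as "File Deletion".
  ReadRegStr $1 HKLM "${UNINST_KEY}" "UninstallString"
  ${If} $1 != ""
    ; _?= keeps the uninstaller in place so ExecWait really waits for it
    ExecWait '"$1" /S _?=$INSTDIR'
  ${EndIf}

  ; 3. Check whether the target is the 32-bit Program Files directory.
  ;    Comparing paths against $PROGRAMFILES32 is "File and Directory Discovery".
  ${If} $INSTDIR == "$PROGRAMFILES32\${APP_NAME}"
    DetailPrint "Installing into Program Files (x86)"
  ${EndIf}

  ; Ordinary install payload and uninstall bookkeeping.
  SetOutPath "$INSTDIR"
  File "placeholder.exe"             ; placeholder payload file
  WriteUninstaller "$INSTDIR\uninstall.exe"
  WriteRegStr HKLM "${UNINST_KEY}" "UninstallString" '"$INSTDIR\uninstall.exe"'
SectionEnd

Section "Uninstall"
  Delete "$INSTDIR\placeholder.exe"
  Delete "$INSTDIR\uninstall.exe"
  RMDir "$INSTDIR"
  DeleteRegKey HKLM "${UNINST_KEY}"
SectionEnd
```

None of these steps distinguishes the script from a benign installer, which is why a verdict built only on such behaviour tags needs corroboration (e.g. signer identity, download origin, dropped-file reputation) before it is treated as a detection.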