Winstep Forums

Board index : Winstep Forums : General Discussion  [ 9 posts ]

 Post subject: Ransomware False Positive on Winstep Nexus Icon Files
PostPosted: Wed Apr 15, 2026 6:20 pm 

Joined: Thu Feb 15, 2018 5:26 pm
Posts: 5
Hi everyone,

Last week I installed the latest update to Winstep Nexus directly from the Winstep website. Shortly after installation, my antivirus flagged several PNG files in the Winstep folders as triggering a "ransomware" behavior alert.
The specific files were:

C:\Users\Public\Documents\Winstep\Icons\Samples\Network.png
C:\Users\Public\Documents\Winstep\Icons\Samples\Clock_11.png
C:\Users\Public\Documents\Winstep\NeXuS\Indicators\Leopard.png
C:\Users\Public\Documents\Winstep\Weather\Icons1\4.png
C:\Users\Public\Documents\Winstep\Icons\Samples\Clock.png

Today a new update was released, so I downloaded and installed it hoping the issue would be resolved. Unfortunately, the same ransomware alerts triggered again on the same files.

Has anyone else experienced this with the last two Nexus updates? I'm assuming it's a false positive since these are just icon/sample files, but the repeated alerts are concerning.

Any info or similar reports would be appreciated. Thanks!

 Post subject: Re: Ransomware False Positive on Winstep Nexus Icon Files
PostPosted: Wed Apr 15, 2026 6:49 pm 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 13037
Thanks for letting me know about the antivirus warning. I want to reassure you that the PNG files you’re seeing are completely safe and are part of the normal operation of the Winstep application. This is just *yet another* AV being lazy and throwing the baby out with the bathwater.

A bit of background may help explain why this is happening.

When Windows Vista was released, Microsoft introduced two new shared‑data locations: ProgramData and Public Documents. At the time, ProgramData was poorly documented, inconsistently implemented by Microsoft’s own tools, hidden by default and caused permission issues for many applications. Public Documents, on the other hand, was clearly intended for shared, non‑executable resources and was fully accessible to all user accounts without complications.

For that reason, Winstep chose Public Documents as the safest and most reliable place to store shared assets such as themes, icons, and PNG image files. These are simply visual resources — they cannot run code, install anything, or harm your system.

But then in 2017 the global ransomware outbreaks started to happen and many antivirus products became extremely aggressive with their detection heuristics. Some of them began flagging any application that wrote multiple files into Public Documents as “ransomware‑like behavior,” even when the files were harmless images. This resulted in a wave of false positives across many legitimate applications, including Winstep.

What you’re seeing now is the same kind of false alarm.
Your antivirus is misinterpreting normal file activity as something suspicious.

PNG files are just images — they cannot execute or encrypt anything.
You can safely allow or whitelist these files (but if you want to be totally sure, upload them to VirusTotal.com).

If you have any questions or want help adjusting your antivirus settings, feel free to ask.

P.S. This is the reason why NEW installations of Winstep applications are now storing user data under ProgramData rather than under PublicDocuments. I got sick and tired of these types of issues.

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
https://www.winstep.net - Winstep Software Technologies
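A local check a defender can run on the flagged files before whitelisting them, added here as an example that is not part of this thread or of Winstep's software: it walks the PNG chunk structure, verifies every chunk CRC, reports any bytes appended after the IEND chunk, and returns the SHA-256 so the file can be looked up on VirusTotal by hash instead of being uploaded. The 1x1 sample image is constructed inline as a stand-in for an icon file.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; report structure, CRC and trailing-data findings."""
    findings = {"sha256": hashlib.sha256(data).hexdigest(), "valid": False,
                "chunks": [], "bad_crc": [], "trailing_bytes": 0, "reason": ""}
    if not data.startswith(PNG_SIG):
        findings["reason"] = "missing PNG signature"
        return findings
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 12 + length  # 4-byte length + 4-byte type + body + 4-byte CRC
        if end > len(data):
            findings["reason"] = f"truncated {name} chunk"
            return findings
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:  # CRC covers type + body, not length
            findings["bad_crc"].append(name)
        findings["chunks"].append(name)
        pos = end
        if ctype == b"IEND":
            break  # anything after IEND is not image data
    findings["trailing_bytes"] = len(data) - pos
    chunks = findings["chunks"]
    findings["valid"] = (chunks[:1] == ["IHDR"] and "IEND" in chunks
                         and not findings["bad_crc"]
                         and findings["trailing_bytes"] == 0)
    return findings


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


# Constructed sample: a 1x1 RGBA image (IHDR, one IDAT, IEND), not a real Winstep icon.
SAMPLE_PNG = (PNG_SIG
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00\xff"))
              + _chunk(b"IEND", b""))
```

Read each flagged file with open(path, "rb").read() and pass the bytes to inspect_png; a non-empty bad_crc or a non-zero trailing_bytes is what deserves a second look, while a clean result plus a hash lookup supports treating the alert as a false positive.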

 Post subject: Re: Ransomware False Positive on Winstep Nexus Icon Files
PostPosted: Wed Apr 15, 2026 7:44 pm 

Joined: Thu Feb 15, 2018 5:26 pm
Posts: 5
Thanks for the quick reply, I wasn't worried about the files, knowing that they came from a reputable source.

Regarding your comment "NEW installations of Winstep applications are now storing user data under ProgramData rather than under PublicDocuments": would uninstalling Nexus and installing it fresh correct this without the need to whitelist the files in my AV?

 
 Post subject: Re: Ransomware False Positive on Winstep Nexus Icon Files
PostPosted: Wed Apr 15, 2026 8:04 pm 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 13037
Possibly, but only if the installer does not see a Public Documents\Winstep folder, otherwise it will assume this is a re-installation and go for Public Documents again...

Also, you would have to move to C:\ProgramData\Winstep\ all the data in \Public Documents\Winstep that you downloaded and changed in the meantime.

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
https://www.winstep.net - Winstep Software Technologies

 Post subject: Re: Ransomware False Positive on Winstep Nexus Icon Files
PostPosted: Thu Apr 16, 2026 2:36 am 
Global Moderator

Joined: Sat Apr 07, 2018 7:19 pm
Posts: 3235
Location: Here, there, and everywhere
It's almost amusing how almost regularly these issues with AV apps and false positives come up. In all the years I've been running ESET I've never seen a false positive, nor for that matter even a pukka one. Still the best there is.

_________________
nexter - so, what's next?


Just because you're paranoid doesn't mean they're not really out to get you!

 Post subject: Re: Ransomware False Positive on Winstep Nexus Icon Files
PostPosted: Thu Apr 16, 2026 3:02 am 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 13037
I’m also a long‑time ESET user as you know and normally trust it completely - but yesterday it actually came back to bite me for the first time in years, and in a pretty nasty way.

I’m preparing the Winstep Update Manager for a large rollout in China, so I’ve been moving files to a CDN and testing everything. One particular file - a ZIP containing the Update Manager setup - kept downloading incomplete when served from the CDN.

The weird part was that if I added something like ?v=0 to the filename, the problem disappeared. That strongly suggested a poisoned cache or CDN edge issue. So I spent hours with their support trying to diagnose it. They couldn’t reproduce it on their side, and nothing made sense.

I tried everything:
- Switching to a mobile network
- Bypassing my router
- Disabling the firewall

Same result: the file downloaded partially and the connection was reset halfway through. No warnings, no alerts, nothing.

It never occurred to me that ESET might be the culprit because:
- The file was identical whether or not it had ?v=0
- ESET didn't flag anything
- The same file downloaded fine from the Winstep server

The breakthrough came only when I RDPed into the server in Tampa and downloaded the file from there - and it worked perfectly. That’s when it finally clicked: this wasn’t a CDN issue at all, it was local. But even then I thought it could be something with different CDN distribution servers for Tampa and here.

Turns out ESET's heuristics were silently blocking the download mid-transfer because the file was coming from a CDN - and I only figured that out when, on a hunch, I decided to temporarily disable the AV protection. No popup, no warning (although later I found a ton of log-related entries) - just a connection reset. Add a query string or download from a different domain, and suddenly it's fine.

So the problem wasn’t the CDN.
It wasn’t the file.
It wasn’t the network.
It was ESET quietly deciding the file was “suspicious” and killing the connection halfway through.

Sigh.

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
https://www.winstep.net - Winstep Software Technologies

 Post subject: Re: Ransomware False Positive on Winstep Nexus Icon Files
PostPosted: Thu Apr 16, 2026 3:27 am 
Global Moderator

Joined: Sat Apr 07, 2018 7:19 pm
Posts: 3235
Location: Here, there, and everywhere
Well I'm buggered! What a surprise, a shock even. :| Let's just hope the users in China don't run into those sort of probs with their AV.

_________________
nexter - so, what's next?


Just because you're paranoid doesn't mean they're not really out to get you!

 Post subject: Re: Ransomware False Positive on Winstep Nexus Icon Files
PostPosted: Wed Apr 22, 2026 2:13 pm 

Joined: Thu Feb 15, 2018 5:26 pm
Posts: 5
Posting to close the loop on this.

I used the option in preferences to create a backup of my settings, then uninstalled Nexus and removed the Winstep folder from the Public Documents folder. I then reinstalled Nexus, edited the .wbk file to change all occurrences of C:\Users\Public\Documents\WinStep to C:\ProgramData\Winstep, and restored the settings from the .wbk file. This resolved the false positives on the PNG files.

Thanks again for your help!

 Post subject: Re: Ransomware False Positive on Winstep Nexus Icon Files
PostPosted: Wed Apr 22, 2026 2:26 pm 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 13037
Well done, and thanks for letting me know! :D

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
https://www.winstep.net - Winstep Software Technologies
