Ransomware behaviour detected (Bitdefender)

Nextcloud version (eg, 12.0.2): 15.0.4
Operating system and version (eg, Ubuntu 17.04): Debian 9
Apache or nginx version (eg, Apache 2.4.25): nginx-1.14.2
PHP version (eg, 7.1): 7.2.15

The issue you are facing:

Bitdefender states “ransomware behaviour detected” for nextcloud.exe and when I look at the files affected, they seem to be database files. So, I was wondering whether this was normal Nextcloud behaviour or if this is indeed caused by ransomware? Here are some screenshots:


Is this the first time you’ve seen this error? (Y/N): Y

Does anybody have any ideas?

Disclaimer: I’m not by any means an expert on ransomware protection, let alone Bitdefender’s implementation.
That said, most ransomware protection seems to work by checking any files that change to see if the new format ‘makes sense’ to the protection software. If the software can’t make sense of the new contents of files (if they’re database or compressed log files), and if several files are being written at once, this can look suspicious.

I’d recommend running an offline malware scan (Windows Defender has a pretty good option for this, if you don’t see the option in Bitdefender), just to be on the safe side. After that, though, I’d exempt Nextcloud from the ransomware protection check. Those file changes do seem like Nextcloud’s expected behavior.

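An added illustration of the heuristic the reply above describes (example code written for this page, not Bitdefender's implementation or anything from Nextcloud): each file write is scored by byte entropy, and a process that rewrites several opaque-looking files within a short window is flagged. The thresholds, the process names and the sample file content are constructed assumptions; the simulated scenario shows why a sync client flushing its database and compressed logs can trip such a check, and how an allow-list entry clears it.

```python
import math
import random
from collections import defaultdict

# Thresholds are assumptions for this illustration, not a real product's values.
ENTROPY_THRESHOLD = 7.0   # bits/byte; compressed or encrypted data sits near 8.0
BURST_FILES = 4           # distinct opaque files rewritten inside one window
WINDOW_SECONDS = 10.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Flags a process that rewrites many files with opaque content in a short burst."""

    def __init__(self, exempt=()):
        self.exempt = set(exempt)          # processes the user has allow-listed
        self.writes = defaultdict(list)    # process -> [(timestamp, path)]

    def observe(self, process: str, path: str, content: bytes, t: float) -> bool:
        """Record one file write; return True once the process looks like ransomware."""
        if process in self.exempt or shannon_entropy(content) < ENTROPY_THRESHOLD:
            return False   # readable content (text, source, CSV) never counts
        self.writes[process].append((t, path))
        recent = {p for ts, p in self.writes[process] if t - ts <= WINDOW_SECONDS}
        return len(recent) >= BURST_FILES


def simulate_sync_client(exempt=()):
    """Constructed scenario: a sync client flushes its database and rotated logs at once."""
    opaque = random.Random(7).randbytes(4096)   # stands in for database pages / gzip output
    text = b"2019-03-01 sync ok: Documents/notes.txt\n" * 100
    h = RansomwareHeuristic(exempt)
    verdicts = []
    for i, path in enumerate(["sync.db", "sync.db-wal", "log1.gz", "log2.gz", "log3.gz"]):
        verdicts.append(h.observe("nextcloud.exe", path, opaque, t=float(i)))
    verdicts.append(h.observe("editor.exe", "notes.txt", text, t=6.0))  # plain text: never flagged
    return verdicts
```

Without an exemption the fourth opaque write inside the window raises the alarm; with `nextcloud.exe` allow-listed, the same sequence produces no alert.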

Thanks for your feedback! Since then, nothing has really happened and it seems to have been a one-time thing. I checked with Windows Defender as well - same result!
I’ll update my answer if anything changes.