A trojan security risk that appears to originate inside only office software

Report a bug / security issue
OS version: MacOS Sequoia 15.5 (24F74). Up to date with all patches.
App version: 8.3.3
Downloaded from: ONLYOFFICE website. Normal install process.

Additional information: been running Only Office for several months, very impressed with the product.

While editing a document this afternoon, I received a warning about a trojan security risk

“We moved changesO.json to Quarantine because it was infected with Script:SNH-gen [Trj].”

which seems to originate somewhere within the software.

I had no other programs open at the time of editing the document. Security software is up to date.

File path was: /users/myname/Library/Application Support/asc.onlyoffice.ONLYOFFICE/recovery/DE_N3MJ5H/changes/changes0.json

Can you (Only Office devs) check, just in case something nasty made its way into the code or there is a security threat that is targeting Only Office?

Hello @jcd

Are you using any anti-viruses on the device? It is not quite clear what put the file in quarantine and showed the warning. Can you elaborate?

In general, the file that you are mentioning contains changes you made to the file during editing. They are applied when saving the file. If you performed some custom actions or you have a scenario on how to reproduce the issue, please feel free to share.

By the way, does it happen with a particular file? If so, what is the origin of this file? It is possible that the file itself is infected with a virus.

Hi Constantine,

Yes, I have anti-virus software installed and latest security patches installed in both MacOS and the anti virus software. The anti virus software quarantined the file.

I was editing a text file. Specifically, I had a table (1 row / 2 columns), a small PNG file in the first column and some text in the second column. I copied and pasted the text from the second column below the table and then deleted the table (including the PNG file). It was as I copied and pasted the text that I received the antivirus warning.

The file was a new file created within OnlyOffice, with some of the text copied from a Word document created earlier this year. Perhaps the Word document was infected, but there was no antivirus warning on the Word document.

Very bizarre behaviour, I have not been able to reproduce the issue and a full virus scan has not detected any other viruses. Maybe some other users have had similar issues?

I logged the issue, just in case this is a security threat specifically targeting only office.

Thanks for following up. JD

Thank you for the information. I haven’t seen similar queries, so I must ask – what antivirus software is being used exactly?

Good afternoon,
Same issue as JCD has described. My macOS Sequoia is up to date, as is my AVG antivirus software, which found and quarantined the trojan. I took screenshots of the popup from AVG and could not attach them to this message, as I received a 403 error from your server. Here are the File Path and Process from the screenshot:

/Users/gschne1/Library/Application Support/asc.onlyoffice.ONLYOFFICE/recovery/DE_amCKoe/changes/changes0.json

/Applications/ONLYOFFICE.app/Contents/Frameworks/editors_helper (Renderer).app/Contents/MacOS/editors_helper (Renderer)

Any thoughts or advice? I do wish to continue to use ONLYOFFICE but cannot tolerate a potential security risk. Thank you!
GS

Hello @gschne

Thank you for the information. Can you please specify the version of Desktop Editors?


Also, @jcd, may I ask you to update the app to the actual version 9.0 and check the situation again?

Hi Constantine,

Apologies for delay in replying, was travelling for work.

I am using Norton Antivirus. I have upgraded to the latest version, have not seen the problem since upgrading. I will try to recreate the workflow that I was using when I first saw the issue, to see if it happens again.

Thank you for the details. It’d also be nice to know the version of your antivirus software. Looking forward to your feedback on the status after the update to 9.0.

Hi, the Norton version is 25.5, the latest at the time; it automatically updates. In my previous message, the upgrade I was referring to was the upgrade to Only Office v9.0. I am continuing to check the workflows I used on that day. So far, so good. No issues.


Thank you @jcd for an update.


@gschne, may I ask you to update the app to the actual version and check the situation again?

Report a bug / security issue
OS version: MacOS Sequoia 15.5
App version: 9.0.3

I have the same problem. I use Avast antivirus.

Thank you @JJonly
We are checking the situation.

Hi, is there any news on the situation? I have the same problem just now.

I also downloaded from the ONLYOFFICE website and have been using it for about 4 months.
App-Version: 9.1.0.167 (x64 exe)
System: Windows 11

File path was: C:\users\myname\AppData\Local\ONLYOFFICE\DesktopEditors\data\recover\DE_F4CF\changes\changes0.json

Avira flags the file as TR/SNH

Is there any information that this might be a false positive? Do you have any insights, or any more cases, as there is not much about it in open forums?

As cases like this really undercut the trust in the program, I would be quite glad if you have any reassurance on that matter.

Thanks in advance!

Hello @jausten

Please provide more information about your antivirus software – version and date of latest database update. If it is possible to update database in the antivirus, please do so and see if the same behavior occurs. In certain cases old schemas are applied to regular binary changes in .json format as trojan causing the fake detection of “trojan”.

We really appreciate your interest, but the investigation is still underway.

Hi @Constantine,

I’m using the Avira software.

It’s now version 1.1.111.2624. The last database update was on the same day the warning occurred.

I tried to restore the file by releasing it from quarantine, as I was curious about the contents, but Avira wasn’t able to, so I deleted it in the end.

I will monitor my computer in the coming days and hope, that it was nothing serious.

Please keep us updated if you can find any new information whatsoever.
Even an indicator that it’s a false positive lifts the spirit.

Hi, I am having the same issue, also using Avast Security, but on Mac OsX Sonoma 14.8.1

Avast Security Version 16.2.2g, updated today 11:39 CET

Hi, using community version 9.3.1 and an Intel Core i5 Mac.

Hey @annasch, :wave:

Thanks for reporting the issue and for the details.
We’ve also passed your case to the development team along with the other similar reports.

I periodically remind the devs to look into this false positive with Avast (and similar AVs).
Sometimes I can forget to follow up because there are many threads — so feel free to ping me with @Nikolas if I go quiet for a while. I’ll keep pushing on this.

Appreciate your patience!

Hey @jcd, @gschne, @JJonly, @jausten, @annasch and everyone else affected, :wave:

Thanks for all the reports — we’ve been actively monitoring this issue with changes0.json being flagged as a trojan (mainly by Avast, Avira, Norton, etc.).

What is changes0.json?

It’s a plain text JSON file that stores the history of changes made to your document (cursor positions, text operations, formatting commands, etc.). This folder is automatically created for every unsaved document and is used for:

  • Autosave / recovery in case of a crash
  • It is deleted after you successfully save the document

The format and location of these files have not changed in version 9.3.x.

Why do antivirus programs flag it?

The way ONLYOFFICE creates temporary folders and JSON files inside the user’s AppData (or Application Support on macOS) sometimes triggers heuristic rules in antivirus software. These files can look similar to script-like behavior to some AV engines, even though they contain only legitimate editor commands.

This is a false positive — the file does not contain any malicious code.

What you can do right now:

  1. Check the file yourself
    Restore changes0.json from quarantine and upload it to https://www.virustotal.com.
    60+ scanners show it as clean.

  2. Report false positive to your AV vendor *:

* Important: The file may contain your actual document data, so before submitting it, please create a new test document, make some harmless changes, and use that file for analysis (do not send files with confidential information).

  3. Add an exception (recommended if you want to stop the alerts):
    • Windows:
      C:\Users\YourName\AppData\Local\ONLYOFFICE\DesktopEditors\data\recover\
    • macOS:
      /Users/YourName/Library/Application Support/asc.onlyoffice.ONLYOFFICE/recovery/

We continue to work with antivirus vendors to reduce these false positives.
If you have any questions or the issue persists after adding the exception, feel free to reply here or ping me with @Nikolas.

Thanks again for your patience and reports — we really appreciate it! :+1:
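
An added example, not part of any post above and not ONLYOFFICE code: a short Python script that inventories the recovery folders named in this thread and records each `changes*.json` file's size, SHA-256 and whether it parses as JSON, which gives concrete details to quote in a false-positive report to an AV vendor. The function names are made up for this example, and the folder layout (`<recovery>/<session>/changes/changes0.json`) is taken from the paths quoted in the reports.

```python
import hashlib
import json
import sys
from pathlib import Path

# Recovery locations quoted in the thread, relative to the current user's home.
DEFAULT_ROOTS = [
    Path.home() / "AppData/Local/ONLYOFFICE/DesktopEditors/data/recover",
    Path.home() / "Library/Application Support/asc.onlyoffice.ONLYOFFICE/recovery",
]


def describe(path):
    """Return size, SHA-256 and a JSON-parse verdict for one changes file."""
    data = path.read_bytes()
    try:
        json.loads(data.decode("utf-8-sig"))
        parses = True
    except ValueError:  # covers both bad UTF-8 and invalid JSON
        parses = False
    return {
        "path": str(path),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "parses_as_json": parses,
    }


def inventory(root):
    """Describe every <root>/<session>/changes/changes*.json, sorted by path."""
    root = Path(root)
    if not root.is_dir():
        return []
    return [describe(p) for p in sorted(root.glob("*/changes/changes*.json"))]


if __name__ == "__main__":
    # Optional arguments: one or more recovery folders to scan instead of the defaults.
    for root in (sys.argv[1:] or DEFAULT_ROOTS):
        for record in inventory(root):
            print(json.dumps(record))
```

Run it against a fresh test document's recovery folder, as the post above advises, so the values you share do not describe confidential content.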