PDFCreator installer caught by MS Defender


We're looking for a solution to convert a number of basic PDFs to PDF/A and PDFCreator seemed to be a good alternative as we would be able to allow users to do the conversion themselves with a minimum of fuss.

However, in testing a deploy MS Defender stops the installer with the following message:
2022-02-11 10:30 (Active) Serious

I saw the previous topic about a supposed Trojan in the installer. (Apparently I can't add links to posts, but it should be easy to find in these forums.)
But it still feels concerning when MS flags the installer.


We will look into it, and probably get in touch with our contacts from Microsoft.

The PUA (potentially unwanted application) message will be either related to optional PDF Architect Free installation or offer (also optional) from our advertisement partner (while using the PDFCreator Free setup).

Here is an article from our FAQ:

I will let you know once we know more.

Best regards

I could not replicate this message / installation problem using Windows 11, the latest MS Edge and latest MS Defender virus definitions.

Downloading and installing PDFCreator Free v. 4.4.1 without any bother.


I just had this exact thing happen with Defender for Endpoint installed 4.4.2 free version.


ESET Endpoint protection is also flagging the installation as PUP

Trend Micro Worry Free Business Security also detected spyware with the Latest PDFCreator 4.4.2 installer, note the server in the second screenshot is in a different time zone, you can see the installer is phoning home to various trackers, this was an in place upgrade and I didn't agree to any new terms explaining this would be happening. So far this is a huge no no and needs to be addressed immediately.

Hi @CompSuperAC,

Thank you for sharing your analysis. We get this feedback from time to time.

The categorization of the WebCompanion (developed by Lavasoft) seems a bit off in my opinion. It is loading an advert and not spyware. Funnily, the advert (you have missed thanks to Trend Micro Worry Free Business Security) is for a free antivirus software:

The attempts to contact other URLs look normal to me - comparing them to other websites / installers. Paddle is a payment provider. Twitter and Linkedin are well known. Then there are some marketing websites (APIs) for my colleagues interesting in statistics.

I'm sure, that everything you want to know about the 'terms and conditions' is explained in our License Agreement / Privacy Policy, which is right above the 'Update' button once you started our setup:

Screenshot 2022-07-04 at 09.38.26

If you have any further questions or remarks, please let me know.

Best regards

Thanks for the clarification Sascha, to clarify the Avast installer is packaged with the PDF Creator (perhaps this is a dumb question because I'm looking at the screenshot I provided and it does say Installer.exe, just double checking to see that's what I'm looking at and not another PDFCreator component)? Also thanks for pointing out the license agreement, a lot of installers these days are doing that (including Microsoft) so I honestly didn't notice it until you pointed it out. Would you be able to tell me which section in the agreement mentions the use of these APIs?

I also had this exact thing happen with Defender for Endpoint installed 4.4.2 free version.