Kaspersky accusing Cursor of being a trojan

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

I already posted on GitHub and now I’m posting here again.

Update: After reinstalling, it still happens.

was using it normally when Cursor repeatedly closed, and Kaspersky flagged it as a trojan before deleting it… There was an update today, but I don’t remember if there was another one recently.

Event: Malicious object detected
Application: Cursor
User: XXXXXX
User type: Initiator
Component: System Watcher
Result description: Detected
Type: Trojan horse
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\xxxx\AppData\Local\Programs\cursor
Object name: Cursor.exe
Reason: Behavioral analysis
Database release date: Today, 09/29/2025 13:40:00
MD5: 1F0E626623BC4D7E8B68D9663B1AA39D

Steps to Reproduce

Kaspersky + Latest version

Screenshots / Screen Recordings

Operating System

Windows 10/11

Current Cursor Version (Menu → About Cursor → Copy)

Latest version from the website

Does this stop you from using Cursor

Yes - Cursor is unusable

hi @lucianoGG this is a not a trojan report but a very generic false positive that we have seen before though it is rare. Closing itself, trying to installing new version and similar steps are features apps do nowadays regularly. What is likely is that Cursor tried to update itself but antivirus prevented it by locking update installation files.

Could you please post the exact Cursor version you have as the website was updated and we released also an update in the meantime.

You may have to reach out to your antivirus provider to check and fix this false positive detection.

It didn’t happen during an update, since the same issue occurred earlier. I reinstalled it and the same thing happened again.

Version: 1.7.17 (user setup)
Commit: 1.99.3
Date: 34881053400013f38e2354f1479c88c9067039a0
Electron: 2025-09-29T03:10:26.099Z
ElectronBuildId: 34.5.8
Chromium: undefined
Node.js: 132.0.6834.210
V8: 20.19.1
OS: 13.2.152.41-electron.0

Thank you for the additional info. While it was not during update the case is still the same. Cursor has to execute terminal, 3rd party extensions, MCP servers and other features that may appear as suspicious. As there are many antivirus providers and this is a false positive overall, it is recommended that you reach out to your antivirus provider and let them check.

Hey, at the moment the solution is simply to add Cursor to your antivirus exceptions.