ConradS

Honorary Members
  • Posts: 22

Posts posted by ConradS

  1. Just as I predicted, Malwarebytes started to falsely detect our newly released version (with newly released EV Code Signing signature) as dangerous.

    host-7.2.1.0.exe
    RiskWare.RemoteAdmin 
    b0e60c543da4dbcbbf75aa18a2146dc9e6215a6708593f73121e88fac08ce4fa

    This is the installer file of the Remote Utilities Host module. The file can be downloaded from here:

    https://www.remoteutilities.com/download/host-7.2.1.0.exe

     

    Please, remove the detection. Thank you.

  2. Hello,

     

    Remote Utilities 7.2.10 has just been released. Because we know that modern antivirus software is totally ignorant of any EV Code signing certificates and that it immediately flags as malicious just about any new file it gets its hands on, I'm sending this message. Please have your virus analysts review the new version files, namely rutserv.exe and rfusclient.exe, and leave them alone. Consider that I'm writing this message pro-actively from the future.

    File hashes (you can find the detections on VirusTotal):

    02278e9785dedc7bc505913db635a0b085df1c03765d7d80b9490bf3cbc27b66

    7d89f8a4ecb91f9df1b5c73c36cad4433de274e6f4c0e1269483dc62331a4362

    Thank you very much.

  3. 15 hours ago, cli said:

    I searched the hash you provided on VirusTotal and it returned no results. Can you attach the file or VirusTotal link and detection logs if you have any? Thanks.

    Hello, 

    No, it's via the VirusTotal report that we found it out. I understand that the results shown by Malwarebytes in VT may differ from what is shown by the product version, at least at default settings. 

    Here is the VT report https://tinyurl.com/nhhwyjfu 

    Thanks. 

  4. Hello Malwarebytes,

    Our customer reports here that Remote Utilities Host main executable file rutserv.exe is being flagged as malicious by MalwareBytes. Could you please check this?

    File details

    Name: rutserv.exe

    Hash: ce5ba1e5d70d95d52b89a1b8278ff8dd4d1e25c38c90ca202b43bdc014795d78

    Signature: yes, EV Code Signing issued to Remote Utilities LLC by Digicert Inc.

     

    P.S. VirusTotal reports don't show anything but we are reporting this anyway. Perhaps the VT Malwarebytes engine shows different results than the one in the software.

    Thanks.

  5. Hello,

    Quote

    As far as signatures we don't like to broad whitelist remote utilities in case malware misuses them. We have seen it all too common in the past.

     

     

    So you never whitelist remote access software based on digital signature? What about TeamViewer?

     

    Quote

    For example there is one tech support scam group that uses a validly signed remote utility. It is registered to that group only and is digitally signed by the manufacturer of the software. If we blankly signed with digisig then the tech support scammers get a pass.

    Tech support scam has nothing to do with malware. It is social engineering.

  6. Sorry for bothering you again, but here is a log our customer sent to us right now (I removed some personally identifiable information from the log):

    Quote

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 3/12/21
    Scan Time: 8:52 AM
    Log File: 3b618bdc-833a-11eb-95e4-00ffc63d3be6.json

    -Software Information-
    Version: 4.3.0.98
    Components Version: 1.0.1173
    Update Package Version: 1.0.38047
    License: Premium

    -System Information-
    OS: Windows 10 (Build 19042.867)
    CPU: x64
    File System: NTFS
    User: ---------------

    -Scan Summary-
    Scan Type: Custom Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 1173
    Threats Detected: 1
    Threats Quarantined: 0
    Time Elapsed: 0 min, 25 sec

    -Scan Options-
    Memory: Disabled
    Startup: Disabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 1
    Malware.AI.4289743849, C:\USERS\ ---------------\APPDATA\ROAMING\REMOTE UTILITIES FILES\VIEWER_69110.MSI, No Action By User, 1000000, 0, 1.0.38047, 2A9448FAC39411FDFFB04BE9, dds, 01154148, 68DDFAD0B160D131CDE7021185253C2E, 1FF1DE4EB42CD6D0D7615A0D9F61E4DFDAF3B33FE48816D960CB3FDF176EC74C

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)

     

    One question to you, sorry if that sounds a bit sarcastic. Are Malware virus analysts aware of the existence of digital certificates? I mean, that would really help them a lot in their work if they were.

    For example, they could simply exclude the files digitally signed by Remote Utilities LLC (EV Code Signing issued by Digicert and Comodo) from the detection. That would save us all time and effort. What's the point of detecting the same version/file over and over again if it's signed and not altered?


  7. Additional information - this is a new version which was only released a few days ago. Quite expectedly there are a number of false positives.

    Any Remote Utilities files including this one are signed with either an EV Code Signing certificate (Digicert) or Code Signing certificate (Comodo) issued to Remote Utilities LLC.
