Posts posted by ConradS
-
Just as I predicted, Malwarebytes started to falsely detect our newly released version (with newly released EV Code Signing signature) as dangerous.
File: host-7.2.1.0.exe
Detection: RiskWare.RemoteAdmin
SHA-256: b0e60c543da4dbcbbf75aa18a2146dc9e6215a6708593f73121e88fac08ce4fa
This is the installer file of the Remote Utilities Host module. The file can be downloaded from here:
https://www.remoteutilities.com/download/host-7.2.1.0.exe
Please, remove the detection. Thank you.
-
Hello,
Remote Utilities 7.2.10 has just been released. Because we know that modern antivirus software is totally ignorant of any EV Code Signing certificates and that it immediately flags as malicious just about any new file it gets its hands on, I'm sending this message. Please have your virus analysts review the new version files, namely rutserv.exe and rfusclient.exe, and leave them alone. Consider that I'm writing this message pro-actively from the future.
File hashes (you can find the detections on VirusTotal):
02278e9785dedc7bc505913db635a0b085df1c03765d7d80b9490bf3cbc27b66
7d89f8a4ecb91f9df1b5c73c36cad4433de274e6f4c0e1269483dc62331a4362
Thank you very much.
-
15 hours ago, cli said:
I searched the hash you provided on VirusTotal and it returned no results. Can you attach the file or VirusTotal link and detection logs if you have any. Thanks.
Hello,
No, it's via the VirusTotal report that we found it out. I understand that the results shown by Malwarebytes in VT may differ from what is shown by the product version, at least at default settings.
Here is the VT report https://tinyurl.com/nhhwyjfu
Thanks.
-
Hello,
According to VT, Malwarebytes detects the file of Portable Viewer as malware.
File hash: e9f14336b28e34b74976a9d15b1b61d966b18f7e99186e98317a6ae5b1862f77
Please, remove the detection. Thanks.
-
Quote
File: 1
RiskWare.RemoteUtilities, C:\MALWARE TEST\RUTSERV\RUTSERV.EXE, No Action By User, 9433, 947675, 1.0.41517, , ame, , 6C6BA57BE4B7B2FB661A99FEA872F6B8, CE5BA1E5D70D95D52B89A1B8278FF8DD4D1E25C38C90CA202B43BDC014795D78
-
Forgot to share a link with the customer request. Here it is.
For your convenience I've also attached a zipped file in question. The archive password is 'infected'. Well, the file is not infected, of course. It's just a stupid tradition among antivirus software vendors to demand "zip file with the password 'infected'" :)
-
Hello Malwarebytes,
Our customer reports here that the Remote Utilities Host main executable file rutserv.exe is being flagged as malicious by Malwarebytes. Could you please check this?
File details
Name: rutserv.exe
Hash: ce5ba1e5d70d95d52b89a1b8278ff8dd4d1e25c38c90ca202b43bdc014795d78
Signature: yes, EV Code Signing issued to Remote Utilities LLC by Digicert Inc.
P.S. The VirusTotal report doesn't show anything, but we are reporting this anyway. Perhaps the VT Malwarebytes engine shows different results than the one in the software.
Thanks.
-
Hi Mieke,
That's good to know. Unfortunately, we cannot test each and every engine of the 60+ out there; that's why we use VirusTotal.
Thank you.
-
Hello,
A new version of Remote Utilities has been released. According to VirusTotal, Malwarebytes heuristics detect the following files as malware:
Please, remove the detection. Thanks.
-
Hello,
Quote: As far as signatures, we don't like to broadly whitelist remote utilities in case malware misuses them. We have seen it all too common in the past.
So you never whitelist remote access software based on digital signature? What about TeamViewer?
Quote: For example, there is one tech support scam group that uses a validly signed remote utility. It is registered to that group only and is digitally signed by the manufacturer of the software. If we blankly signed with digisig then the tech support scammers get a pass.
Tech support scam has nothing to do with malware. It is social engineering.
-
According to VirusTotal report Malwarebytes detects the Host file again.
-
Sorry for bothering you again, but here is a log our customer sent to us right now (I removed some personally identifiable information from the log):
Quote
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 3/12/21
Scan Time: 8:52 AM
Log File: 3b618bdc-833a-11eb-95e4-00ffc63d3be6.json
-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.38047
License: Premium
-System Information-
OS: Windows 10 (Build 19042.867)
CPU: x64
File System: NTFS
User: ---------------
-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 1173
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 0 min, 25 sec
-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
Malware.AI.4289743849, C:\USERS\ ---------------\APPDATA\ROAMING\REMOTE UTILITIES FILES\VIEWER_69110.MSI, No Action By User, 1000000, 0, 1.0.38047, 2A9448FAC39411FDFFB04BE9, dds, 01154148, 68DDFAD0B160D131CDE7021185253C2E, 1FF1DE4EB42CD6D0D7615A0D9F61E4DFDAF3B33FE48816D960CB3FDF176EC74C
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
One question to you, sorry if that sounds a bit sarcastic. Are Malwarebytes virus analysts aware of the existence of digital certificates? I mean, that would really help them a lot in their work if they were.
For example, they could simply exclude the files digitally signed by Remote Utilities LLC (EV Code Signing issued by Digicert and Comodo) from the detection. That would save us all time and effort. What's the point of detecting the same version/file over and over again if it's signed and not altered?
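The scan log quoted above ends each File detection with an MD5 and a SHA-256. As an added example (not code from Malwarebytes or Remote Utilities), the script below parses such detection lines and checks the SHA-256 against a constructed vendor release manifest, so a false-positive report is only raised for a hash that really matches an unmodified release build. The column positions for the middle fields are an assumption based on the two log lines quoted in this thread; only the detection name, path and the two trailing hashes are used.

```python
import re
from dataclasses import dataclass

# Assumed layout of a Malwarebytes "File:" detection line, from the two lines quoted
# in this thread: detection name, path, then nine trailing fields ending in MD5, SHA-256.
TRAILING_FIELDS = 9
HEX_MD5 = re.compile(r"^[0-9A-Fa-f]{32}$")
HEX_SHA256 = re.compile(r"^[0-9A-Fa-f]{64}$")

# Constructed manifest: SHA-256 of each signed release file. The rutserv.exe hash is the
# one posted in this thread; a real vendor would generate this from its build pipeline.
RELEASE_MANIFEST = {
    "ce5ba1e5d70d95d52b89a1b8278ff8dd4d1e25c38c90ca202b43bdc014795d78": "rutserv.exe (Host)",
}

# Constructed sample log built from the two detection lines quoted in this thread.
SAMPLE_LOG = r"""-Scan Details-
Process: 0
(No malicious items detected)
File: 2
RiskWare.RemoteUtilities, C:\MALWARE TEST\RUTSERV\RUTSERV.EXE, No Action By User, 9433, 947675, 1.0.41517, , ame, , 6C6BA57BE4B7B2FB661A99FEA872F6B8, CE5BA1E5D70D95D52B89A1B8278FF8DD4D1E25C38C90CA202B43BDC014795D78
Malware.AI.4289743849, C:\USERS\X\APPDATA\ROAMING\REMOTE UTILITIES FILES\VIEWER_69110.MSI, No Action By User, 1000000, 0, 1.0.38047, 2A9448FAC39411FDFFB04BE9, dds, 01154148, 68DDFAD0B160D131CDE7021185253C2E, 1FF1DE4EB42CD6D0D7615A0D9F61E4DFDAF3B33FE48816D960CB3FDF176EC74C
(end)"""

@dataclass
class Detection:
    name: str
    path: str
    md5: str
    sha256: str

def parse_detections(log_text):
    """Return the File detections found in a pasted Malwarebytes scan log."""
    found = []
    for line in log_text.splitlines():
        # Split from the right: the path may itself contain commas, the trailing fields never do.
        parts = [p.strip() for p in line.rsplit(",", TRAILING_FIELDS)]
        if len(parts) != TRAILING_FIELDS + 1:
            continue
        if not (HEX_MD5.match(parts[-2]) and HEX_SHA256.match(parts[-1])):
            continue
        name, _, path = parts[0].partition(",")
        found.append(Detection(name.strip(), path.strip(), parts[-2].lower(), parts[-1].lower()))
    return found

def triage(log_text):
    """Pair each detection with a verdict: known release build, or hash not in the manifest."""
    results = []
    for d in parse_detections(log_text):
        release = RELEASE_MANIFEST.get(d.sha256)
        verdict = f"matches signed release {release}" if release else "not in manifest: do not report as a false positive"
        results.append((d.name, d.path, verdict))
    return results
```

A hash absent from the manifest means the file on the customer's machine is not a known release build, so the detection should be investigated rather than disputed.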
-
Yes, indeed. ) Thanks!
-
Hi Mieke,
Here is the VirusTotal report: https://www.virustotal.com/gui/file/d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5/detection . It shows the detection.
However, the VirusTotal report on the Agent file (which I initially reported in this thread) no longer shows a detection.
Thanks.
-
Hello,
There is still the same detection on another similar file (Host), here is the VirusTotal report:
Thanks.
-
Thank you very much!
-
Additional information: this is a new version which was only released a few days ago. Quite expectedly, there are a number of false positives.
Any Remote Utilities files including this one are signed with either an EV Code Signing certificate (Digicert) or Code Signing certificate (Comodo) issued to Remote Utilities LLC.
-
-
Sorry, forgot to provide the file information:
SHA-256: 53da1a16c1cd90fa7dd43e4e6d4bfb8b36ce8eb1d8918dda7aef01e9befbd1ff
-
Hello,
According to VirusTotal.com, Remote Utilities Agent 7.0.0.1 is mistakenly detected as Malware.AI.4277518362.
Please, remove the detection.
Pro-active false positive report (in File Detections)
Noted, thanks.