
Trojan:097m/dplink.a. severe looks to be a FP



I just noticed this detection on my Windows 10 desktop. Running the PowerShell command, I see that in my case it seems to be related to my CrashPlan backup service (I did open a ticket with them as well):

> Get-MpThreatDetection

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.1806.18062
CleaningActionID               : 2
CurrentThreatExecutionStatusID : 1
DetectionID                    : {F78F14C3-9BBD-41DA-8D11-24F4240D0A26}
DetectionSourceTypeID          : 3
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 7/4/2018 8:35:05 PM
LastThreatStatusChangeTime     : 7/4/2018 8:35:49 PM
ProcessName                    : C:\Program Files\CrashPlan\CrashPlanService.exe
RemediationTime                : 7/4/2018 8:35:49 PM
Resources                      : {file:_C:\Users\$$$$user$$$\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US\ControlPanel.settingcontent-ms}
ThreatID                       : 2147727924
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 3
PSComputerName                 :

I restored the "virus" file and it looks like what I think it is supposed to look like. It is a plain-text XML file; you can open it in Notepad:

<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>

If it was bad, the text between the <DeepLink> tags would be invoking PowerShell or some malware, but this matches the file I found here, which is supposed to be a copy of the clean, Microsoft-provided one:

http://bheltborg.dk/Windows/ImmersiveControlPanel/Settings/ControlPanel.settingcontent-ms

Here is an article about the potential vulnerability:

https://www.bleepingcomputer.com/news/security/windows-settings-shortcuts-can-be-abused-for-code-execution-on-windows-10/

I think this is a false positive, apparently active around 7/4 - 7/5/2018. I ran Defender against the restored file and it doesn't detect anything now. Virustotal gives it an all-clear as well.
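A triage check for this kind of detection, as an added example that is not part of the original post: it parses a .SettingContent-ms document and reports what the DeepLink element would launch, treating script hosts such as powershell.exe as malicious, extra command-line arguments as suspicious, and a bare executable path (as in the clean control-panel shortcut above) as benign. The two sample documents are constructed for the example; the "abused" one is hypothetical.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/Search/2013/SettingContent}"

# Script hosts and LOLBins that a genuine Windows settings shortcut never launches.
SUSPICIOUS_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

def split_command(link):
    """Return (executable_name, argument_string) for a DeepLink value."""
    link = link.strip()
    if link.startswith('"'):                      # quoted path, may contain spaces
        end = link.find('"', 1)
        exe, args = link[1:end], link[end + 1:]
    else:                                         # unquoted: first token is the exe
        exe, _, args = link.partition(" ")
    return ntpath.basename(exe).lower(), args.strip()

def triage_settingcontent(xml_text):
    """Classify a .SettingContent-ms document as benign / suspicious / malicious."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    node = ET.fromstring(data).find(f".//{NS}DeepLink")
    if node is None or not (node.text or "").strip():
        return "suspicious", "no DeepLink element"
    exe, args = split_command(node.text)
    if exe in SUSPICIOUS_HOSTS:
        return "malicious", f"DeepLink launches {exe} {args}".strip()
    if args:
        return "suspicious", f"DeepLink passes arguments to {exe}: {args}"
    return "benign", f"DeepLink is {exe} with no arguments"

# Constructed samples: the clean control-panel shortcut from the post, and a
# hypothetical abused copy whose DeepLink runs PowerShell instead of control.exe.
CLEAN = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\control.exe</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""
ABUSED = CLEAN.replace("%windir%\\system32\\control.exe</DeepLink>",
                       "powershell.exe -NoProfile -Command placeholder</DeepLink>")

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("abused", ABUSED)):
        print(name, *triage_settingcontent(doc))
```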
