BrianHair Posted May 4, 2020 ID:1378718 Share Posted May 4, 2020 I develop installers for our company. We are an OEM and produce a physical device running Windows 7 embedded which some software we also produce gets installed to. This same software also gets installed onto our end users personal and company computers. I have logic in my installer to only take certain actions on the devices we produce and to not run these actions on end users personal devices. We have to update our devices with windows updates and other core OS components for newer versions of our application to function. Our Windows 7 embedded image was old when we first started producing it and was missing a KB from Microsoft that the 2015 and newer C runtimes require, KB2999226 or the Universal C Runtime. The attached executable runs only on the devices we build, an environment we control 100%, but is extracted everywhere the installer is run. It just installs KB2999226 via the windows built in DISM mechanism and exits. We have had a customer tell us that Malware bytes has flagged this executable as dangerous and we believe this is a false positive. Additionally, are there steps we can take to ensure our legitimate executable files aren't flagged like this going forward? We're signing them with a valid current certificate. ETC_Install_Universal_C_Runtime.7z Link to post Share on other sites More sharing options...
TwinHeadedEagle Posted May 4, 2020 ID:1378722 Share Posted May 4, 2020 Hello Brian, Do you have a detection name as I cannot reproduce? Link to post Share on other sites More sharing options...
TwinHeadedEagle Posted May 4, 2020 ID:1378723 Share Posted May 4, 2020 (edited) One more thing, does it get detected only when you try to run it and/or by right clicking on the executable and then selecting scan with MalwareBytes from the context menu? Edited May 4, 2020 by TwinHeadedEagle Link to post Share on other sites More sharing options...
BrianHair Posted May 4, 2020 Author ID:1378726 Share Posted May 4, 2020 I do not know as this was from a customer and we're getting things second hand. They wouldn't have manually scanned it or otherwise run the file on their own I wouldn't think as it's being extracted to the temp files area. Though I guess an enterprising individual might do such a thing. My guess is that the real time scanner picked it up. I will try installing malwarebytes and scanning it as you suggest to see what happens there though this will differ from our customers environment. Some background on how it's run from our installer. I use NSIS to launch a number of sub installers as a bundle. NSIS requires administrative privileges to run so it's running from an administrators context when NSIS launches it. I have NSIS include some of these into the temp area to run for install and then they are removed at the end of the run of the installer automatically. Here is an example of how I'm calling it from NSIS if that'd help you: nsExec::ExecToStack '"$pluginsdir\ETC_Install_Universal_C_Runtime.EXE"' I am not sure what you mean about a detection name, but this was a bit of malwarebytes log that the customer sent to us: Malwarebytes www.malwarebytes.com Log Details Scan Date: 4/25/20 Scan Time: 2:06 PM Log File: 895c08fe-86f5-11ea-aed5-f44d30143380.json Software Information Version: 4.1.0.56 Components Version: 1.0.875 Update Package Version: 1.0.22930 License: Premium System Information OS: Windows 10 (Build 18362.778) CPU: x64 File System: NTFS User: GARY-DESKTOP\gazza Scan Summary Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 417432 Threats Detected: 1 Threats Quarantined: 0 Time Elapsed: 3 min, 6 sec Scan Options Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect Scan Details Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Malware.Generic.2713449660, C:\USERS\GAZZA\APPDATA\LOCAL\TEMP\NSRE05A.TMP\ETC_INSTALL_UNIVERSAL_C_RUNTIME.EXE, No Action By User, 1000000, 0, 1.0.22930, 8694B3D511505F95A1BBF4BC, dds, 00691914 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) Link to post Share on other sites More sharing options...
TwinHeadedEagle Posted May 4, 2020 ID:1378729 Share Posted May 4, 2020 I can't reproduce this detection which means it was most likely fixed in the meanwhile as machine learning engine which made this False detection does it automatically. Link to post Share on other sites More sharing options...
BrianHair Posted May 4, 2020 Author ID:1378731 Share Posted May 4, 2020 I installed the Malwarebytes trial and scanned in a VM and it did not detect it as a threat either. Thank you for looking into this, I guess we'll just leave it be and post here again if it pops up again. Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now