BrianHair

ETC_INSTALL_UNIVERSAL_C_RUNTIME.EXE


I develop installers for our company. We are an OEM and produce a physical device running Windows 7 Embedded, to which some software we also produce gets installed. This same software also gets installed onto our end users' personal and company computers.

I have logic in my installer to only take certain actions on the devices we produce and to not run these actions on end users' personal devices. We have to update our devices with Windows updates and other core OS components for newer versions of our application to function. Our Windows 7 Embedded image was old when we first started producing it and was missing a KB from Microsoft that the 2015 and newer C runtimes require, KB2999226, or the Universal C Runtime.

The attached executable runs only on the devices we build, an environment we control 100%, but is extracted everywhere the installer is run. It just installs KB2999226 via the Windows built-in DISM mechanism and exits. We have had a customer tell us that Malwarebytes has flagged this executable as dangerous, and we believe this is a false positive.

Additionally, are there steps we can take to ensure our legitimate executable files aren't flagged like this going forward? We're signing them with a valid current certificate.

ETC_Install_Universal_C_Runtime.7z

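The first post describes the helper's job (check for, then install KB2999226 with DISM, and hand an exit code back to the NSIS bundle). The script below is an added example written for this thread; it is not the poster's ETC_Install_Universal_C_Runtime.EXE or any code from the thread. It assumes the MSU file name shown for the package, that it runs elevated (the NSIS bundle already is), and that it is launched from the installer the way the poster describes. Because the MSU has to be unpacked before DISM can add the .cab on an online Windows 7 image, it uses expand.exe first.

```powershell
# Added example, not the original poster's installer code.
# Installs KB2999226 (Universal C Runtime) on an online Windows 7 SP1 image
# using DISM, and exits with a code an NSIS nsExec::ExecToStack caller can read.
# Assumptions: the MSU file name below, and that the script runs elevated.
param(
    [string]$MsuPath = (Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'Windows6.1-KB2999226-x64.msu'),
    [string]$LogPath = (Join-Path $env:TEMP 'KB2999226-dism.log')
)
$ErrorActionPreference = 'Stop'

function Test-UcrtInstalled {
    # Two independent signals: the hotfix record and the runtime DLL the KB ships.
    $hotfix = Get-HotFix -Id 'KB2999226' -ErrorAction SilentlyContinue
    $dll    = Join-Path $env:SystemRoot 'System32\ucrtbase.dll'
    return (($null -ne $hotfix) -or (Test-Path -LiteralPath $dll))
}

function Get-NativeSystem32 {
    # A 32-bit host process (e.g. NSIS launching 32-bit powershell.exe) sees the
    # WOW64 copies of dism.exe/expand.exe under System32; Sysnative reaches the real ones.
    if ($env:PROCESSOR_ARCHITEW6432) { return (Join-Path $env:SystemRoot 'Sysnative') }
    return (Join-Path $env:SystemRoot 'System32')
}

function Install-UcrtPackage {
    param([string]$Msu, [string]$Log)
    $v = [Environment]::OSVersion.Version
    if ($v.Major -ne 6 -or $v.Minor -ne 1) {
        Write-Host "OS version $v is not Windows 7 (6.1); nothing to do."
        return 0
    }
    if (-not (Test-Path -LiteralPath $Msu)) { throw "MSU not found: $Msu" }

    $sys32 = Get-NativeSystem32
    $work  = Join-Path $env:TEMP ('KB2999226-' + [Guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        # The MSU is a cabinet; unpack it to get the package .cab DISM can add.
        & (Join-Path $sys32 'expand.exe') -F:* $Msu $work | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

        # WSUSSCAN.cab is update-scan metadata, not the package itself.
        $cab = Get-ChildItem -Path $work -Filter '*.cab' |
               Where-Object { $_.Name -ne 'WSUSSCAN.cab' } |
               Select-Object -First 1
        if (-not $cab) { throw "No package .cab found inside $Msu" }

        & (Join-Path $sys32 'dism.exe') /Online /Add-Package "/PackagePath:$($cab.FullName)" /NoRestart /Quiet "/LogPath:$Log"
        return $LASTEXITCODE
    }
    finally {
        Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

if (Test-UcrtInstalled) {
    Write-Host 'KB2999226 already present; skipping.'
    exit 0
}

$rc = Install-UcrtPackage -Msu $MsuPath -Log $LogPath
switch ($rc) {
    0    { Write-Host 'KB2999226 installed.' }
    3010 { Write-Host 'KB2999226 installed; a reboot is required (DISM 3010).' }
    default { Write-Host "DISM failed with exit code $rc; see $LogPath" }
}
exit $rc
```

When the bundle is 32-bit NSIS on a 64-bit image, launch PowerShell itself through `$WINDIR\Sysnative\WindowsPowerShell\v1.0\powershell.exe`, otherwise the redirected 32-bit host is what runs and DISM's servicing stack may refuse the package. The exit code (0, 3010, or a DISM error) is what `nsExec::ExecToStack` pushes for the installer to branch on.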
Posted (edited)

One more thing, does it get detected only when you try to run it and/or by right clicking on the executable and then selecting scan with MalwareBytes from the context menu?

Edited by TwinHeadedEagle


I do not know, as this was from a customer and we're getting things second hand. They wouldn't have manually scanned it or otherwise run the file on their own, I wouldn't think, as it's being extracted to the temp files area. Though I guess an enterprising individual might do such a thing. My guess is that the real-time scanner picked it up. I will try installing Malwarebytes and scanning it as you suggest to see what happens there, though this will differ from our customer's environment.

Some background on how it's run from our installer. I use NSIS to launch a number of sub-installers as a bundle. NSIS requires administrative privileges to run, so it's running from an administrator's context when NSIS launches it. I have NSIS include some of these into the temp area to run for install, and then they are removed at the end of the run of the installer automatically. Here is an example of how I'm calling it from NSIS, if that'd help you:

nsExec::ExecToStack '"$pluginsdir\ETC_Install_Universal_C_Runtime.EXE"'

I am not sure what you mean about a detection name, but this was a bit of the Malwarebytes log that the customer sent to us:

Malwarebytes
www.malwarebytes.com

Log Details
Scan Date: 4/25/20
Scan Time: 2:06 PM
Log File: 895c08fe-86f5-11ea-aed5-f44d30143380.json

Software Information
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.22930
License: Premium

System Information
OS: Windows 10 (Build 18362.778)
CPU: x64
File System: NTFS
User: GARY-DESKTOP\gazza

Scan Summary
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 417432
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 3 min, 6 sec

Scan Options
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

Scan Details
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Malware.Generic.2713449660, C:\USERS\GAZZA\APPDATA\LOCAL\TEMP\NSRE05A.TMP\ETC_INSTALL_UNIVERSAL_C_RUNTIME.EXE, No Action By User, 1000000, 0, 1.0.22930, 8694B3D511505F95A1BBF4BC, dds, 00691914

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)


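The log above has the one piece of evidence the thread needed (the "File:" entry with the detection name and the path under the NSIS plugins directory), and the first post asked what to do about signed executables still getting flagged. The script below is an added example for this thread, not code from the poster or from Malwarebytes. It parses that log entry, then collects what a false-positive report and an internal sanity check need: the SHA-256 of the flagged file and the state of its Authenticode signature, including whether the signature is timestamped. The log line is the one quoted above; everything else about the file (it will normally be gone, since NSIS deletes its temp directory on exit) is an assumption, so run it against a copy of the shipped EXE.

```powershell
# Added example, not code from the thread. Requires PowerShell 4+ (Get-FileHash),
# which the customer's Windows 10 machine has.
$ErrorActionPreference = 'Stop'

# The "File:" entry exactly as quoted in the Malwarebytes log above (comma separated).
$logLine = 'Malware.Generic.2713449660, C:\USERS\GAZZA\APPDATA\LOCAL\TEMP\NSRE05A.TMP\ETC_INSTALL_UNIVERSAL_C_RUNTIME.EXE, No Action By User, 1000000, 0, 1.0.22930, 8694B3D511505F95A1BBF4BC, dds, 00691914'

function ConvertFrom-MbamFileEntry {
    # Only the fields whose meaning the log itself makes clear are named:
    # detection, path, action taken, and the value that matches the header's
    # "Update Package Version". The rest are kept raw.
    param([string]$Line)
    $f = $Line -split ',\s*'
    [PSCustomObject]@{
        Detection     = $f[0]
        Path          = $f[1]
        Action        = $f[2]
        UpdatePackage = $f[5]
        RawFields     = $f
    }
}

function Get-SignatureReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not present: $Path (NSIS removes its NSxxxx.TMP plugins dir on exit; use a copy of the shipped EXE)"
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer  = $null; $expires = $null; $thumb = $null
    if ($sig.SignerCertificate) {
        $signer  = $sig.SignerCertificate.Subject
        $thumb   = $sig.SignerCertificate.Thumbprint
        $expires = $sig.SignerCertificate.NotAfter
    }
    [PSCustomObject]@{
        Path          = $Path
        Sha256        = $hash
        Status        = $sig.Status           # only 'Valid' is acceptable
        StatusMessage = $sig.StatusMessage
        Signer        = $signer
        Thumbprint    = $thumb
        CertExpires   = $expires
        # Without a countersignature the signature stops validating when the cert expires.
        Timestamped   = ($null -ne $sig.TimeStamperCertificate)
    }
}

$entry = ConvertFrom-MbamFileEntry -Line $logLine
Write-Host ("Detection : {0}" -f $entry.Detection)
Write-Host ("Path      : {0}" -f $entry.Path)
Write-Host ("Action    : {0}" -f $entry.Action)
Write-Host ("Defs      : {0}" -f $entry.UpdatePackage)

# Point this at a retained copy of the file; the TEMP path from the log is transient.
$sample = $entry.Path
if (Test-Path -LiteralPath $sample) {
    Get-SignatureReport -Path $sample | Format-List
} else {
    Write-Host "Flagged file no longer on disk at $sample; re-run with a copy of the shipped EXE."
}
```

Two things worth checking from that report before filing a false-positive ticket: `Status` must be `Valid` on the extracted helper itself, not just on the outer bundle, because the real-time scanner saw the helper as a standalone file in `%TEMP%\NSxxxx.TMP`; and `Timestamped` should be true, since an un-countersigned signature becomes invalid the day the certificate expires, which turns every old installer in the field back into an unsigned binary.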

I can't reproduce this detection, which means it was most likely fixed in the meantime, as the machine learning engine which made this false detection does so automatically.


I installed the Malwarebytes trial and scanned in a VM, and it did not detect it as a threat either.

Thank you for looking into this, I guess we'll just leave it be and post here again if it pops up again.

