PAYLOAD.VSIX in Visual Studio 2019 Test Tools

[trevoralf]

Spyware.Agent detected during scheduled scan in:

C:\PROGRAMDATA\MICROSOFT\VISUALSTUDIO\PACKAGES\MICROSOFT.VISUALSTUDIO.TESTTOOLS.TESTPLATFORM.V2.CLI,VERSION=16.5.0.2020020501\PAYLOAD.VSIX

Looks clear on VirusTotal.  I've renamed the file to doc to allow upload.

 

PAYLOAD.doc

[miekiemoes]

Hi,

I can't reproduce detection here. Can you post the detection log? 

[miekiemoes]

I figured it out. This is only detected by older versions of MB. This will be fixed in next database update.

Thanks for reporting!

[zgerber08]

We received this over the weekend on a system using Malwarebytes EDR on the payload.vsix file for Spyware.Agent. Will it be resolved on the business-side EDR database as well?

[miekiemoes]

Hi,

Yes, this has been resolved in a meanwhile, so please update your database

 

[trevoralf]

Thanks Miekiemoes

[zgerber08]

Yes, this file has been restored and is no longer being flagged. Thank you Miekiemoes

[maj0191]

Hi All, 

This is showing up twice in a scan this morning. Specifically for the following two Payload.vsix files:

 File: 2
Malware.Heuristic.1001, C:\PROGRAMDATA\MICROSOFT\VISUALSTUDIO\PACKAGES\MICROSOFT.DIAGNOSTICSHUB.RUNTIME,VERSION=16.10.31306.3\PAYLOAD.VSIX, Quarantined, 1000001, 0, 1.0.44170, 0000000000000000000003E9, dds, 01379044, 794E72ABEEF6A653E03F47FB9C65E18B, 4CA43EC48916B7B16A7E49063EF47D2A23991413EA445BAFBA5D0BEDB2A50D70

Malware.Heuristic.1008, C:\PROGRAMDATA\MICROSOFT\VISUALSTUDIO\PACKAGES\MICROSOFT.VISUALSTUDIO.DEBUGGERCLIENT.MANAGED,VERSION=16.10.31306.167\PAYLOAD.VSIX, Quarantined, 1000001, 0, 1.0.44170, 0000000000000000000003F0, dds, 01379044, 18B19F828BB0F8618021240DFA78FEDD, 11B1B16D555B68E382B20803D95DEF21E89DBB1CD2F580EFEBCC885C0CF2C78A

 

[Porthos]

On 8/16/2021 at 5:59 AM, maj0191 said:

This is showing up twice in a scan this morning

Hi,

Do you have "Use expert system algorithms to identify malicious files" enabled? It is located in Settings > Security> Scan option.

This is normally disabled by default.

In either way, Staff will investigate this and get this fixed.

Thanks for reporting!

FYI. This setting is in the experimental stage.

That setting is to detect malformed files, but sometimes legit files use protection that make them malformed. Malwarebytes is still tweaking the algorithms that is why it’s off by default. If you switch it on it is assumed, you can tell the difference between a FP and a legit detection. 

And if you keep it on, I suggest also turn off auto quarantine. Gives you the time to report FP's and not go thru the extra step to have to restore from quarantine.

Please turn off "Use expert system algorithms to identify malicious files” It is located in Settings > Security> Scan option to avoid these detection's

[maj0191]

Thanks Porthos! I do have it enabled, and I can somewhat guess a false positive. Given the files is named "payload", I can understand why the scanner picked it up, as it's probably not a great filename for any software company to use for legitimate bits of software. If Visual Studio can't run, I'll just reinstall it. No big deal.

At least you know it detects based on common "payload" filenames.

[Porthos]

Just now, maj0191 said:

I do have it enabled

Disable it as it is not supposed to be enabled and then scan again.