Malware AI picked up a file that I think might be a FP

[NDR141]

Thanks in advance for your help.  I recently did a threat scan and Malwarebytes AI detected a file as malware that is related to screen connect.  I just want to know if this is a false positive, as I have used screen connect for awhile.  I can attach the text log I saved of the quarantine.  I don't want to have anything identifiable on the forum so let me know the best way to attach the logs of the Malwarebytes scan.  Thanks.

[Porthos]

32 minutes ago, NDR141 said:

a file as malware that is related to screen connect. 

I will have your post moved to the correct section.

This has been reported recently and fixed for that version that was reported.

32 minutes ago, NDR141 said:

I don't want to have anything identifiable on the forum

A scan log is not really identifiable info. You are welcome to edit the computer and account username before posting if you wish.

We also need you to un quarantine the affected file and zip and attach it here as well.

 

[NDR141]

Thanks for moving it.  I have attached the log file

malwarebytes.txt

[Porthos]

2 minutes ago, NDR141 said:

Thanks for moving it.

Has not been moved yet. An admin has to do that. All I did was alert one.

We need this file zipped and attached here as well.

C:\WINDOWS\TEMP\SCREENCONNECT\21.1.2091.7689\SCREENCONNECT.CLIENTSETUP.EXE

Edited March 20, 2021 by Porthos

[NDR141]

I also initiated a ticket, where I sent the FRST logs.  Should I wait on the reply?  If this is most likely a FP I don't mind waiting to hear back from the support team, but if you think this should be tackled right away, I will provide the further logs.  I have quarantined the file but im not sure how to zip it.  

 

Thanks again for your support.

[Porthos]

1 minute ago, NDR141 said:

I have quarantined the file but im not sure how to zip it.  

UN quarantine it, copy to desktop and right click and choose add to compressed folder if you do not have any 3rd party zipping tools. Attach the zip just like you attached the log.

 

[Porthos]

7 minutes ago, NDR141 said:

I also initiated a ticket, where I sent the FRST logs.

In FP cases like this, first, a FRST log is not needed and second, support will have just guided you here to the forums.

Also, the help desk is taking 3-5 weekdays to respond currently anyway.

The forum is the best way to get assistance as long it is NOT a licensee issue.

Edited March 20, 2021 by Porthos

[NDR141]

Ok.  Just so I'm clear. I will click restore on the quarantined file, and then it will give me an option to copy it to the desktop, where I will be able to right click and compress into a zip file.  After I have done that do I delete the file on the desktop?  Will this impact the app if its a FP?  I apologize for the simple questions, I just want to make sure I do this properly.  Instinctively, it seems like a bad idea to restore the "possible" malware, so I want to make sure I do this in the right order. 

[Porthos]

11 minutes ago, NDR141 said:

I will click restore on the quarantined file

Then the file returns to the original location. C:\WINDOWS\TEMP\SCREENCONNECT\21.1.2091.7689\SCREENCONNECT.CLIENTSETUP.EXE

Then navigate to that file and right click and choose copy and paste it on the Desktop.

Then on the copy you have on the Desktop, you right click and and compress into a zip file.

11 minutes ago, NDR141 said:

Instinctively, it seems like a bad idea to restore the "possible" malware

As long as you do not run/execute the file it will not be an issue even if it was not a FP.

FYI if you did not already know, ScreenConnect is a widely used tool for remote control.

And in addition, this one is located in C:\WINDOWS\TEMP which is a temp file location and is probably why the AI detected it in the first place. Malwarebytes is very fussy (protective) about files running from that folder.

 

Edited March 20, 2021 by Porthos

[NDR141]

I hope i did this correctly.  Thankyou for walking me through this

ScreenConnect.ClientSetup.zip

[Porthos]

32 minutes ago, NDR141 said:

I hope i did this correctly.  Thankyou for walking me through this

ScreenConnect.ClientSetup.zip 2.58 MB · 1 download

Looks good. I think what I said about it being in a temp folder is true.

I downloaded your sample and it is not detected when it is somewhere other than the temp folder.

[NDR141]

That sounds like good news.  I have three questions now.

1.) should I wait to do another threat scan until I hear from the expert in the FP section, when this topic is moved to the correct section? 

2.) This might be a stupid question, but should i be concerned that this file can be downloaded from this forum?  I see that it is a client setup file.  Just want to make sure its nothing identifiable to my specific computer

3.) Can I now delete the copied file and zip folder from my desktop?

 

Thankyou

[Porthos]

1 minute ago, NDR141 said:

2.) This might be a stupid question, but should i be concerned that this file can be downloaded from this forum?  I see that it is a client setup file.  Just want to make sure its nothing identifiable to my specific computer

Don't worry so much. Nothing there.

[NDR141]

Hi,

I just wanted to check, now that my post has been moved to the correct section, if anyone from the FP section should check to see if this AI warning was a true false positive.  It seems like the work that prothos did was correct, as when I restored the file and have scanned again, I haven't had anything come back as detected.  

Thanks for taking the time to confirm.

[shadowwar]

Yes this was a fp with multiple screen connect exes. 

 

[NDR141]

Thank-you for the confirmation, And Thankyou Porthos