Launch of Epson PowerENGAGE is being flagged as an exploit by RTP


Installing an Epson printer also installed something called Epson PowerENGAGE. From what I have gathered online, other printer manufacturers install their own versions of PowerENGAGE. It seems to be some kind of marketing software. Installation also placed an item in Task Scheduler that launches Epson PowerENGAGE.exe every 6 hours. Earlier this month, Malwarebytes Premium real time protection started to detect the launch as an exploit and shut it down. The log did not name PowerENGAGE specifically, but it did include the following:

Malware.Exploit.Agent.Generic, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, (and then some numbers)

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid

Since the offending program was not listed, figuring out that PowerENGAGE was the problem took some work. The big clue was that Malwarebytes detected this exploit twice, and both detections took place at 44 minutes after the hour. I went to Task Scheduler and looked for anything scheduled to run at HH:44, and sure enough, there was Epson PowerENGAGE. 

Anyway, I went to C:\Program Files (x86)\Epson PowerENGAGE and double-clicked on Epson PowerEngage.exe, and it triggered the same Malwarebytes detection. 

I have sent an email to Epson support asking them about this app. I will probably uninstall it. 

Anyway, if anyone gets these same detections, you might look in Task Scheduler for some version of PowerEngage. I spent many hours trying to track this down, and I hope I can save others the trouble. 




Before that, start Task Scheduler as administrator. You can do this from a Windows admin account, or you can type Task Scheduler into the Windows search bar and click on the option to start it as administrator. Running Task Scheduler as a standard user will not allow you to see most of the scheduled tasks, including Epson PowerENGAGE.

Sorry to dribble out this advice, but the original version of this part kept getting blocked because the wording apparently looked like potential spam, so I had to post it a piece at a time to try to figure out which was the offending part. Another false positive...

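The manual search described in the posts above (find whatever is scheduled at the minute the detections fired) can be scripted; this is an added example, not part of the original posts. The detection timestamps are constructed sample values and the two-minute tolerance is an assumption.

```powershell
# Added example, not from the original posts. Run in an elevated session:
# a standard user does not see most scheduled tasks.
$DetectionTimes = @(                      # constructed sample timestamps;
    [datetime]'2024-01-10 08:44:00',      # replace with the times from your
    [datetime]'2024-01-10 14:44:00'       # own Malwarebytes detection log
)
$ToleranceMinutes = 2                     # assumed allowance for launch delay

function Test-MinuteMatch {
    param([datetime]$Candidate, [datetime[]]$Detections, [int]$Tolerance)
    foreach ($d in $Detections) {
        # Compare minute-of-hour only, wrapping across the hour boundary.
        $diff = [math]::Abs($Candidate.Minute - $d.Minute)
        if ([math]::Min($diff, 60 - $diff) -le $Tolerance) { return $true }
    }
    return $false
}

$hits = foreach ($task in Get-ScheduledTask) {
    $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    # Candidate times: last run, next run and each trigger's start boundary.
    $candidates = @($info.LastRunTime, $info.NextRunTime)
    foreach ($trigger in $task.Triggers) {
        $candidates += ($trigger.StartBoundary -as [datetime])
    }
    foreach ($c in $candidates) {
        # Skip empty values and the placeholder date of never-run tasks.
        if (-not $c -or $c.Year -lt 2000) { continue }
        if (Test-MinuteMatch $c $DetectionTimes $ToleranceMinutes) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Matched = $c.ToString('yyyy-MM-dd HH:mm')
                Repeat  = ($task.Triggers.Repetition.Interval |
                           Where-Object { $_ }) -join ','
                Action  = ($task.Actions | ForEach-Object {
                           "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
            break   # one row per task is enough
        }
    }
}
$hits | Sort-Object Task | Format-List
```

A task that repeats every 6 hours shows `PT6H` in the Repeat field, and the Action field gives the executable path to compare against the program you suspect.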
