Sortcut to Taskmanager in startup is reported as RiskWare.AgentE (Resolved)

[Fred232]

I'm not sure if this is a false positive or not but it does not seem right to me.

 

I wanted a method to start Task Manager automatically when I logged in.

I created a shortcut to Task manager (shortcut to C:\Windows\System32\Taskmgr.exe) and placed it in C:\Users\<My-User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

It works and Task Manager opens when I log into this account.

 

However, a Malwarebytes scan reports the link/shortcut file as RiskWare.AgentE

If I scan the actual C:\Windows\System32\Taskmgr.exe file directly neither Defender or Malwarebytes report it as malware. But if I scan the link in the startup folder Defender still says it OK but Malwarebytes reports the problem.

If I cut the shortcut out of the startup folder and put it on the desktop Malwarebytes also now says its OK.

 

Is this correct or a False Positive or is Malwarebytes just playing it safe and reporting this type of link when its in startup?

 

[Porthos]

@Fred232 Could you please provide the protection log skowin the detection.

[Fred232]

Thanks for the reply.

Log as requested.

Theres nothing wrong with the file regard detections when its placed in other folders, just when its in 'startup'.

I would be nice if MWB could scan a bit deeper, ie, maybe follow the link and actually scan the file its a shortcut of. After all Taskmgr at that location (windows\system32) is a signed Microsoft file that I assume you would scan and pass in a full scan of the system. Just not the link to it when its in startup?

If not then I guess its 'exceptions time'.

Thanks

log.txt

[Fred232]

Any thoughts?

 

[Porthos]

On 4/13/2024 at 9:21 AM, Fred232 said:

I guess its 'exceptions time'.

I would since it is obviously not malware. Just something being called from a non-standard location.

[Fred232]

Can I ask how its done? I'm hoping I've missed something.

 

I tried to put it into the allow list under the settings cog.

Click 'Add', click 'Allow a file or folder', click 'select a file'. Navigate to the link (in startup) select it and click 'open'. However the actual Taskmanager (C:\windows\system32\Taskmgr.exe') and NOT the actual link (C:\USERS\My-User\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\TASKMGR.EXE.LNK) gets allowed, and when I run a scan the link still gets detected.

I don't want to exclude the entire 'startup' folder in case I was unlucky and some malware got into it.

 

But also, as it appears to know that link is the real taskmanager, as its followed the link to its source, why is it failing in the first place?

 

So how do I exempt the link and only that link?

Thanks

 

[blender]

Hello,

I see your struggle. I tried the same as you BUT I renamed the shortcut itself to taskmanager once it was created. And no need to exclude anything.
THAT works. (at least a workaround for now)

We're looking into this. Will reply back when I get some feedback from my peers.

[Porthos]

I also just activate the task manager with a right-click on the taskbar.

[blender]

Hello again,

Just a note to say the rule responsible for this detection will be removed. Update will be within a couple hours.

Thanks for reporting.

[Fred232]

Porthos & Blender, thanks for the quick replies and response.

 

Just ran a scan and its not longer detected.

Version:

MWB - 4.6.13.324

Update Package - 1.0.83633

Component Package - 1.0.2319 

 

Thanks