bhance

Bomgar remote install .exe wrongly flagged as trojan.agent

Hello,

Bomgar remote install .exe files have recently been wrongly flagged as trojan.agent.

Bomgar is a remote assistance tool, and the .exe is the installer sent to clients to initiate remote support sessions. Product is legitimate. See: bomgar.com

Attached are a sample .exe and a logfile created with mbam.exe /developer, flagging a couple of these.

Thanks!

-bhance

1305089538-bomgar-scc-installer.exe.zip

mbam-log-2011-07-04 (00-19-40).txt

Is this the default setup for this software, as both its location and double extension are not typical for professional software?

I believe so.

In a typical scenario the end user downloads the installer from a web link, runs it, and then the installer performs a second round of installation and opens up a remote connection to a managed 'remote session' appliance.

The first .exe installer sits wherever the user downloads it to, but I suspect the files being flagged here are from the second install, where it gets the rest of its files from the centralized server. (I only .zipped it to send it to this forum; typically it is an .exe on the user's local system.)

I'm not 100% sure how the rest of its internals work. But because it is a 'remote assistance' program it is likely very network-library heavy, will open outside connections (http and https, I believe), etc.

Hope this helps,

-bhance

The reason we ask is that there are 2 issues that are very atypical of professional software.

c:\documents and settings\all users\application data\ <- This is a directory where only other directories are stored. These subdirectories are typically named after their parent software and contain non-executable data. The root of Application Data is an out-of-the-way location where no executables should ever be, and as such malcoders like to use it as a location to execute malware from.

1298832433-bomgar-rep-installer.exe.exe <- There is no reason to use a double extension like this, and typically the only reason for a double extension is to exploit the default 'hide known extensions' setting in all current versions of Windows.

In any event, we made some changes and this should no longer be detected. If you have any contact with the authors of this software, kindly point this post out to them.

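The two heuristics described in the reply above (an executable sitting directly in the root of the shared Application Data directory, and a double extension such as `.exe.exe` that relies on the 'hide known extensions' default) are easy to express as a path check. The following is an added example written for this thread, not code from Malwarebytes or from Bomgar; the list of data-root directories, the executable and decoy extension sets, and the sample paths are all assumptions constructed for the demonstration. It goes slightly beyond the thread by treating `C:\ProgramData` (the newer-Windows equivalent of `All Users\Application Data`) the same way and by ignoring version-style dotted names such as `setup.v1.2.exe`, which are not double extensions.

```python
"""Path-based heuristics for the two red flags discussed in the thread:
   1. an executable directly in the root of a shared data directory, and
   2. a double extension where a decoy document/executable suffix is
      followed by an executable suffix (e.g. invoice.pdf.exe, x.exe.exe).
Pure path analysis; nothing is opened or executed, so it runs anywhere."""
from pathlib import PureWindowsPath

# Directories whose root should hold only per-product subfolders, never .exe
# files. The first entry is the one named in the thread; the ProgramData
# entry is an assumption added here for newer Windows layouts.
DATA_ROOTS = [
    PureWindowsPath(r"c:\documents and settings\all users\application data"),
    PureWindowsPath(r"c:\programdata"),
]

# Suffixes Windows will run directly (assumed set for the demonstration).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Suffixes commonly used as the "visible" half of a double extension once
# the real extension is hidden (assumed set for the demonstration).
DECOY_EXTS = {".exe", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt", ".zip"}


def check_path(path_str):
    """Return a list of finding tags for one Windows path (empty list = clean).

    Tags: 'double-extension', 'exe-in-data-root'. Order is fixed so callers
    and tests can compare lists directly."""
    p = PureWindowsPath(path_str)
    suffixes = [s.lower() for s in p.suffixes]
    findings = []

    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return findings  # only executables are interesting for either rule

    # Rule 2: decoy suffix immediately before the executable suffix.
    # Requiring a known decoy avoids flagging 'setup.v1.2.exe'.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        findings.append("double-extension")

    # Rule 1: parent directory is exactly a data root (not a subfolder of it).
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    if any(p.parent == root for root in DATA_ROOTS):
        findings.append("exe-in-data-root")

    return findings


def scan(paths):
    """Run check_path over an iterable of paths; return {path: findings}
    containing only the paths that produced at least one finding."""
    results = {}
    for path in paths:
        findings = check_path(path)
        if findings:
            results[path] = findings
    return results


# Constructed sample paths: the flagged name from the thread, a legitimate
# per-product subfolder install, a classic decoy name, and a versioned name.
SAMPLE_PATHS = [
    r"c:\documents and settings\all users\application data\1298832433-bomgar-rep-installer.exe.exe",
    r"c:\documents and settings\all users\application data\Bomgar\support.exe",
    r"C:\ProgramData\invoice.pdf.exe",
    r"c:\tools\setup.v1.2.exe",
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PATHS).items():
        print(f"{path}\n    -> {', '.join(findings)}")
```

Both rules are deliberately narrow: an executable in a vendor-named subfolder under Application Data produces no finding, and only the root itself is treated as suspicious, which matches the distinction the reply draws between the root and its subdirectories.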
Excellent, thanks very much for your assistance. I will pass this thread on to the company that maintains the Bomgar software.

-bhance
