PDA

View Full Version : X-Post: TPS MSE Security Essentials Forefront Endpoint



NewsArchive
02-25-2013, 11:28 AM
Hello all,

since today we are also obviously hit by MSE.

What has happened? An Admin called this morning, telling that the update he
installed over the existing install doesn't work anymore, all of a sudden.

He testified that the program has worked okay before.

So he granted access to his machine via Teamviewer and I could see that that
three TPS and one DLL were simply mising. (that DLL was code-signed!)

While I was scratching my head how this could have happened, he (for what
reason ever) opened MS Security Essentials.

Then I told him that I have heard about reports from the colleagues here in the
forum, so that I have installed MSE on my machine also, but without getting
harmed so far.

"Well, you will probably have installed the publiclly downloadable MSE, I
suppose." he said. "We use MS Security Essentials Forefront-Endpoint."

Which leads to to the question: with what version do you run into trouble?

Anyway, I gave him the advice to exclude TPS, but as that code-signed DLL has
diminished too, I suggested to better exclude the entire directory branch.

I hope to hear from him again in a couple of days, whether this mysterious
behaviour happened again - I will report.

bye
Wolfgang

NewsArchive
02-25-2013, 11:28 AM
> So he granted access to his machine via Teamviewer and I could
> see that that three TPS and one DLL were simply mising. (that
> DLL was code-signed!)

Seems to be a typical false-positive bug in MSE and you should report it. A
"suspicious file" alert triggered by a heuristic scanning method removed
your DLL. Code-signed or not, MSE thought that your DLL was some kind of
malware. Sometimes a simple recompile and re-code-sign of the DLL can help
because this always changes the binary contents. But another two or three
recompiles later and the same false-positive might be back.

We check our files here on a regular basis:

www.virustotal.com

In the past, MSE flagged Chrome as a Zbot banking trojan. AVG incorrectly
flagged user32.dll and removed the system file (and killed the machine).

MSE and TPS files is another long story.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
02-25-2013, 11:28 AM
This DLL is actually not from me, it was vuFT3.DLL from Bill Roe (ValUtilites).
I have informed him already.

His DLL was not code-signed by himself, so I did it with my certificate, after
asking Bill for his permission.

Do you coincidently (blinkblink) know where to report this "accident" to Microsoft?

thx
Wolfgang

NewsArchive
02-25-2013, 11:28 AM
Hi Wolfgang,

>
> Do you coincidently (blinkblink) know where to report this
> "accident" to Microsoft?
>

As far as I know, MS handles all the false-positives via this form:

http://www.microsoft.com/security/portal/shared/vendorfp.aspx

Friedrich

NewsArchive
02-25-2013, 11:29 AM
>As far as I know, MS handles all the false-positives via this form:
>
>http://www.microsoft.com/security/portal/shared/vendorfp.aspx

Thanks a lot, Friedrich!

I called MS in Unterschleißheim, got connected to their business hotline in Bulgaria.

There I had a friendly callcenter agent on the line, but all she could offer
was a contact IF I would have had a support contract for business
customers......

Well, all I want to do is to help MS to improve their products......

Now I gonna try that link - wish me luck!

Wolfgang Orth

NewsArchive
02-25-2013, 11:30 AM
virustotal.com Shows 3 problems in vuft3.dll

Dan Scott

NewsArchive
02-25-2013, 11:30 AM
>virustotal.com Shows 3 problems in vuft3.dll

My test returned only 1/46.

Is your DLL also code-signed?

Mine is, with my own COMODO certificate.

And the fun thing is, the only issue that got reported, is "Comodo - Heur.Packed.Unknown"

ohhhhh myyyyyyyy!

Wolfgang Orth

NewsArchive
02-25-2013, 11:31 AM
>www.virustotal.com

returned only one issue: Comodo - Heur.Packed.Unknown

Well, its a Comodo Certificate.......

Do we have to contact Comodo also now?


Bernd, das Brot so: "Mist"

Wolfgang Orth

NewsArchive
02-25-2013, 11:32 AM
Was the dll protected by Armadillo?

>
>So he granted access to his machine via Teamviewer and I could see that that
>three TPS and one DLL were simply mising. (that DLL was code-signed!)

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

NewsArchive
02-25-2013, 11:32 AM
>Was the dll protected by Armadillo?

no

Wolfgang Orth

NewsArchive
02-26-2013, 02:40 AM
>>www.virustotal.com
>
> returned only one issue: Comodo - Heur.Packed.Unknown
>
> Well, its a Comodo Certificate.......
>
> Do we have to contact Comodo also now?

Comodo code-signing and Comodo Antivirus / Spayware are completely different
animals.

vuFT3.DLL seems to have a "Comodo - Heur.Packed.Unknown" problem for a long
time:

https://www.virustotal.com/en/file/f65d747a5f6c1b937874c163fd9332d6ebc038dbff65418a5f e20362d2929967/analysis/

First seen as a virus: 2011-01-26 16:07:39 UTC ( 2 years, 1 month ago )

It has nothing to do with your certificate!

When you code-sign the file with your own certificate, then this will change
the binary contents of vuFT3.DLL. But the file is still detected as malware
(heuristic scanning).

Bill Roe should contact all the virus vendors to report the false positives.

Friedrich

NewsArchive
02-26-2013, 02:40 AM
BTW, I have tested one vuFT3.DLL that is considered to be virus/spyware
free:

https://www.virustotal.com/en/file/dbe03061af3f639dc27f16dee4520a7e304a206218c4f69b83 b9016551099d95/analysis/1361814167/

Bill does not have a version resource embedded so I can't tell you which
version it is.

Friedrich

NewsArchive
02-26-2013, 02:41 AM
> Bill does not have a version resource embedded so I can't tell you which
> version it is.

Some (or later) DLLs have a version resource. V3.4.0.0 is detected as
virus/spyware.

Friedrich

NewsArchive
02-26-2013, 02:41 AM
> vuFT3.DLL seems to have a "Comodo - Heur.Packed.Unknown" problem for a long
> time:

Yep. Been that way for that long with AVG as well.
--

Mark Riffey
http://www.rescuemarketing.com
Now featured on the Visa Business Network
If Guy Kawasaki, the staff of the Wall Street Journal,
Fast Company, US Bank, Marketing Profs & Business Week read it,
maybe you should too.