emwul64

File: invisible.vbs - safe or not ?


EIS v12 stumbled over a file named: invisible.vbs

 

When checking out isthisfilesafe.com, the file was reported to be safe (same hashcodes).

When checking the Internet, it looks like there are somewhat 'mixed' reports.

 

What is correct?

I have not installed anything. Revo Uninstaller shows the last updates were dated 30-10.

Only Google Drive was updated today (03-Nov), but maybe that had to do with synchronizing?

 

Oh, btw, on the forum one has to search using quotes (when searching for strings like invisible.vbs); on isthisfilesafe.com quotes are not necessary.

 

http://www.isthisfilesafe.com/sha1/920AC866507E9D8DCE84D513AFEAEF2C9E120F4D_details.aspx

 

 

=


If you follow the link from the isthisfilesafe page to the VirusTotal page, then look at the comments tab, someone has pasted in what this file actually contains.  Assuming that their paste is accurate, the VBS file merely runs any command that's passed to it without opening a command window.  So, it runs a command "invisibly".  Most programmers use something similar when their scripts have to run a subsidiary command.   Is it safe?  Yes, in itself it is.  But what's more important is what other programs/scripts are running this vbs program and what commands they are asking it to run.

 

Commands run via this program will not, I would expect, be anything that couldn't already be run in a command window.  All that's happening is that you don't see the command happen.  It's not a way to run an elevated-privilege command from an ordinary user.

 

If this really worries you, you could turn on Windows audit logging of process creation/termination, and full tracking of commands that are issued and their parameters, then search through your event log records to find out when this program is used and by what other program.     

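The audit-and-search approach suggested in the reply above, as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt on an English-language Windows install (audit subcategory names are localized); the 7-day look-back window is a choice made here.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

# 1. Turn on auditing of process creation and termination
#    (subcategory names are localized; these are the English ones).
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Process Termination" /success:enable

# 2. Record the full command line in each process-creation event (ID 4688).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Later: search the Security log for launches that mention the script.
$needle = 'invisible.vbs'          # file name from the thread
$since  = (Get-Date).AddDays(-7)   # assumed look-back window

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read fields by name from the event XML rather than by position,
        # because the field order differs between Windows versions.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['CommandLine'] -like "*$needle*") {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['SubjectUserName']
                Parent      = $data['ParentProcessName']  # Windows 10 / Server 2016 and later
                ParentPid   = $data['ProcessId']          # creator process ID, hex string
                Process     = $data['NewProcessName']     # normally wscript.exe or cscript.exe
                CommandLine = $data['CommandLine']
            }
        }
    } | Sort-Object Time | Format-List
```

Events are only recorded from the moment auditing is enabled, so the search returns nothing for launches that happened before step 1.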

Many thanks. Once one knows to which program it relates, it makes searching for a solution much easier... :)

 

So, on https://goo.gl/mJCcyJ

(Google Drive Help Forum, subject "invisible.vbs error")

I found Google-rep comments:

"That invisible.vbs is a file that is used to auto-upgrade Google Drive on your system.   It is benign and will delete itself after the auto-upgrade of Google Drive is successful."

 

Thanks again.

=
 


For this particular file, there was a comment on the VirusTotal analysis that explains what it is. In general, we recommend searching for the SHA-1 hash of the file on VirusTotal to see if there is information on its safety when you see an alert, as the information there can often be helpful to determine whether or not the file is safe. ;)


Thanks a lot! JeremyNicoll suggested likewise. I wasn't aware of this 'extra information' on VirusTotal.

 

That said, I followed EIS's initial recommendation: quarantined the file. Only later did I learn about the above, the VirusTotal comments.

Let's see what happens: I don't see a way to, let's say, 'un-quarantine' the file, i.e. having it restored, so to say.

See whether Google Drive will be auto-upgraded nonetheless.

 

Anyway, thanks again.

 

=


If you open EIS and click on Quarantine then you'll see a list of everything that's in the Quarantine. Just click on the file you want to restore to select it, and then click on the Restore button in the lower-left corner.
