Dwer23

Was installing Unity3D and Microsoft Visual Studio when I got a warning about crypto malware and hidden installations


Is this a known false positive, or did it just happen that I got some infection at the same time?

Here are the logs

Emsisoft Anti-Malware - Version 2017.8
BB log

Date    PID    Application    Event    Detection    
21/09/2017 01:07:57    0    C:\Windows\Installer\MSI8FAE.tmp    App rule modified        
21/09/2017 01:07:56    1784    C:\Windows\Installer\MSI8FAE.tmp    Allowed always by user    Behavior.CryptoMalware    
21/09/2017 01:07:53    0    C:\Windows\Installer\MSI8FAE.tmp    App rule added        
21/09/2017 01:07:53    1784    C:\Windows\Installer\MSI8FAE.tmp    Allowed always by user    Behavior.HiddenInstallation    
21/09/2017 01:07:27    9864    C:\Windows\Installer\MSI6429.tmp    Quarantined by user    Behavior.HiddenInstallation   


If you still have the .tmp files, or maybe the original MSI files, you could upload them to VirusTotal for a second opinion: http://www.virustotal.com/

If it were a 'known false positive' I think Emsi would have changed their heuristics so that the files were no longer detected. It might though be a new FP. If you do upload the files to VirusTotal and they look innocent, post the VirusTotal URLs on the FP part of this forum.

3 hours ago, Dwer23 said:

> Is this a known false positive, or did it just happen that I got some infection at the same time?
>
> Here are the logs
>
> Emsisoft Anti-Malware - Version 2017.8
> BB log
>
> Date    PID    Application    Event    Detection
> 21/09/2017 01:07:57    0    C:\Windows\Installer\MSI8FAE.tmp    App rule modified
> 21/09/2017 01:07:56    1784    C:\Windows\Installer\MSI8FAE.tmp    Allowed always by user    Behavior.CryptoMalware
> 21/09/2017 01:07:53    0    C:\Windows\Installer\MSI8FAE.tmp    App rule added
> 21/09/2017 01:07:53    1784    C:\Windows\Installer\MSI8FAE.tmp    Allowed always by user    Behavior.HiddenInstallation
> 21/09/2017 01:07:27    9864    C:\Windows\Installer\MSI6429.tmp    Quarantined by user    Behavior.HiddenInstallation

Your PC is protected because Emsisoft blocked the threat before it was able to execute. You can upload them to VirusTotal to see if it is a threat or not. Anything below 2 detections is considered to be a false positive, and 5 detections and above is considered to be a threat.


If it was crypto malware for real, and since I allowed it, shouldn't my PC already be locked down? Initially I thought all of those warnings were just Emsisoft thinking these Visual Studio files were malicious, because it happened while the Visual Studio installer was downloading something. My Unity3D and Visual Studio were from a legit source, so they weren't carrying trojans.

Can't find those files anymore, so I can't check. I'll try again to find them though. That "installer" folder doesn't even exist anymore, weird?


Emsisoft gives that same notice when uninstalling VoodooShield. As EAM adds things like exploit & anti-ransomware protection, some normal stuff gets convicted wrongfully.

It's a very uncomfortable feeling & can also be deemed misleading. And to my knowledge it is the only AV that does it. Even before exploits & ransomware were invented there were other misleading notices like: Hidden Backdoor, Invisible Download & Manipulation of Other Processes. This is a long ongoing problem that needs correcting.


I would appreciate it if someone would download and install Unity3D, and Visual Studio alongside it (which it offers to install), and see if your Emsisoft gives the same warnings.

9 minutes ago, Dwer23 said:

> If it was crypto malware for real, and since I allowed it, shouldn't my PC already be locked down? Initially I thought all of those warnings were just Emsisoft thinking these Visual Studio files were malicious, because it happened while the Visual Studio installer was downloading something. My Unity3D and Visual Studio were from a legit source, so they weren't carrying trojans.
>
> Can't find those files anymore, so I can't check. I'll try again to find them though. That "installer" folder doesn't even exist anymore, weird?

The application detected behaves like crypto malware. Can you upload these files to VirusTotal and give us the link for it? The Behavior Blocker from Emsisoft can sometimes generate false positives, so it is best to upload to VirusTotal first before clicking allow to let it run on your PC.

If it is indeed an actual crypto locker, you have to immediately disconnect any network and removable drives from the computer, then run an Emsisoft custom full scan, not a malware scan. After that, restore the encrypted files using a backup, and if you don't have one, well... you have to start from scratch.


I can't upload them because that "installer" folder doesn't even exist anymore. I haven't noticed anything weird on my PC after those warnings; I'm using my PC as normal. An Emsisoft custom scan with direct disk access didn't find anything, nor did Malwarebytes, RogueKiller, Sophos scanner, F-Secure online scanner, or HitmanPro.

1 minute ago, Dwer23 said:

> I can't upload them because that "installer" folder doesn't even exist anymore. I haven't noticed anything weird on my PC after those warnings; I'm using my PC as normal.

Did you check the temp folder?


One thing someone could do is to install that Unity3D, and Visual Studio alongside it, to see if Emsisoft gives the same warnings. That would pretty much confirm whether they were false positives, and if they were, they could be whitelisted at Emsisoft.


If the .tmp files no longer exist, how about the original installer, probably a .msi file that you'd downloaded(?) and run?

Also the log shows one .tmp file being quarantined. It has a different name from the one mentioned 4 times above it; was it from the same install attempt (maybe a first try that you deleted)?

I can't imagine any of the Emsisoft users here will be in a hurry to attempt the same install, but maybe an Emsisoft support person might try it. You'd need to tell us/them precisely which installer you downloaded and where from though. Nobody is clairvoyant.

4 minutes ago, JeremyNicoll said:

> If the .tmp files no longer exist, how about the original installer, probably a .msi file that you'd downloaded(?) and run?
>
> Also the log shows one .tmp file being quarantined. It has a different name from the one mentioned 4 times above it; was it from the same install attempt (maybe a first try that you deleted)?
>
> I can't imagine any of the Emsisoft users here will be in a hurry to attempt the same install, but maybe an Emsisoft support person might try it. You'd need to tell us/them precisely which installer you downloaded and where from though. Nobody is clairvoyant.

https://store.unity.com/download?ref=personal

This is where I downloaded the file, which then started to download files in order to install the whole thing. It also asked if I wanted to install Visual Studio too, and I checked yes, and while it was downloading something for Visual Studio, those warnings appeared. Yes, all of those MSI warnings came during that install. I think it quarantined the first one because I didn't do anything with the first warning, since the notification disappeared so fast; for the rest I pressed allow.


Ah, rats, I see it's not an installer at all, but a stub that in turn downloads other files. That certainly makes it harder for anyone else to see which files you received.

1 minute ago, JeremyNicoll said:

> Ah, rats, I see it's not an installer at all, but a stub that in turn downloads other files. That certainly makes it harder for anyone else to see which files you received.

Well yes, but it should download all the same files for anyone who uses this stub, since it's downloading all the required files.


The 'installer' whose website address you gave above is named something like UnityDownloadAssistant..., which means it doesn't itself contain the product files, which means in turn that scanning it won't prove anything.

Also, you said above that "My Unity3d and visual studio were from legit source so they werent carrying trojans.", which is clearly not necessarily true. "Legit" sources can be infected; look at all the publicity that Piriform/Avast are getting about their infected copies of CCleaner.


> Well yes, but it should download all the same files for anyone who uses this stub, since its downloading all the required files.

Maybe, maybe not.  It might download different files according to the machine you run it on.


Hmm yeah, you are right. Though it would be kind of bad luck that I would get some kind of virus from that, which is certainly possible. I am a little more inclined to think it was a false positive since no scans find anything; I might send Farbar logs just to make sure the PC is clean. The detection says it's crypto malware, but my PC is not locked down in any way, so that doesn't really make sense, or am I mistaken about how they work?


You said earlier: "Initially i though all of those warnings were just emsisoft thinking these visual studio files were malicious, because it happened during when the visual studio installer was downloading something", which seems reasonable to me for the "Behavior.HiddenInstallation" alerts. After all, if I understand this correctly, the program that was running was not started by you. I think you ran the download assistant, which downloaded other files and then ran them... and to the Behaviour Blocker that's exactly what would happen if some malware was trying to install something without you knowing about it. On the other hand, the "Behavior.CryptoMalware" alert must surely mean that something in one of these programs was trying to do some encryption or decryption. That might be innocent, but who knows?

I also notice you said "because that "installer" folder doesn't even exist anymore". That in itself is not weird: well-behaved installers that create temporary working files should delete them after they have run. Very few do, though.


Yeah, about the app rule, I think it's because I pressed the "allow" button, so it created the rule to allow it?

To be precise, the thing I found through search was MSI8FAE.tmp-, note the dash at the end. That's the thing that was only a folder. In the search function, it shows the path is the same as in the logs, but when I go to Windows/Installer, there is no such folder, which is weird. I have enabled "show hidden files".


You said the installer folder didn't exist any longer; did you mean that the MSIxxxx.tmp files no longer existed in C:\Windows\Installer\ ? Or did you mean that C:\Windows\Installer\ no longer exists?

No-longer-present MSIxxxx.tmp files is probably ok. But here, on my W8.1 system, C:\Windows\Installer\ does exist; indeed there are several hundred files inside it.


The whole folder is missing; the only trace of it can be found if I type that file name into the search function, and there it shows where it "resides", but I can't navigate into that folder. I am using Windows 10.


Actually now I found access to the Installer folder by right-clicking that tmp folder. Those tmp folders are there, but they don't contain any files either. They have the same names as in the Emsisoft logs, but with a - symbol at the end, and they are just folders.


> Can we safely atleast assume its not crypto malware, since my pc is working as normally?

I certainly hope so, but I don't think so; if the MSI8FAE.tmp file did install something malicious then for all you know its behaviour might be to wait for a while before doing anything. Or it might have damaged files you don't look at very often. Why, given such an alert, did you allow it?

It depends what within the MSI8FAE.tmp file made the Behaviour Blocker think it was crypto malware.


At the moment, I just assumed it was a false positive because it came at the time of this installation, and Emsisoft earlier gave me some warning about firewall modification when running the Farbar recovery tool, so I just assumed this was yet another false positive. Now I have started to think about it a little bit more and hoped to see some guidance here regarding this issue. Also, those being "MSI" files kind of reinforces the idea of a false positive, because it's Microsoft's product, Visual Studio.

I didn't do anything else while installing this program, and I've disabled SMB 1.0 since I started using this operating system.


Right now I think you should do a custom scan of your whole machine. Do not exclude any files or folders.

In future if you get an alert you don't understand, don't automatically allow it. What I'd do in that situation is make a copy of the file that the alert was for, then block it, so that the install would be stopped in its tracks. I'd then upload the original (if it still existed) or the copy to VirusTotal to get an opinion on it. I might then google to see if other people had had the same problem (note that the name MSInnnn.tmp would probably be different, ie the nnnn part varies, if other people had also downloaded the same thing, which makes looking for other people's problems harder). I'd possibly also contact the company whose product I was trying to install.


I understand. But as I've already said, I ran an Emsisoft custom scan with direct disk access and it didn't find anything, nor did Malwarebytes, RogueKiller, Sophos scanner, F-Secure online scanner, HitmanPro, or RKill.


> Also thoses being "MSI" files also kinda reinforces the idea of false positive, because its microsofts product

Lots of products, not just Microsoft ones, come with MSI installers. Although you hope that these particular MSIs were for Visual Studio, or one of its dependencies, I am not sure that you actually do know that for sure. If the download assistant had decided to download something malicious (not that I'm saying it's likely), how would you know?

2 minutes ago, JeremyNicoll said:

> > Also thoses being "MSI" files also kinda reinforces the idea of false positive, because its microsofts product
>
> Lots of products, not just Microsoft ones, come with MSI installers. Although you hope that these particular MSIs were for Visual Studio, or one of its dependencies, I am not sure that you actually do know that for sure. If the download assistant had decided to download something malicious (not that I'm saying it's likely), how would you know?

You are right, I can't really know for sure. I am just trying to think on a more positive note, if you know what I mean, considering various virus scanners came up with nothing, all of this coincided with this installation, and it being compromised doesn't really seem highly likely.

I've had a history of obsessing A LOT about viruses and shredded my PC multiple times a week for no real reason; I am just so tired at this point.


I'm not trying to destroy your 'on a positive note' thoughts. The thing is, if this turns out ok, there's no problem. But if it turns bad, then you won't want anyone to have given you a false sense of security. If you have recent backups and they're on a device that's not connected to your computer, and (as you say) EAM and other apps say your machine is clean, then maybe I'd just go ahead, but be much more alert to signs of a problem in the next few days. On the other hand, if you have no recent backups, or your backups are on internal disks, then I think you need advice. Maybe post on the 'my pc is infected' sub-forum (and provide the people there with the reports they describe at the top of that subforum), and link to this thread?

Something else that might have been a good idea: even when I download and run a normal installer, I always save it and EIS-scan it before running it. I don't like the sorts of installers that then download more files and run those. If I was running one of them and I got an alert (presumably from one of the just-downloaded files) I think I'd be very likely to block the thing at that point, and then investigate the downloaded files before rerunning them. It might be hard to do that; maybe I'd just delete the whole lot and try again. Or I'd hunt around the supplier's website to see if they offered a form of download that didn't use a download assistant. Or ask on their forums how you can be sure the downloads are safe before running them. Or use a test machine or a virtual machine or a 'sandbox' to do the install, because really in this situation you, the user, have no control over what's going on.


I totally agree, and I have been a huge advocate of being cautious rather than sorry, but I've obsessed and OCD'd so much about these issues lately (shredding multiple times a day), so it just feels so demoralizing to shred my PC once again for something that may well be a false positive, because the PC isn't acting up at all, plus no virus scanners find anything, and I have things to do.

What I will absolutely do at least is run the Farbar recovery tool and send the logs to be analyzed. Any infection should show up there, right?

28 minutes ago, Dwer23 said:

> I totally agree, and I have been a huge advocate of being cautious rather than sorry, but I've obsessed and OCD'd so much about these issues lately (shredding multiple times a day), so it just feels so demoralizing to shred my PC once again for something that may well be a false positive, because the PC isn't acting up at all, plus no virus scanners find anything, and I have things to do.
>
> What I will absolutely do at least is run the Farbar recovery tool and send the logs to be analyzed. Any infection should show up there, right?

Just follow the instruction here: https://support.emsisoft.com/announcement/2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/

Yes.

6 hours ago, Dwer23 said:

> Is this a known false positive, or did it just happen that I got some infection at the same time?

The log shows it was the Behavior Blocker that took action. If the file in question was not digitally signed and did not have enough of a reputation for an automatic decision to be made, then the Behavior Blocker would have quarantined it for performing any behavior that is monitored for. The file could be legitimate, and simply not be well known enough to have established a solid reputation.

You can try restoring the file from the Quarantine, and then uploading it to VirusTotal to get an analysis of it. You can post the link to the analysis here for me to take a look at.
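As an added example (my own, not code from the thread or from Emsisoft), this PowerShell snippet does what JeremyNicoll suggests above (copy the alerted file before blocking it, then get a VirusTotal opinion) and records the two things GT500's explanation says the Behavior Blocker weighs: whether the file is digitally signed, and a hash that VirusTotal can look up for reputation even after the installer has cleaned up C:\Windows\Installer. The evidence folder name is my own assumption; run it in an elevated PowerShell while the installer is still running, since the Installer folder is hidden and system-protected.

```powershell
# Added example, not part of the original thread: snapshot MSIxxxx.tmp files
# out of the Windows Installer temp folder, then record SHA256 and Authenticode
# signature status for each copy so they can be checked after the fact.
param(
    [string]$Source = 'C:\Windows\Installer',                     # standard Windows Installer temp location
    [string]$Keep   = "$env:USERPROFILE\Desktop\msi-evidence"     # assumed folder name, chosen for this example
)

New-Item -ItemType Directory -Path $Keep -Force | Out-Null

# -Force is needed because C:\Windows\Installer is a hidden system folder.
$report = Get-ChildItem -Path $Source -Filter 'MSI*.tmp' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $copy = Join-Path $Keep $_.Name
        # Copying preserves the file for later analysis even if the installer deletes it.
        Copy-Item -Path $_.FullName -Destination $copy -Force

        $hash = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $copy   # Valid, NotSigned, HashMismatch, ...

        [pscustomobject]@{
            File      = $_.Name
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            SHA256    = $hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

$report | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $Keep 'msi-evidence.csv') -NoTypeInformation

# Searching VirusTotal for a SHA256 returns any existing verdict without uploading
# the file; an unsigned file with no prior VirusTotal record is exactly the
# "no established reputation" case GT500 describes.
```

Files that are 'NotSigned' and unknown to VirusTotal are not proof of malware, but they are the ones worth blocking and sending to the FP forum rather than allowing.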

On 21.9.2017 at 9:53 PM, GT500 said:

> The log shows it was the Behavior Blocker that took action. If the file in question was not digitally signed and did not have enough of a reputation for an automatic decision to be made, then the Behavior Blocker would have quarantined it for performing any behavior that is monitored for. The file could be legitimate, and simply not be well known enough to have established a solid reputation.
>
> You can try restoring the file from the Quarantine, and then uploading it to VirusTotal to get an analysis of it. You can post the link to the analysis here for me to take a look at.

Oddly it's not in the quarantine; the whole quarantine section is empty and even the quarantine log is empty. What could explain this?

5 hours ago, Dwer23 said:

> Oddly it's not in the quarantine; the whole quarantine section is empty and even the quarantine log is empty. What could explain this?

Reinstalling EAM could do it. Clearing the Quarantine and the logs could as well. Normally you don't have corruption of both the Quarantine files and the logs database file, however it is technically possible for it to happen (although you'd be having other problems if that many files were suddenly corrupted on your hard drive).

11 minutes ago, Dwer23 said:

> Does this indicate malware?

More than likely not (it isn't possible for malware to modify files in Emsisoft Anti-Malware's folder). If you want to make sure, then we can get a log from FRST.

You can download Farbar Recovery Scan Tool (FRST) from one of the following links, and save it to your Desktop (please note that some web browsers will automatically save all downloads in your Downloads folder, so in those cases please move the download to your desktop):

For 32-bit (x86) editions of Windows:

For 64-bit (x64) editions of Windows:

Note: You need to run the version compatible with your computer. If you are not sure which version applies to your computer, then download both of them and try to run them. Only one of them will run on your computer, and that will be the right version.

  1. Run the FRST download that works on your computer (for Windows Vista, Windows 7, and Windows 8 please right-click on the file and select Run as administrator).
  2. When the tool opens click Yes for the disclaimer in order to continue using FRST.
  3. Press the Scan button.
  4. When the scan is done, it will save a log as a Text Document named FRST in the same place the tool was run from (if you had saved FRST on your desktop, then the FRST log will be saved there).
  5. Please attach the FRST log file to a reply using the More Reply Options button to the lower-right of where you type in your reply to access the attachment controls.
  6. The first time the FRST tool is run it saves another log (a Text Document named Addition - also located in the same place as the FRST tool was run from). Please also attach that log file along with the FRST log file to your reply.


I already had Farbar logs analyzed in another section here, and the support person said they were clean.

Though, when I ran Farbar, Emsisoft blocked something about it, saying "firewall modification". Does this compromise the reliability of the Farbar logs?

22 hours ago, Dwer23 said:

> Does this compromise the reliability of the Farbar logs?

It might have prevented FRST from getting Windows Firewall rule information, however that information is not necessary to determine if there's an infection.


So I don't need to re-upload new logs after allowing it in Emsisoft?

How confident are you that it didn't affect the reliability, and thus that some infection could not have evaded analysis?

23 hours ago, Dwer23 said:

> So I don't need to re-upload new logs after allowing it in Emsisoft?

Only if whoever was reviewing your logs asks for new logs.

23 hours ago, Dwer23 said:

> How confident are you that it didn't affect the reliability, and thus that some infection could not have evaded analysis?

100% ;)
