iondjp

Hidden Installer Behaviour


I witnessed a pop up notification by Emsisoft. Here is the detail...

2018-08-24 8:47:25 AM
Behavior Blocker detected suspicious behavior "HiddenInstallation" of "C:\Windows\Installer\MSI174C.tmp" (SHA1: 67ECD82937ED15C2159EA3892A07BA6ACB74179A)

2018-08-24 8:47:25 AM
A notification message "Suspicious behavior has been found in the following program: C:\Windows\Installer\MSI174C.tmp" has been shown

Now, coincidentally I have been monitoring windows updates and I see in the Windows Update History...

2018-08 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4343909) (9)

Last failed install attempt on 2018-08-23 - 0x80070157

So, is the EIS notification indicating a legitimate behavior block, or is it interfering with Windows Updates? I am confused because the last failed attempt of the Windows Update is 2018-08-23.

Incidentally, I have seen both the EIS behavior block and the Windows Update failure a number of times and I see 3 MSIxxxx.tmp files have been marked "Suspicious Behavior Quarantined by User" as well as 9 have been marked "Allowed by Anti-Malware Network, rule created".

I was going to attach here the C:\Windows\Installer\MSI174C.tmp file, but the folder C:\Windows\Installer does not even exist. Also strange, the EIS Quarantine tab does not list the MSI174C.tmp file, nor does it list one of the other files the log indicates was quarantined (MSIBE3E.tmp) on 2018-08-13.


Hi there,

I guess it's not from the Windows Update, but from another application. Maybe you were running a setup at that time, or there's an auto-update from an external application that is running in the background. This alert indeed could happen sometimes with a legitimate application, for example when the file is not digitally signed. However, without the actual file, I can't verify it. It's not quarantined maybe because the file is already deleted by the setup process.


This continues to happen whenever I restart Windows. I am still seeing Windows complaining that it could not finish installing an update. So, what recourse do I have? I do not have the experience to narrow my troubleshooting down. Is there something I could search for in the Event Viewer? Is there a trick in MSConfig to limit startup options to narrow down the culprit? I did look in the Task Manager startup options, but nothing jumps out at me.


Did you see any entries related to Windows Update being blocked in our Logs? Without the complete logs and copy of the blocked files, it's hard to verify it.

If you don't mind, I can forward this topic to our Support forum, so our support team can assist you to find out what was wrong.


I don't mind if you forward it to the support forum. I would just like to know what is going on and that Windows 10 is up to date.

As far as the Windows Update being blocked... what should I look for? I see again today that there were a number of items in the Emsisoft log showing Component=Scheduler & Action=Update "Downloaded and Installed". The system notified me of a required restart, which I allowed to happen. Upon login to my user account, I saw Emsisoft alert me: Suspicious Behaviour "HiddenInstallation" of "MSIC461.tmp".

If I was to click "Wait, I think this is safe" what would happen?


Ran the various troubleshooters for Windows Update.

How can I determine what is launching the installer? In other words, is there a way for me to determine if it is part of the Windows Update process? Is it normal for Windows Update to run an installer upon reboot after an update install?

What would happen if I click "Wait, I think this is safe"? Am I going to end up with a world of misery?


I don't know if it's possible in W10, but in earlier versions it's possible to turn on 'auditing' of the creation and termination of processes, so that each time a process is created a 'Security' event log record is created showing that creation, its command line, and what started it. This is in itself potentially a security risk because it means that anyone able to read that set of event logs can see the commands used to start things (perhaps including passwords etc.). If your system is a home one and no one else uses it, or a corporate one and you are authorised to see other users' secrets, then you may be able to turn this on.

I am the only user on my machine, and I have it enabled, because it makes diagnosis of problems in scripts I write easier. My machine is a W8.1 one, and it took me ages to find a way to turn the feature on, on a non-enterprise version of Windows. I have no idea which version of W10 allows the same thing.
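The process-creation auditing described in the post above, written out as an added PowerShell example (not code from the original thread or from Emsisoft). It assumes an elevated PowerShell session on Windows 10; the `auditpol` subcategory, the `ProcessCreationIncludeCmdLine_Enabled` registry value and the event ID 4688 fields are the standard Windows ones, and the `MSI*.tmp` path pattern is taken from the thread. The command-line inclusion step is the part that can expose secrets to anyone who can read the Security log, which is the risk the post warns about.

```powershell
# Added example (not from the original post): enable process-creation auditing with
# command lines on Windows 10 and pull the Security log records for Windows Installer
# temp files. Assumes an elevated PowerShell session.

# 1. Turn on the "Process Creation" audit subcategory (writes event ID 4688).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Ask Windows to include the full command line in 4688 events. This is off by
#    default; once on, anything typed on a command line (passwords included) lands
#    in the Security log, so only enable it where that log is adequately protected.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. After the next restart or alert, list 4688 events whose new process is an
#    MSI*.tmp file under C:\Windows\Installer and show which process started it.
function Get-InstallerLaunches {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4688 keeps its fields in EventData/Data elements keyed by Name.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                NewProcess    = $data['NewProcessName']
                CommandLine   = $data['CommandLine']
                ParentProcess = $data['ParentProcessName']   # Windows 10 field; empty on older versions
                User          = $data['SubjectUserName']
            }
        } |
        Where-Object { $_.NewProcess -like '*\Windows\Installer\MSI*.tmp' }
}

Get-InstallerLaunches | Format-Table -AutoSize -Wrap
```

Run the first two steps once, reproduce the alert (in this thread, a restart), then call `Get-InstallerLaunches` and read the `ParentProcess` and `CommandLine` columns: they answer the "what is launching the installer?" question without needing the deleted `.tmp` file itself.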

7 hours ago, iondjp said:

How can I determine what is launching the installer?

You should be able to find out with a tool like Process Hacker. By default it shows running processes in a tree view, where each process is listed as a child (or "branch" if you prefer) of its parent process (the process that executed it). This makes it very easy to see what executed what, and you can even hold your mouse over a process for a few seconds to see the command used to execute a particular process.

Note that you may need to select "Show details for all processes" in the "Hacker" menu in Process Hacker to see all of the information about processes that are running with Administrator or System rights.
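The same parent/child view that Process Hacker gives can be built from PowerShell while the installer process is still alive. This is an added example, not code from the original thread or from Process Hacker; it assumes an elevated session (so command lines of SYSTEM-owned processes are readable, the same reason the post mentions "Show details for all processes") and uses the standard `Win32_Process` CIM class. The `MSI%.tmp` name pattern is the one from the thread.

```powershell
# Added example (not from the original post): walk the parent chain of a running
# C:\Windows\Installer\MSI*.tmp process the way Process Hacker's tree view shows it.
# Assumes an elevated PowerShell session so all command lines are visible.

function Get-ProcessAncestry {
    param([Parameter(Mandatory)][uint32]$ProcessId)

    # Snapshot every process once so the walk does not race new process creation.
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

    $chain = @()
    $cur   = $byPid[$ProcessId]
    while ($cur) {
        $chain += [pscustomobject]@{
            Pid         = $cur.ProcessId
            Name        = $cur.Name
            Started     = $cur.CreationDate
            CommandLine = $cur.CommandLine
        }
        $parent = $byPid[$cur.ParentProcessId]
        # Guard against PID reuse: a genuine parent must have started before its child.
        if (-not $parent -or $parent.CreationDate -gt $cur.CreationDate) { break }
        $cur = $parent
    }
    # Oldest ancestor first, so the output reads top-down like a process tree.
    [array]::Reverse($chain)
    $chain
}

# Find any live installer temp process and print who launched it.
Get-CimInstance Win32_Process -Filter "Name LIKE 'MSI%.tmp'" |
    ForEach-Object {
        Write-Host "Ancestry of PID $($_.ProcessId) ($($_.ExecutablePath)):"
        Get-ProcessAncestry -ProcessId $_.ProcessId | Format-Table -AutoSize -Wrap
    }
```

The chain usually bottoms out at a service host (`services.exe`) because the Windows Installer service does the actual install on behalf of whatever requested it, so if the tree alone is not conclusive, the command line of the `msiexec.exe` entry in the chain, or the 4688 audit record of the client that invoked it, is the next thing to look at.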
