MooseGiblets

Behavior Blocker Warnings


During installation of ExpressVPN and manual updates, I keep getting Behavior Blocker warnings. I stopped these from being quarantined because I've been using ExpressVPN for more than a year and this only started happening after Windows 1903 was released. I have had a lot of issues with Windows Defender blocking not only ExpressVPN but also Emsisoft, my connection and a few other programs related to my system. Just wondering if I should have let these be quarantined, but I was not sure if these are false positives or if it would break ExpressVPN from running on my system.

[Attached screenshot: Detections.png]

There's no reason to quarantine an installer that's installing stuff at your request (assuming you do trust the thing it is installing). The point about the BB is that it would spot installations (for other programs) being done that you didn't know about.

What's not clear from your text is why so many separate installers are being run every few seconds. Or is it the same installer being attempted over & over again, where the thing arrived zipped up (or otherwise compressed), then unpacks & places the actual installer into a different MSIxxxx.tmp file each time? Then it runs that and the BB flags it because the rule created for the last one was for a differently named .tmp file?

If the MSIxxxx.tmp files are being created in %TEMP% before being run, you could possibly exclude %TEMP% from monitoring... but that in my opinion is very unsafe because it would also mean any other installer, e.g. a malicious one, placed in %TEMP% would also be ignored. On the other hand, if the .tmp files are being placed in (for example) %TEMP%\ExpressVPN then you could exclude just that folder, which might help.

You could experiment with excluding %TEMP% to see if an exclusion helps, but then only enable that exclusion when you're about to apply updates.

Maybe the supplier could be asked to change the way their updates are packaged so that they don't all have random names.


I downloaded the installer, double clicked it and allowed it through Windows UAC. I don't know if it has the install files or if it connects to ExpressVPN servers and downloads its install files. The detections are coming from ExpressVPN.NotificationServiceStarter, which is currently in my startup menu. I've run malware scans after install and there were no detections, which is why it has me puzzled. As for the rest of your reply, I don't understand your questions (MSIxxxx and %TEMP% .tmp); it all went right over my head. I'm a noob; I've never played with my anti-malware and have no clue how it actually works.

Malware scans look for files whose contents are known/suspected to indicate that they are malicious. On the other hand the Behaviour Blocker looks at what a program/file seems to be doing /once it is actually running/. A file can look innocent to a malware scan but once run do something that might be suspicious. In your case the BB is telling you that lots and lots of installs are being attempted.

The BB alerts are all because a "hidden installation" is being attempted, that is, an "MSI" file (which is a standard Microsoft installer file) is being run. Maybe the file you downloaded was named "something.msi". If so, it is not itself executable, but is read and processed by the parts of Windows that understand MSI files. It looks as if either this particular .MSI file first unpacks itself to create many temporary files, named MSIxxxx.tmp, then uses those, or - as you say - maybe downloads a set of MSIxxxx.tmp files and uses them. Either way, the sheer quantity of them is - perhaps - dubious.

If any program in Windows wants to create a temporary file - perhaps by unzipping or unpacking a container of files (or by downloading some) - it is likely to put them in a folder whose purpose is to hold temporary files. Its name depends on the version of Windows you are running and your userid. It has a symbolic name TEMP (or %TEMP%) so that programs can refer to it without knowing what its full name is on your system.

If you open a file explorer window, then put the caret in the file/folder-name area at the top (which looks a bit like a URL bar in a browser) and type %TEMP% and hit enter, the temporary files folder for your userid will be opened. On my W8.1 system, if my userid was Fred, it would be named: "C:\Users\Fred\AppData\Local\Temp". There are other temporary file folders in Windows... If an installer running under an Admin id (i.e. with UAC permission) creates temporary files they will probably be put in a different folder - a similar folder name, but with the Admin id's name in place of "Fred", e.g. "C:\Users\TheNameOfTheAdminId\AppData\Local\Temp".

I am not sure that it's safe for you to try to exclude some folders from monitoring by the behaviour blocker; it might be a way to reduce or stop these alerts, but done incautiously it can also stop alerts coming from any malicious software that's also managed to come to roost in that folder - and it's a very likely folder for iffy things to end up in.

If you could locate the file being quarantined on disk prior to it being quarantined and get the file hash, you could submit it along with the installer to Emsisoft to figure out whether it's a valid threat. I've had to do this for a couple customers who had software doing innocuous stuff like updating using an unsigned installer (Brother printer/scanner software) and installing TUN/TAP drivers (VPN software).

EDIT: Just reproduced this using the ExpressVPN installer. It's likely a false positive: 10/7/2019 11:45:23 AM
Behavior Blocker detected suspicious behavior "HiddenInstallation" of C:\Windows\Installer\MSI13C1.tmp (SHA1: 062D2E610620917996AA29B09A38CE2710E86739)

Here's the VirusTotal for it: https://www.virustotal.com/gui/file/d1881c9e34d00005974197efd978611a5c96363e4b2e0ad52a15867a637786af/detection -- it's an installer for WiX Sharp: https://github.com/oleg-shilo/wixsharp

EDIT: Nevermind - Anti-malware network is recognizing it as safe, the product is just logging the hidden installer part. It's not the same situation as my customers' issues, as the product was actually blocking the installation in their circumstance.

Edited by m0unds: My terrible reading comprehension

The file is a temp file. Normally the Behavior Blocker would only log events like that if it was not digitally signed. In this case it's more than likely safe, but if you need to know more then you can upload one of the files in question to VirusTotal and paste a link to the analysis here for us to look at.

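The two replies above describe the manual triage: find the MSIxxxx.tmp file before it disappears, take its hash, check whether it is digitally signed, and look it up on VirusTotal. The following PowerShell script (an added example, not from this thread or from Emsisoft) automates exactly that. It assumes an elevated session, since C:\Windows\Installer is not readable by a standard user, and the 60-minute look-back window is an arbitrary default.

```powershell
# Added example: triage MSI*.tmp files that EAM's Behavior Blocker logged as "HiddenInstallation".
# Lists recent MSI*.tmp files in C:\Windows\Installer and the current user's %TEMP%, records
# their SHA1/SHA256, checks the Authenticode signature and prints a VirusTotal lookup URL.
# Run from an elevated PowerShell; $MinutesBack (assumed default 60) should cover the alert time.
param([int]$MinutesBack = 60)

$searchRoots = @("$env:SystemRoot\Installer", $env:TEMP)
$since = (Get-Date).AddMinutes(-$MinutesBack)

$results = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter 'MSI*.tmp' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            # Hashes: SHA1 matches what the BB log line prints, SHA256 is what VirusTotal keys on.
            $sha1   = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Signature status is Valid, NotSigned, HashMismatch, UnknownError, ...
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                Written    = $_.LastWriteTime
                SHA1       = $sha1
                Signature  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                VirusTotal = "https://www.virustotal.com/gui/file/$($sha256.ToLower())/detection"
            }
        }
}

if (-not $results) {
    Write-Host "No MSI*.tmp files written in the last $MinutesBack minutes."
    Write-Host "Installers usually delete them on exit; run this while the install is still in progress."
} else {
    $results | Format-List
    # Files that are unsigned or fail signature validation are the ones worth sending to Emsisoft.
    $results | Where-Object { $_.Signature -ne 'Valid' } | ForEach-Object {
        Write-Warning "Not validly signed: $($_.Path) ($($_.Signature))"
    }
}
```

Paste the VirusTotal link and the signer name into the false-positive report; a valid signature from the vendor is the quickest confirmation that the alert is only the hidden-install heuristic firing on a legitimate package.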
9 hours ago, m0unds said:

EDIT: Just reproduced this using the ExpressVPN installer. It's likely a false positive: 10/7/2019 11:45:23 AM
Behavior Blocker detected suspicious behavior "HiddenInstallation" of C:\Windows\Installer\MSI13C1.tmp (SHA1: 062D2E610620917996AA29B09A38CE2710E86739)

Here's the virustotal for it: https://www.virustotal.com/gui/file/d1881c9e34d00005974197efd978611a5c96363e4b2e0ad52a15867a637786af/detection  -- it's an installer for WiX Sharp: https://github.com/oleg-shilo/wixsharp

WiX# is a framework for building MSI packages, so ExpressVPN is probably just using that to build their MSI's.


I'm glad someone got to the bottom of it. I do have a question: if EAM quarantines part(s) of a program, will that program still work, or will it just not respond? I don't know how the quarantine works, which is why I prevented it from quarantining every time it flagged in the initial screenshot.


12 hours ago, GT500 said:

WiX# is a framework for building MSI packages, so ExpressVPN is probably just using that to build their MSI's.

Yeah, I know - I mentioned it more for the peace of mind of the OP

5 hours ago, MooseGiblets said:

I'm glad someone got to the bottom of it. I do have a question: if EAM quarantines part(s) of a program, will that program still work, or will it just not respond? I don't know how the quarantine works, which is why I prevented it from quarantining every time it flagged in the initial screenshot.

Quarantine isolates the file(s) in a controlled location to prevent "bad" stuff from being executed. If the file quarantined is a library (DLL) or binary (exe), the program will no longer execute. You can always submit suspected false positives to support using the in-product FP submission function or submitting virustotal results on the false positive part of this forum.

From your post and screenshot, the files are being marked as safe by the anti-malware network, which implies they're whitelisted and not being quarantined. Hope this helps.

16 hours ago, MooseGiblets said:

If EAM quarantines part(s) of a program, will that program still work, or will it just not respond? I don't know how the quarantine works, which is why I prevented it from quarantining every time it flagged in the initial screenshot.

EAM's Behavior Blocker usually tries to terminate the running process when it quarantines an executable file, however an installer will often execute other things while it's running, so it can be difficult to tell what exactly the results of EAM quarantining something may be. In this case specifically I suspect the installation would be completely halted when this happened, however I can't be 100% certain about that.
