31415926ZZA

Windows Defender is getting triggered while EEK is scanning adwcleaner_8.0.7.exe


Hi,

I noticed that Windows Defender is getting triggered while Emsisoft Emergency Kit (Version 2020.5.0.10152) is scanning the current version of Adwcleaner (adwcleaner_8.0.7.exe). I assume that it is a false positive; however, I decided to investigate the issue a bit:

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 More information:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Woreflint.A!cl&threatid=2147723317&enterprise=0
     Name: Trojan:Win32/Woreflint.A!cl
     ID: 2147723317
     Severity: Severe
     Category: Trojan
     Path: file:_C:\Users\Admin\AppData\Local\Temp\tmp00000407\tmp00002054
     Detection origin: Local machine
     Detection type: Concrete
     Detection source: Real-time protection
     User: SB-VM\Admin
     Process name: C:\EEK\bin64\a2emergencykit.exe
     Security intelligence version: AV: 1.323.44.0, AS: 1.323.44.0, NIS: 1.323.44.0
     Engine version: AM: 1.1.17400.5, NIS: 1.1.17400.5

According to Windows Defender, the SHA256 checksum of tmp00002054 is 21110fd1a765e85a488c768108a000199fb58321455e3a6291da28ad8a462a1d (https://www.virustotal.com/gui/file/21110fd1a765e85a488c768108a000199fb58321455e3a6291da28ad8a462a1d/details), which is kind of interesting, because the checksum of adwcleaner_8.0.7.exe is 9ef8ccabdf03ebe627cc0134ca9dcf9a85e41174722a6519b68fd18a8ba7279e (https://www.virustotal.com/gui/file/9ef8ccabdf03ebe627cc0134ca9dcf9a85e41174722a6519b68fd18a8ba7279e/details).

I noticed that Adwcleaner uses UPX, so I assume that EEK unpacks adwcleaner_8.0.7.exe during the scan. Because I got curious, I unpacked adwcleaner_8.0.7.exe myself (with UPX 3.91) to see whether I get a file which matches the checksum of tmp00002054. I did not; the checksum of the unpacked version of adwcleaner_8.0.7.exe is a737ca137171318688b6057ba73c0a57fffbc39dac344cba6c39dc6a921482d9 (https://www.virustotal.com/gui/file/a737ca137171318688b6057ba73c0a57fffbc39dac344cba6c39dc6a921482d9/details). If you take a peek at the VirusTotal links you will see that the files look similar.

Worth mentioning is that Windows Defender only gets triggered by the tmp file which EEK produces during its scan (the original adwcleaner_8.0.7.exe and the manually unpacked version do not trigger Windows Defender).

I'm not an expert when it comes to these things, just a curious guy, but I thought that it might be useful to someone if I share my observations.

If there are further questions feel free to ask :)


The file you unpacked yourself is half a megabyte smaller than the "similar" one (21.02 MB vs. 21.49 MB). The not-yet-unpacked .exe is much smaller, about 8 MB.

The section in the VT report entitled "Portable Executable Info" seems to have a different selection of info for the two files, as if one maybe contains headers that the other doesn't. On the other hand, I saved out the list of hashes etc. of the contained resources and compared them, and they are identical. That is, both unpacked executables contain the same set of icons, executable code, etc.

Maybe the version of UPX used by you, and whatever EEK uses, are different, or one or other ran with options to include (or not) some headers in the file it created?

@GT500 - why do the VT reports show the two larger files as not-signed and yet also list a set of Verisign CA stuff?  Does it mean that the files are signed with out-of-date, or otherwise iffy, certificates?

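The two observations above (the original poster's differing checksums between the engine's temp file and a manual UPX unpack, and the identical resource hashes despite different whole-file hashes) can be reproduced at the PE header level. The script below is an added example, not code from this thread, from Emsisoft, or from Malwarebytes: it walks the PE section table, flags UPX by the UPX0/UPX1 section names the packer leaves behind, hashes each section's payload separately from the whole file, and reads the certificate table directory entry (data directory 4) that an embedded Authenticode signature lives in. The PE images it checks are constructed in memory for the demonstration; their section names, bytes, timestamps and certificate blob are made up and have nothing to do with the real adwcleaner_8.0.7.exe.

```python
# Added example: minimal PE header walker to compare a UPX-packed image with
# differently produced unpacked copies. Not code from the thread or from any
# vendor; the images below are constructed in memory, not real binaries.
import hashlib
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def _pe_header_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return pe_off


def parse_sections(data):
    """Return [(name, raw_offset, raw_size), ...] from the section table."""
    pe_off = _pe_header_offset(data)
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # section table follows the optional header
    out = []
    for i in range(nsec):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        out.append((name, raw_ptr, raw_size))
    return out


def security_directory(data):
    """(offset, size) of the certificate table (data directory 4), or None if absent."""
    pe_off = _pe_header_offset(data)
    opt = pe_off + 24
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)               # PE32+ vs PE32 directory table
    if opt_size < dirs - opt + 5 * 8:                          # table truncated before entry 4
        return None
    off, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return (off, size) if size else None


def is_upx_packed(data):
    return any(name in UPX_SECTION_NAMES for name, _, _ in parse_sections(data))


def file_sha256(data):
    return hashlib.sha256(data).hexdigest()


def section_digests(data):
    """Map section name -> SHA256 of its raw payload, headers excluded."""
    return {name: hashlib.sha256(data[off:off + size]).hexdigest()
            for name, off, size in parse_sections(data)}


def compare_unpacked(a, b):
    """(whole_file_match, section_payloads_match): headers alone can change the file hash."""
    return file_sha256(a) == file_sha256(b), section_digests(a) == section_digests(b)


def build_pe(sections, timestamp=0, sig_size=0):
    """Constructed minimal PE32+: DOS header, COFF header, optional header, sections, cert blob."""
    pe_off, opt_size = 0x40, 0xF0
    raw_off = (pe_off + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for name, content in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(content), 0x1000 * (1 + len(table) // 40), len(content),
            raw_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += content.ljust((len(content) + 0x1FF) & ~0x1FF, b"\0")  # 512-byte file alignment
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    if sig_size:
        struct.pack_into("<II", opt, 112 + 4 * 8, raw_off + len(body), sig_size)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size, 0x22)
    header = (dos + coff + bytes(opt) + table).ljust(raw_off, b"\0")
    return header + body + b"\xAA" * sig_size                  # stand-in for a WIN_CERTIFICATE blob


TEXT = b"\x55\x48\x89\xe5\xc3"          # constructed stand-in for code bytes
RSRC = b"ICON-PLACEHOLDER"               # constructed stand-in for the .rsrc payload
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", b"\x01\x02\x03"), (b".rsrc", RSRC)])
UNPACKED_A = build_pe([(b".text", TEXT), (b".rsrc", RSRC)], timestamp=0x5EB00000)
UNPACKED_B = build_pe([(b".text", TEXT), (b".rsrc", RSRC)], timestamp=0x5EB00001)
SIGNED = build_pe([(b".text", TEXT), (b".rsrc", RSRC)], sig_size=16)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("unpacked A", UNPACKED_A),
                       ("unpacked B", UNPACKED_B), ("signed", SIGNED)):
        print(f"{label:11} upx={is_upx_packed(img)!s:5} cert_table={security_directory(img)} "
              f"sha256={file_sha256(img)}")
    print("A vs B (whole file, section payloads):", compare_unpacked(UNPACKED_A, UNPACKED_B))
```

To use it on real files, replace the constructed images with `open(path, "rb").read()` for the original, the manually unpacked copy and the temp file the engine wrote. If two unpacked copies agree on every section digest but not on the whole-file hash, the difference sits in the headers (timestamp, checksum field, other optional-header fields, or an appended certificate table), which is consistent with the identical-resources observation. A present certificate table only says a signature blob exists; whether it validates is a separate check that this script does not perform.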
12 hours ago, 31415926ZZA said:

I noticed that Adwcleaner uses UPX - so i assume that EEK unpacks adwcleaner_8.0.7.exe during the scan.

The BitDefender engine will extract all files contained in EXE files that contain compressed data to a folder in the TEMP folder in order to scan them, and this is probably where that file is coming from. If you use 7-Zip or WinRAR to extract the contents of the unpacked EXE file then you may end up with the file in question.

7 hours ago, JeremyNicoll said:

@GT500 - why do the VT reports show the two larger files as not-signed and yet also list a set of Verisign CA stuff?  Does it mean that the files are signed with out-of-date, or otherwise iffy, certificates?

VirusTotal may have failed to validate the signature, however I can't be certain why. I don't think they publicly document how their signature validation works.

