Carl1223_Delta

WhatsApp Desktop - was there a false positive in today's signatures?

I don't normally leave my laptop running overnight.  I did last night.

On arriving at my home office desk this morning I found a scroll of EMSISOFT messages to reboot my system.

Looking into the logs I see that just a few minutes after a major EMSISOFT A-M update, this occurs:

 

10/1/2020 7:02:47 AM
Behavior Blocker detected suspicious behavior "TrojanDownloader" of C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2037.6.0_x64__cv1g1gvanyjgm\app\WhatsApp.exe (SHA1: EDAD233F431DA5CCE506AB0DF3151B24D655FC0C)
 
10/1/2020 6:54:57 AM
A notification message "Emsisoft Anti-Malware Home just updated to a newer software version. Check out what has changed in our change blog." has been shown
 
General Information:
Version 2020.9.0.10390
Connection: Direct
Update started: 10/1/2020 6:54:36 AM
Update ended: 10/1/2020 6:54:46 AM

 

I did not restore to be able to obtain the file to upload to VirusTotal for testing because I have that issue with going into the WindowsApps folder where even though I'm the Admin and supposedly have ALL the power, Windows will not let me access it.  I recall dealing with this once before and it was a bit tricky and took some time and frankly I really do not want to restore the file to test it.

I instead uninstalled WhatsApp Desktop and then reinstalled it and have done another EMSISOFT Malware scan.  No alerts so far.

Please advise.

 

11 hours ago, Carl1223_Delta said:

I did not restore to be able to obtain the file to upload to VirusTotal for testing because I have that issue with going into the WindowsApps folder where even though I'm the Admin and supposedly have ALL the power, Windows will not let me access it.

That's normal. Windows has extra protection on that folder to prevent access, and restoring the file should fail. The only easy way to restore a file from a Microsoft Store app that gets deleted is to uninstall the app and then reinstall it.

According to VirusTotal the file that was flagged by the Behavior Blocker isn't digitally signed, however there are ways of signing a file that won't be reflected on VirusTotal (I would believe signatures can be contained in separate "catalogue" files). Regardless, if the file wasn't digitally signed or there was some reason why EAM could not read the signature then that would account for why the Behavior Blocker reacted to it.
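
One way to check locally what the reply above describes, as an added example that is not part of the thread: the script compares a file's SHA1 with the one in the Behavior Blocker log and reports whether Windows sees no signature, an embedded Authenticode signature or a catalog signature. Going slightly beyond the reply, it also looks for the package-level signing files of a Store (AppX/MSIX) package. The parameter names are this example's own, and it assumes the file path is readable from the current account.

```powershell
# Added example (not from the thread). Run in Windows PowerShell 5.1 or later.
param(
    [Parameter(Mandatory)] [string] $Path,   # full path to the flagged executable
    # SHA1 copied from the Behavior Blocker log entry in the first post
    [string] $LoggedSha1 = 'EDAD233F431DA5CCE506AB0DF3151B24D655FC0C'
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop
$sha1 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

# Walk up from the file to the package root (the folder holding AppxManifest.xml).
$root = $file.Directory
while ($root -and -not (Test-Path -LiteralPath (Join-Path $root.FullName 'AppxManifest.xml'))) {
    $root = $root.Parent
}

# Package-level signing files of an AppX/MSIX package, if a root was found.
$hasPkgSig = $false
$hasPkgCat = $false
if ($root) {
    $hasPkgSig = Test-Path -LiteralPath (Join-Path $root.FullName 'AppxSignature.p7x')
    $hasPkgCat = Test-Path -LiteralPath (Join-Path $root.FullName 'CodeIntegrity.cat')
}

[pscustomobject]@{
    File                = $file.FullName
    Sha1                = $sha1
    MatchesLoggedSha1   = ($sha1 -eq $LoggedSha1)   # same build as the flagged file?
    SignatureStatus     = $sig.Status               # Valid, NotSigned, HashMismatch, ...
    SignatureType       = $sig.SignatureType        # None, Authenticode (embedded) or Catalog
    Signer              = $sig.SignerCertificate.Subject
    PackageRoot         = $root.FullName
    HasAppxSignature    = $hasPkgSig
    HasCodeIntegrityCat = $hasPkgCat
}
```

A `NotSigned` status with `SignatureType` of `None` means the executable carries no embedded signature of its own; if the package signing files are present, the signing was done at the package level rather than on the file that was scanned.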
