
Thread: X-Post: TPS MSE Security Essentials Forefront Endpoint

  1. #1

    X-Post: TPS MSE Security Essentials Forefront Endpoint

    Hello all,

    since today we are also obviously hit by MSE.

    What has happened? An Admin called this morning, telling that the update he
    installed over the existing install doesn't work anymore, all of a sudden.

    He testified that the program has worked okay before.

    So he granted access to his machine via Teamviewer and I could see that
    three TPS and one DLL were simply missing. (that DLL was code-signed!)

    While I was scratching my head how this could have happened, he (for whatever
    reason) opened MS Security Essentials.

    Then I told him that I have heard about reports from the colleagues here in the
    forum, so that I have installed MSE on my machine also, but without getting
    harmed so far.

    "Well, you will probably have installed the publicly downloadable MSE, I
    suppose." he said. "We use MS Security Essentials Forefront-Endpoint."

    Which leads to the question: with what version do you run into trouble?

    Anyway, I gave him the advice to exclude TPS, but as that code-signed DLL has
    diminished too, I suggested to better exclude the entire directory branch.

    I hope to hear from him again in a couple of days, whether this mysterious
    behaviour happened again - I will report.

    bye
    Wolfgang

  2. #2

    Re: X-Post: TPS MSE Security Essentials Forefront Endpoint

    > So he granted access to his machine via Teamviewer and I could
    > see that three TPS and one DLL were simply missing. (that
    > DLL was code-signed!)

    Seems to be a typical false-positive bug in MSE and you should report it. A
    "suspicious file" alert triggered by a heuristic scanning method removed
    your DLL. Code-signed or not, MSE thought that your DLL was some kind of
    malware. Sometimes a simple recompile and re-code-sign of the DLL can help
    because this always changes the binary contents. But another two or three
    recompiles later and the same false-positive might be back.

    We check our files here on a regular basis:

    www.virustotal.com

    In the past, MSE flagged Chrome as a Zbot banking trojan. AVG incorrectly
    flagged user32.dll and removed the system file (and killed the machine).

    MSE and TPS files is another long story.

    Friedrich

    --
    Friedrich Linder
    Lindersoft
    www.lindersoft.com
    +1.954.252.3910

    --Helping You Build Better Installations
    --SetupBuilder "point. click. ship"
    --Create Windows 8 ready installations in minutes
    --Official Comodo Code Signing and SSL Certificate Partner
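
An added example, not part of the thread and not Lindersoft's or anyone else's code: one way to notice files that a scanner has silently removed from an install directory is to ship a manifest and compare it against the installed tree. The file names are constructed, and treating `.tps` as data files that are checked for presence only is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

HASHED = {".dll", ".exe"}    # binaries: content must match what was shipped
PRESENCE_ONLY = {".tps"}     # assumption: data files change during normal use


def sha256_of(path):
    """SHA-256 of a (small) file, as a hex string."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root):
    """At build time: map relative path -> SHA-256, or None for data files."""
    manifest = {}
    for p in root.rglob("*"):
        ext = p.suffix.lower()          # matches vuFT3.DLL as well as x.dll
        if p.is_file() and ext in HASHED | PRESENCE_ONLY:
            rel = p.relative_to(root).as_posix()
            manifest[rel] = sha256_of(p) if ext in HASHED else None
    return manifest


def verify_install(root, manifest):
    """On the customer machine: report files that vanished or were altered."""
    report = {"missing": [], "changed": []}
    for rel, expected in sorted(manifest.items()):
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)      # e.g. quarantined by a scanner
        elif expected is not None and sha256_of(target) != expected:
            report["changed"].append(rel)
    return report


def demo():
    """Constructed sample tree; two files are deleted to mimic the incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("app.exe", "helper.DLL", "orders.tps", "customers.tps"):
            (root / name).write_bytes(b"constructed sample: " + name.encode())
        manifest = build_manifest(root)
        (root / "helper.DLL").unlink()                   # removed binary
        (root / "orders.tps").unlink()                   # removed data file
        (root / "customers.tps").write_bytes(b"rows")    # normal data change
        (root / "app.exe").write_bytes(b"different")     # altered binary
        return verify_install(root, manifest)
```

Because a recompile and re-sign changes the binary contents, the manifest has to be regenerated for every build; the same SHA-256 values can be used to look the shipped files up on VirusTotal.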

  3. #3

    Re: X-Post: TPS MSE Security Essentials Forefront Endpoint

    This DLL is actually not from me, it was vuFT3.DLL from Bill Roe (ValUtilites).
    I have informed him already.

    His DLL was not code-signed by himself, so I did it with my certificate, after
    asking Bill for his permission.

    Do you coincidentally (blinkblink) know where to report this "accident" to Microsoft?

    thx
    Wolfgang

  4. #4

    Re: X-Post: TPS MSE Security Essentials Forefront Endpoint

    Hi Wolfgang,

    >
    > Do you coincidentally (blinkblink) know where to report this
    > "accident" to Microsoft?
    >

    As far as I know, MS handles all the false-positives via this form:

    http://www.microsoft.com/security/po.../vendorfp.aspx

    Friedrich

  5. #5

    Re: X-Post: TPS MSE Security Essentials Forefront Endpoint

    >As far as I know, MS handles all the false-positives via this form:
    >
    >http://www.microsoft.com/security/po.../vendorfp.aspx

    Thanks a lot, Friedrich!

    I called MS in Unterschleißheim, got connected to their business hotline in Bulgaria.

    There I had a friendly callcenter agent on the line, but all she could offer
    was a contact IF I would have had a support contract for business
    customers......

    Well, all I want to do is to help MS to improve their products......

    Now I'm gonna try that link - wish me luck!

    Wolfgang Orth

  6. #6

    Re: X-Post: TPS MSE Security Essentials Forefront Endpoint

    virustotal.com Shows 3 problems in vuft3.dll

    Dan Scott

  7. #7

    Re: X-Post: TPS MSE Security Essentials Forefront Endpoint

    >virustotal.com Shows 3 problems in vuft3.dll

    My test returned only 1/46.

    Is your DLL also code-signed?

    Mine is, with my own COMODO certificate.

    And the fun thing is, the only issue that got reported, is "Comodo - Heur.Packed.Unknown"

    ohhhhh myyyyyyyy!

    Wolfgang Orth

  8. #8

    Re: X-Post: TPS MSE Security Essentials Forefront Endpoint

    >www.virustotal.com

    returned only one issue: Comodo - Heur.Packed.Unknown

    Well, it's a Comodo Certificate.......

    Do we have to contact Comodo also now?


    Bernd das Brot says: "Crap"

    Wolfgang Orth

  9. #9

    Re: X-Post: TPS MSE Security Essentials Forefront Endpoint

    Was the dll protected by Armadillo?

    >
    >So he granted access to his machine via Teamviewer and I could see that
    >three TPS and one DLL were simply missing. (that DLL was code-signed!)

    Jeff Slarve
    www.jssoftware.com
    www.twitter.com/jslarve
    I'll search help files & Google for you.

  10. #10

    Re: X-Post: TPS MSE Security Essentials Forefront Endpoint

    >Was the dll protected by Armadillo?

    no

    Wolfgang Orth
