Windows Defender Problems


meohmy

Recently Windows Defender has started flagging several pieces of software as a virus for no reason; for instance, the installation files of Brave Browser, Internet Download Manager and Hard Disk Sentinel are all flagged and I cannot install them. Samsung Magician is also flagged as a virus and deleted by Defender, with Defender also recognising Microsoft Edge as a virus.

 

Even my Canon MG7750 printer drivers don't escape Defender's clutches; this happens running both Pro & Enterprise versions of Windows 11. All software is downloaded direct from the relevant official sites. I can install in safe mode and create an exclusion, but that doesn't work either.


I am waiting for a new Samsung 970 EVO PLUS 1TB M.2 NVMe before I do a fresh install and am hoping I can find the cause before then. If anyone has any ideas I would really appreciate it.

 

 



Your computer is probably infected with a virus. Try scanning it with a 3rd party antivirus such as Kaspersky Virus Removal tool and see how it goes.

https://www.kaspersky.com/downloads/free-virus-removal-tool

 



@UpGrade

Thanks for the reply, I have uploaded pics here

https://mega.nz/folder/zSwX2IZb#MwKzhKJsLI4gFvnTbbM_GQ

 

@7even

These things happen with Defender on a clean install with only all Microsoft updates installed. Until I apply the updates I can do what I want.

 



17 hours ago, meohmy said:

Recently Windows Defender has started flagging several pieces of software as a virus for no reason.

WD has been very aggressive. Legitimate files are often targeted/attacked...

I suggest you use another Anti-Malware...



16 hours ago, meohmy said:

@UpGrade

Thanks for the reply, I have uploaded pics here

https://mega.nz/folder/zSwX2IZb#MwKzhKJsLI4gFvnTbbM_GQ

 

@7even

These things happen with Defender on a clean install with only all Microsoft updates installed. Until I apply the updates I can do what I want.

 

Thanks,
 

Floxif is a family of file-changing trojan viruses that infect Windows executable and DLL files. Once the Floxif infection takes root, the infected files can spy on the device and serve as a backdoor for other malware. Floxif was famously distributed with legitimate versions of the CCleaner utility in 2017, when hackers injected the malware into CCleaner’s build environment.

 

I'm fairly certain it is actually an infection, but I couldn't confirm without a sample. Can you restore a file that has been detected and upload it to a file host as a password-protected archive, in case anybody stumbles across it?

 

@meohmy Please give me the link and password and I will analyse it for you to confirm if it's a false positive or a threat.

 

I also advise you run a full scan of your machine ASAP and see how many files it picks up with the same Floxif classification (I expect a lot), see if it can remove them. If not you can try Malwarebytes to remove the infection.

 

  

3 hours ago, pc71520 said:

WD has been very aggressive. Legitimate files are often targeted/attacked...

I suggest you use another Anti-Malware...

I agree that Defender does have a high number of FPs, but in this specific case, from the initial description and the malware classification, it's likely infected and the malware is replicating across files.



Thanks for all the info and the help.

 

Here are 2 files with different supposed infections, both downloaded from official web pages: Windows Firewall Control and the Thunderbird email client.

I have password protected both files, then added both into one password protected file. Password is nsane.

 

https://mega.nz/file/ifgkmRwY#H97nWLzM5V9WoAbiBLjNRe38R57QdJHm6n-fzt7UCt8

 



@meohmy I totally agree with @UpGrade. While he is analyzing the uploaded files, I also suggest you completely scan your PC with a reliable third-party AV, especially a boot-time scan for any early-loading malware such as rootkits, etc.

 

As mentioned above, although WD can be very aggressive at times, what you are experiencing seems to have another underlying reason.



Akaneharuka

@meohmy

 

Hey, just a question: where did you download those Pro & Enterprise versions of Windows 11?

 

From the MS main site, right?



Yes, I downloaded an ISO direct from Microsoft and used 'Rufus' to bypass the Microsoft account etc.

 

I have taken my desktop offline as I am changing to an NVMe install drive and water cooling, and am currently downloading another ISO from Microsoft which I will probably install Monday or Tuesday. My install preference at the moment is Windows 11 Pro for Workstations, as Enterprise is probably overkill for my current usage.

 

I appreciate all suggestions and have taken on board everything said. I will probably check all downloads against 'VirusTotal' as well as testing in a sandbox or on my laptop in future.



On 9/28/2024 at 4:45 AM, meohmy said:

I appreciate all suggestions [...]

From my point of view, it would be better to remove Windows Defender from the official .iso (that's not very difficult with DISM, but I use W10 (until W12 appears? I don't know yet, that's too far)).

 

After the installation, you just have to install another, far more reliable antivirus (such as Eset, Kaspersky, etc.) and don't forget the firewall (the best is to block everything until you create a rule to allow a piece of software which requires internet to work).

 

Despite the time, it's true Microsoft has improved it even more with W11, but the results remain the same (it's still behind the competition). There is also the fact that your current story proves it, because any good antivirus will catch this kind of threat and protect your files.

On 9/27/2024 at 3:29 AM, UpGrade said:

[...] you can try Malwarebytes to remove the infection.

Perhaps it will work because it's an old story (2017), but I won't forget MBAM has made several bad choices since version 3 (and this year the legacy versions like version 2 were totally abandoned for nothing (bad practice for bad reasons)).

 

That's why I'd rather advise using something like the Emergency Kit of Emsisoft, which is dual-engine (it uses BitDefender) with frequent updates.

On 9/28/2024 at 4:45 AM, meohmy said:

I will probably check all downloads against 'virustotal'

Recently I discovered the TIP (aka "Threat Insights Portal"): https://tip.neiki.dev/ which we can use to combine (compare) the results.

 

Probably? No, you must always proceed with a check, especially when you can't trust the source (and if you are not familiar with security or you don't follow the stories).

 

Another thing: also check the hash (MD5, SHA-1 etc.) even with an official link (to avoid this kind of trouble). When you can't find any hash, download it again (after 2 weeks or 4 months etc.) and if you see a difference (no match = potential risk) wait for the news (usually provided by the changelog).



Many thanks for the explanations. I can't believe this infection as I am generally very careful and this is definitely my first. I do recall WFC telling me that Windows Explorer wanted to connect to the internet, but I saw no reason to let it and blocked the outgoing attempt. I have downloaded the Kaspersky Rescue Disk and will run it on my laptop shortly.

 

I have decided to rebuild my desktop from scratch with a freshly downloaded Windows .iso as well as fresh downloads of all software and drivers.

 

Possibly a silly question, but where do I find the hash of each piece of software? I see the WFC hash posted next to the download button but have not noticed it anywhere else.



A complete rebuild is always the best option, to be honest. One way to always get the latest genuine version is: https://uupdump.net/ or https://massgrave.dev/genuine-installation-media by WindowsAddict (on this forum) or https://msdn.rg-adguard.net/

 

Some sites will post hashes of the software somewhere but some don't; you can't always see them before download, but just ensure you ALWAYS download from a reputable source / link / official site.

 

This malware could have come from an email link as well.

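One way to act on the two pieces of advice given above (compare an installer against the hash the vendor publishes, and when no hash is published, keep a record so a later re-download can be compared with the first), written in Python as an added example that is not code from anyone in this thread; the file names, manifest name and digests it uses are constructed:

```python
"""Check a downloaded installer against a published hash and keep a local manifest
of earlier downloads, so a later re-download of the same file can be compared with
the first one. Added example; file names and digests are constructed, not from the thread."""
import hashlib
import hmac
import json
import sys
from pathlib import Path

# MD5 and SHA-1 are kept only because vendors still publish them; prefer SHA-256.
ALGORITHMS = ("md5", "sha1", "sha256")
BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm


def file_digests(path, algorithms=ALGORITHMS):
    """Read the file once in 1 MiB chunks and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_published(path, published_hex):
    """True if the file matches a vendor-published digest (algorithm inferred from length)."""
    published = published_hex.strip().lower()
    algo = BY_LENGTH.get(len(published))
    if algo is None:
        raise ValueError("unrecognised digest length: %d" % len(published))
    actual = file_digests(path, (algo,))[algo]
    return hmac.compare_digest(actual, published)  # constant-time comparison


def record_or_compare(path, manifest_path):
    """First call stores the file's digests; later calls report whether it changed.
    Returns (state, algorithms_that_differ) with state in recorded/unchanged/changed."""
    manifest_file = Path(manifest_path)
    manifest = json.loads(manifest_file.read_text()) if manifest_file.exists() else {}
    key, current = Path(path).name, file_digests(path)
    previous = manifest.get(key)
    if previous is None:
        manifest[key] = current
        manifest_file.write_text(json.dumps(manifest, indent=2))
        return "recorded", []
    differing = [a for a in ALGORITHMS
                 if not hmac.compare_digest(previous.get(a, ""), current[a])]
    return ("changed" if differing else "unchanged"), differing


if __name__ == "__main__":  # usage: verify_download.py <installer> <published hex digest>
    print("published hash matches:", matches_published(sys.argv[1], sys.argv[2]))
    print("against earlier download:", record_or_compare(sys.argv[1], "downloads.json"))
```

A "changed" result on a re-download is the "no match = potential risk" case from the post: it does not prove tampering (vendors do silently re-release builds), but it is the signal to hold off and check the vendor's changelog or advisories.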

