Hey everyone,
Not sure if you're experiencing this. I just tried to install the latest update to PowerShell Studio 2017. The update set off all three of our malware monitors, AV and two different machine learning products.
Sapien, do you have anything to say about this?
itengineer
Latest Update Package for PSStudio 2017 sets off malware alerts
Forum rules
Do not post any licensing information in this forum.
Re: Latest Update Package for PSStudio 2017 sets off malware alerts
Thank you for notifying us.
We continuously scan our products on our end and this could be a false positive. I highly recommend submitting the file to the antivirus vendor to confirm if it is in fact a false positive.
Brittney
SAPIEN Technologies, Inc.
- Alexander Riedel
- Posts: 8488
- Last visit: Tue Apr 16, 2024 8:42 am
- Been upvoted: 37 times
Re: Latest Update Package for PSStudio 2017 sets off malware alerts
Since you didn't provide any details as to what is actually flagged I can only guess here.
First of all, our software is continuously monitored and we do not have any virus or malware alerts.
Most likely it is one of the script engines that sets off the alert, because they contain executable code and are not signed (since you sign that when you package).
Many of these anti-virus packages use very basic pattern matching mechanisms that use a pattern as short as possible to enhance scanning speed. That notoriously leads to false positives.
However, here is the big caveat: we have no influence or control over what happens on your machine or in your network. We cannot know what potential infestation you have and how it affects anything you download onto your computer.
So you should, under all circumstances, take any and all files that are reported as infected and send them to your anti-virus software vendor for verification.
Only then, if it is a verified virus, can you go and start looking for the source.
Alexander Riedel
SAPIEN Technologies, Inc.
Re: Latest Update Package for PSStudio 2017 sets off malware alerts
We are experiencing the same thing after the most recent update. FireAmp does NOT like the application anymore and continues to quarantine files associated with the program.
Win32.engine has been detected as W32.B9F5B3A18495.SBX.TG (Conviction from the ThreatGrid Detonation Environment. The number preceding the “SBX” is the score of the binary when ran. Definition provided by TALOS)
Win32.engine has been detected as Auto.362E536C4F.in10.tht.Talos (Conviction of a file that takes place directly upon file import into Talos's infrastructure. This example may contain a partial hash of the SHA256 that matched. Definition provided by TALOS)
Then attempting to reinstall the application:
Win32.engine has been detected as W32.GenericKD.20le.1201 (Third Party comparison engine This example may contain a partial hash of the SHA256 that matched. Definition provided by TALOS)
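The vendor reply above says the flagged files are unsigned script engines, and the alert names quoted in this post (per the Talos definitions included with them) carry a leading fragment of the file's SHA256. The script below is an added example, not code from SAPIEN or from anyone in this thread. It inventories the `.engine` files in the two ScriptEngines directories quoted later in this thread (adjust the paths for your install), records MD5, SHA1 and SHA256 because different products in this thread report different hash types, checks Authenticode status, and maps each alert name back to the local file whose SHA256 starts with the embedded fragment. The regex for pulling the fragment out of an alert name is an assumption based only on the three names quoted here.

```powershell
# Added example (not SAPIEN's code): inventory the script-engine binaries named in
# this thread, capture the hashes an AV vendor or InfoSec team will ask for, check
# whether each file is Authenticode-signed, and tie Talos-style alert names back
# to a local file via the partial SHA256 they embed.
# Paths are the ones quoted in this thread (assumption: same layout on your box).

$EngineDirs = @(
    'C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2017\ScriptEngines',
    "$env:APPDATA\SAPIEN\SPS 5.4.144.0\install\4920CD9\ScriptEngines"
)

function Get-EngineInventory {
    param([string[]]$Directories = $EngineDirs)

    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.engine' -File | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                MD5       = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
                SHA1      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                # NotSigned is what the vendor reply in this thread leads you to expect;
                # a Valid signature from an unexpected signer would be the real anomaly.
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Alert names such as 'W32.B9F5B3A18495.SBX.TG' or 'Auto.362E536C4F.in10.tht.Talos'
# embed a leading fragment of the SHA256 (assumption: fragment follows 'W32.' or
# 'Auto.' and is at least 8 hex digits; 'W32.GenericKD.20le.1201' yields nothing).
function Get-AlertHashFragment {
    param([Parameter(Mandatory)][string]$AlertName)
    $m = [regex]::Match($AlertName, '(?<=^(W32|Auto)\.)[0-9A-Fa-f]{8,}')
    if ($m.Success) { $m.Value.ToUpperInvariant() } else { $null }
}

function Find-AlertedFile {
    param(
        [Parameter(Mandatory)][string[]]$AlertNames,
        [Parameter(Mandatory)][object[]]$Inventory
    )
    foreach ($name in $AlertNames) {
        $frag = Get-AlertHashFragment -AlertName $name
        $hits = if ($frag) { $Inventory | Where-Object { $_.SHA256.StartsWith($frag) } } else { @() }
        [pscustomobject]@{
            Alert    = $name
            Fragment = $frag
            Matches  = @($hits | ForEach-Object Path)
        }
    }
}

# Usage: build the inventory, save it for the vendor/InfoSec submission, then see
# which local file each alert quoted in this thread points at.
$inv = @(Get-EngineInventory)
$inv | Export-Csv -NoTypeInformation -Path "$env:TEMP\scriptengine-inventory.csv"
$inv | Format-Table Path, SigStatus, SHA256 -AutoSize

$alerts = @('W32.B9F5B3A18495.SBX.TG', 'Auto.362E536C4F.in10.tht.Talos', 'W32.GenericKD.20le.1201')
Find-AlertedFile -AlertNames $alerts -Inventory $inv | Format-List
```

The CSV is what to hand to the AV vendor together with the quarantined file: it pairs each full hash with the path, size and signature status, so the vendor can say whether the sample they received is the one that was flagged. An alert whose fragment matches no local file means the detection refers to something other than these engine binaries and deserves a closer look rather than a false-positive submission.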
- Alexander Riedel
- Posts: 8488
- Last visit: Tue Apr 16, 2024 8:42 am
- Been upvoted: 37 times
Re: Latest Update Package for PSStudio 2017 sets off malware alerts
You need to submit that to your antivirus vendor. Unfortunately we cannot do that for you. We do not have access to your files nor can we be certain what happens on your machine.
Alexander Riedel
SAPIEN Technologies, Inc.
- Mrliukenon
- Posts: 1
- Last visit: Wed Feb 01, 2023 11:56 am
Re: Latest Update Package for PSStudio 2017 sets off malware alerts
I am also running into issues with the win32.engine file after the latest update. My company's InfoSec team now has my machine in quarantine, and is discussing reimage/replacement (yay).
They are going to submit the file to our AV provider to confirm, but their main concern is due to the hash data they received from the file.
It's flagging with an MD5 hash of: c6bc133ce99bf6150d687aadff61a512
Here is a site that shows all that are flagging it (up to 18 from 16 yesterday):
https://www.virustotal.com/#/file/b9f5b ... /detection
While my InfoSec team is doing their job and investigating the issue, I want to know if there is any way you can run a new scan and confirm that your installer is not producing these same results. This way I can verify if there are any issues with my machine in particular, or if it's safe, part of the package, and just a false-positive on their end.
My colleagues are scared to update now, for fear of having their machines taken away. I am also hesitant to reinstall after they potentially (probably) reimage my machine.
Re: Latest Update Package for PSStudio 2017 sets off malware alerts
I received malware warnings on the latest installation as well. I am running AVG Free. I sent one of the files to AVG for analysis, but have not heard anything back as of yet.
These are the files and threat identified:
Win32:Evo-gen [Susp]
C:\Users\user\AppData\Roaming\SAPIEN\SPS 5.4.144.0\install\4920CD9\ScriptEngines\SAPIEN PowerShell V2 Host (Windows) Win32.engine
C:\Users\user\AppData\Roaming\SAPIEN\SPS 5.4.144.0\install\4920CD9\ScriptEngines\SAPIEN PowerShell V2 Host (Windows) Win32.engine
C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2017\ScriptEngines\SAPIEN PowerShell V2 Host (Windows) Win32.engine
Win32:Malware-gen
C:\Users\user\AppData\Roaming\SAPIEN\SPS 5.4.144.0\install\4920CD9\ScriptEngines\SAPIEN PowerShell V2 Host (Windows Forms) Win32.engine
C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2017\ScriptEngines\SAPIEN PowerShell V2 Host (Windows Forms) Win32.engine
Re: Latest Update Package for PSStudio 2017 sets off malware alerts
I forgot to ask this question: I let AVG quarantine all the identified files in my previous post. I need to complete some scripts for work, and am just wondering what impact not having the scripting engine files will have when deploying or packaging scripts. Trying to decide whether or not I downgrade or if I can limp along without the aforementioned files.
Re: Latest Update Package for PSStudio 2017 sets off malware alerts
Just came across this same issue. Updated and our SentinelOne picked it up.
A couple of the hashes found:
952c37721c9cf7fd49013eff46677dc8d0886d13 - https://www.virustotal.com/#/file/b9f5b ... /detection
26/66 engines detecting as a Trojan
53e22960e2d2175f6db3d984f4d2b24ce939849e - https://www.virustotal.com/#/file/362e5 ... /detection
22/65 engines detecting as a Trojan
- Alexander Riedel
- Posts: 8488
- Last visit: Tue Apr 16, 2024 8:42 am
- Been upvoted: 37 times
Re: Latest Update Package for PSStudio 2017 sets off malware alerts
If you are not packaging for the target that these products are complaining about, it is not a problem.
You need to contact your antivirus vendor. These files are not infected as far as we can tell. Our anti-virus scanners do not report them as infected and several vendors have already white listed them as we are told. But we cannot submit files ourselves to YOUR anti-virus software vendor.
IMPORTANT: Please read other users' posts and our replies. If you have the same issue, you will get the same reply. We have no control over the way your anti-virus vendor scans for patterns. We cannot submit files to them. We scan our files continuously and we have no indication of an actual verified infection with anything.
Alexander Riedel
SAPIEN Technologies, Inc.