Comments (7)
This change removes one of the files:
I'm not convinced that the reports are real so, absent more information, this is all that I will be doing.
from uiforetw.
Checked the new version, same detections:
https://www.virustotal.com/graph/03bd38b3aaa13dd15c48b884d240e36cc7e22f9e996985edf83eb0707756ab72
Red files indicate detection:
e4629333dec7d596ba57bedd6e7bd0b2ab1a8638c83d0ea63832313e40cb682b
ETWProviders.dll (1 detection - SecureAge/Apex)
214b00ec64d6999957554828b86d0232f92860a6358ae5c6ad5b48a825dde361
DelayedCreateProcess.exe
Google - Detected, Ikarus - Trojan.Win32.Swrort
from uiforetw.
I'm not convinced the reports are real. In particular note that the detections aren't really "the same" because before ETWEventDemo_deb64.exe was flagged as malicious and that file doesn't even exist anymore. Meanwhile ETWProviders.dll was "fine" before but is now suspicious but when I compared the disassemblies between the two versions I saw few differences and none that looked plausibly malicious.
I think these are false positives. Absent more information it's not even clear that there is anything that I can do.
from uiforetw.
Hmm, apologies. I meant the same "crowdsourced Sigma rules".
Floxif Trojan
This Trojan can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine. (Malwarebytes)
SOC Prime Threat Detection Marketplace - Ariel Millahuel
Context for the matching events
EventID:11
ProcessId:6352
TargetFilename:C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll
RuleName:DLL
CreationUtcTime:1686914585
UtcTime:1686914585
ProcessGuid:{C784477D-4618-648C-BA0A-000000004A00}
Image:C:\Windows\SysWOW64\7za.exe
Detection rule:

```yaml
logsource:
  product: windows
  service: sysmon
detection:
  selection1:
    EventID: 11
    TargetFilename|contains:
      - fzshellext.dll
      - \AppData\Local\Temp\conres.dll
      - \System\symsrv.dll
      - symsrv.dll
  condition: selection1
fields:
  - TargetFilename
  - Details
falsepositives:
  - none
level: high
```
Thanks though for looking into it & quickly making releases.
from uiforetw.
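As an added example (not part of the thread, and not Sigma's own engine), the snippet below re-implements the `TargetFilename|contains` selection quoted above and runs it over the Sysmon Event ID 11 record from the same comment. It shows which term actually fires: only the bare `symsrv.dll` string, which matches any file of that name written anywhere, including one that 7za.exe extracts from a package into Temp. The matcher and its function names are hypothetical helpers written for this illustration.

```python
# Added example: evaluate the thread's Sigma selection against the quoted
# Sysmon event. Event values and rule terms are copied from the comment;
# the matcher itself is a minimal hypothetical re-implementation.
SYSMON_EVENT = {  # copied from "Context for the matching events"
    "EventID": 11,
    "ProcessId": 6352,
    "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll",
    "RuleName": "DLL",
    "Image": r"C:\Windows\SysWOW64\7za.exe",
}

RULE_SELECTION = {  # selection1 from the quoted rule
    "EventID": 11,
    "TargetFilename|contains": [
        "fzshellext.dll",
        r"\AppData\Local\Temp\conres.dll",
        r"\System\symsrv.dll",
        "symsrv.dll",
    ],
}


def field_matches(event, key, expected):
    """One selection entry: list values are OR'ed, matching is
    case-insensitive, and only the |contains modifier is supported."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    for want in candidates:
        if modifier == "contains":
            if str(want).lower() in str(actual).lower():
                return True
        elif modifier == "":
            if str(want).lower() == str(actual).lower():
                return True
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return False


def matching_terms(event, selection=RULE_SELECTION):
    """Return the 'contains' terms that fire for this event, or [] when any
    AND'ed field of the selection fails. Explains *why* the rule matched."""
    if not all(field_matches(event, k, v) for k, v in selection.items()):
        return []
    name = str(event["TargetFilename"]).lower()
    return [t for t in selection["TargetFilename|contains"] if t.lower() in name]


def rule_matches(event, selection=RULE_SELECTION):
    return bool(matching_terms(event, selection))
```

Because the last term has no path component, any `symsrv.dll` write, legitimate or not, satisfies the rule; the match says nothing about the file's contents.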
If any of these detections are accurate then it's a very serious problem, especially since it implies that the machine where I am doing these builds is infected with something. Whether it's Floxif Trojan or anything.
But, I am skeptical about these reports. And, VirusTotal's reports are not the slightest bit clear about what the information means or how to validate it. That's why I feel like I have no choice but to ignore these.
I can't tell what the latest comment is saying. Did something patch symsrv.dll to make it malicious? If so, what?
from uiforetw.
@randomascii
I am not sure this is the place, but I didn't want to create a new issue.
Running the UIForETW & collecting a trace works fine.
The issue for me happens when I try to open the created etl trace: the wpa app crashes on startup with the following WEV log:
Application: wpa.exe
CoreCLR Version: 4.700.22.16002
.NET Core Version:
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileLoadException: Could not load file or assembly 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'. Operation did not complete successfully because the file contains a virus or potentially unwanted software. (0x800700E1)
File name: 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'
at Microsoft.Performance.Analyzer.Program.Main(String[] args)
Bear in mind this is a company machine and as such there is a virus defense setup which I cannot disable easily.
from uiforetw.
You're seeing a WPA issue rather than a UIforETW issue. It looks like some sort of install problem so I would try resolving it yourself because it is likely that others cannot help you. You could always move the traces to another machine - they don't need to be resolved on the machine they are recorded on. Even a VM could work.
For further discussion please open a new issue rather than repurposing an unrelated issue.
from uiforetw.