
Comments (7)

randomascii commented on May 20, 2024

This change removes one of the files:

c5c14ff

I'm not convinced that the reports are real so, absent more information, this is all that I will be doing.

from uiforetw.

naks110 commented on May 20, 2024

checked the new version, same detections:
https://www.virustotal.com/graph/03bd38b3aaa13dd15c48b884d240e36cc7e22f9e996985edf83eb0707756ab72

red files indicate detection:

e4629333dec7d596ba57bedd6e7bd0b2ab1a8638c83d0ea63832313e40cb682b
ETWProviders.dll (1 detection: secureage/apex)

214b00ec64d6999957554828b86d0232f92860a6358ae5c6ad5b48a825dde361
DelayedCreateProcess.exe (Google: Detected, Ikarus: Trojan.Win32.Swrort)


randomascii commented on May 20, 2024

I'm not convinced the reports are real. In particular note that the detections aren't really "the same" because before ETWEventDemo_deb64.exe was flagged as malicious and that file doesn't even exist anymore. Meanwhile ETWProviders.dll was "fine" before but is now suspicious but when I compared the disassemblies between the two versions I saw few differences and none that looked plausibly malicious.

I think these are false positives. Absent more information it's not even clear that there is anything that I can do.


naks110 commented on May 20, 2024

Hmm, apologies. I meant the same "crowdsourced sigma rules".
Floxif Trojan
This Trojan can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine (Malwarebytes)
SOC Prime Threat Detection Marketplace - Ariel Millahuel
Context for the matching events
EventID:11
ProcessId:6352
TargetFilename:C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h\etwpackage\bin\symsrv.dll
RuleName:DLL
CreationUtcTime:1686914585
UtcTime:1686914585
ProcessGuid:{C784477D-4618-648C-BA0A-000000004A00}
Image:C:\Windows\SysWOW64\7za.exe

Detection rule:

    logsource:
        product: windows
        service: sysmon
    detection:
        selection1:
            EventID: 11
            TargetFilename|contains:
                - fzshellext.dll
                - \AppData\Local\Temp\conres.dll
                - \System\symsrv.dll
                - symsrv.dll
        condition: selection1
    fields:
        - TargetFilename
        - Details
    falsepositives:
        - none
    level: high

Thanks though for looking into it & quickly making releases.

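To see what the Sigma rule quoted in the comment above actually keys on, here is an added example (not from the issue thread, the rule author, or the UIforETW project) that evaluates its `TargetFilename|contains` selection over Sysmon Event ID 11 (FileCreate) records. The first event reproduces the fields quoted in the comment; the other events, their paths and process images are constructed for illustration and are not observed telemetry.

```python
# Added example: evaluate the Sigma rule's selection1 against Sysmon
# Event ID 11 (FileCreate) records. Not code from the issue thread or
# from UIforETW; events other than the first are constructed/assumed.

RULE_EVENT_ID = 11

# The TargetFilename|contains list, copied from the rule in the comment.
RULE_CONTAINS = [
    r"fzshellext.dll",
    r"\AppData\Local\Temp\conres.dll",
    r"\System\symsrv.dll",
    r"symsrv.dll",
]


def matched_needles(event: dict) -> list:
    """Return the rule entries that match this event (empty list = no hit).

    Sigma string matching is case-insensitive, so both sides are lowered.
    `contains` is a plain substring test: no hash, signer or path check.
    """
    if event.get("EventID") != RULE_EVENT_ID:
        return []
    target = event.get("TargetFilename", "").lower()
    return [needle for needle in RULE_CONTAINS if needle.lower() in target]


def matches_rule(event: dict) -> bool:
    """selection1 is the only selection, so `condition: selection1` is any hit."""
    return bool(matched_needles(event))


# Constructed events. EVENTS[0] mirrors the record quoted in the thread;
# the rest are assumed values chosen to exercise the rule's logic.
EVENTS = [
    {   # quoted in the thread: 7za.exe unpacking the UIforETW package
        "EventID": 11,
        "Image": r"C:\Windows\SysWOW64\7za.exe",
        "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h"
                          r"\etwpackage\bin\symsrv.dll",
    },
    {   # assumed: a debugger/SDK installer writing its own copy of symsrv.dll
        "EventID": 11,
        "Image": r"C:\Temp\WindowsSdkSetup.exe",
        "TargetFilename": r"C:\Program Files (x86)\Windows Kits\10"
                          r"\Debuggers\x64\symsrv.dll",
    },
    {   # assumed: an unrelated DLL written by the same 7za.exe process
        "EventID": 11,
        "Image": r"C:\Windows\SysWOW64\7za.exe",
        "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h"
                          r"\etwpackage\bin\ETWProviders.dll",
    },
    {   # assumed: same symsrv.dll path but a different EventID, to show the gate
        "EventID": 1,
        "Image": r"C:\Windows\SysWOW64\7za.exe",
        "TargetFilename": r"C:\Users\george\AppData\Local\Temp\et3j0mdf.c3h"
                          r"\etwpackage\bin\symsrv.dll",
    },
]


def evaluate(events: list) -> list:
    """Return (Image, TargetFilename, matched entries) for every hit."""
    return [
        (e["Image"], e["TargetFilename"], matched_needles(e))
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for image, target, needles in evaluate(EVENTS):
        print(f"HIT  {image} -> {target}  via {needles}")
```

Both FileCreate events for a file named symsrv.dll fire, and only through the bare `symsrv.dll` entry: the rule reports that a file with that name was written, nothing more. Whether the write is malicious still depends on the file's hash, signature and the writing process, none of which the selection examines, so the `falsepositives: none` line in the rule is not something the rule itself can guarantee.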

randomascii commented on May 20, 2024

If any of these detections are accurate then it's a very serious problem, especially since it implies that the machine where I am doing these builds is infected with something. Whether it's Floxif Trojan or anything.

But, I am skeptical about these reports. And, VirusTotal's reports are not the slightest bit clear about what the information means or how to validate it. That's why I feel like I have no choice but to ignore these.

I can't tell what the latest comment is saying. Did something patch symsrv.dll to make it malicious? If so, what?


aldi-ms commented on May 20, 2024

@randomascii
I am not sure this is the place, but I didn't want to create a new issue.
Running the UIForETW & collecting a trace works fine.
The issue with me happens when I try to open the created etl trace: the wpa app crashes on startup with the following WEV log:

Application: wpa.exe
CoreCLR Version: 4.700.22.16002
.NET Core Version:
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileLoadException: Could not load file or assembly 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'. Operation did not complete successfully because the file contains a virus or potentially unwanted software. (0x800700E1)
File name: 'Microsoft.Performance.XPerfPlugIn.Extensions, Version=11.2.0.0, Culture=neutral, PublicKeyToken=null'
at Microsoft.Performance.Analyzer.Program.Main(String[] args)

Bear in mind this is a company machine and as such there is a virus defense setup which I cannot disable easily.


randomascii commented on May 20, 2024

You're seeing a WPA issue rather than a UIforETW issue. It looks like some sort of install problem so I would try resolving it yourself because it is likely that others cannot help you. You could always move the traces to another machine - they don't need to be resolved on the machine they are recorded on. Even a VM could work.

For further discussion please open a new issue rather than repurposing an unrelated issue.

