
Was this a false positive? Or something Serious?


2 replies to this topic

#1 Carbonyl

  • Members
  • 2 posts

Posted 11 December 2009 - 11:35 AM

Hello. To begin with, here are some details of the system that I'm working with: it's running Windows 7 Professional, protected by NOD32 v4 antivirus, with Windows Defender running in real time. Weekly I scan with Malwarebytes Anti-Malware. I use Opera 10.1 for web browsing, and typically keep JavaScript off. I haven't manually downloaded or installed any software in weeks. Only automatic updates have run for various programs. One of those programs I run is Steam.

Yesterday, when Steam self-updated, something very peculiar happened. While Steam was in the process of patching itself, it spawned a process called SteamServiceTmp.exe. I've seen this happen in the past (I was watching in Process Explorer), so I didn't think much of it at all. However, a popup balloon from Windows Defender cropped up at this point, and said that it wanted to send SteamServiceTmp.exe to Microsoft. I was a little freaked out, because I didn't know what was going on. NOD didn't see anything, and Defender was acting like SteamServiceTmp was a piece of malware. I was in such a panic, I don't remember the exact message, but Defender didn't really say anything explicit. I checked the log files for Defender, and the quarantine, but found nothing there. I was only able to find evidence that anything happened when I checked the System Event Viewer. I included the entry from that below, followed by a hidden log file that I eventually uncovered from this information.

I've been able to dig up no other information on this, despite asking around at several forums (Steam's in particular). It seems like I was the only one who saw this happen, which makes me think it wasn't a false positive at all. If it was, then EVERYONE who runs Steam and Windows Defender (quite a few people!) would have seen this!

A NOD32 scan found nothing, a Malwarebytes Anti-Malware scan found nothing, and a Windows Defender scan found nothing. Is there some way I can understand what happened here, and some way to ensure that my system is safe? I'm hesitant to call this a fluke, but I don't know what other actions to take. Any assistance would be appreciated. Thanks!

Here's the Event Viewer Log:
Fault bucket 864089046, type 5
Event Name: AVSubmit
Response: Not available
Cab Id: 0

Problem signature:
P1: Windows Defender
P2: 1.1.5302.0
P3: unspecified
P4: 1.71.700.0
P5: 00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
P6: 
P7: 
P8: 
P9: 
P10: 

Attached files:
\\?\C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{BF619DBF-AF9E-8823-3E83-12DE9B785E0B}-SteamServiceTmp.exe
C:\Users\{Omitted}\AppData\Local\Temp\MPSampleSubmit\client_manifest.txt

These files may be available here:
C:\Users\{Omitted}\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_Windows Defender_aaba7e9e24b775a1b21d5c41a485d822c4ec703b_0ac496bf

Analysis symbol: 
Rechecking for solution: 0
Report Id: 78cda38e-e5ff-11de-862f-001fbc01945b
Report Status: 0

Here are the contents of the Report.wer file generated:

Version=1
EventType=AVSubmit
EventTime=129049732283935547
Consent=2
UploadTime=129049732284013672
ReportIdentifier=78cda38e-e5ff-11de-862f-001fbc01945b
Response.BucketId=864089046
Response.BucketTable=5
Response.type=4
Sig[0].Name=Problem Signature 01
Sig[0].Value=Windows Defender
Sig[1].Name=Problem Signature 02
Sig[1].Value=1.1.5302.0
Sig[2].Name=Problem Signature 03
Sig[2].Value=unspecified
Sig[3].Name=Problem Signature 04
Sig[3].Value=1.71.700.0
Sig[4].Name=Problem Signature 05
Sig[4].Value=00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7600.2.0.0.256.48
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=AVSubmit
ConsentKey=AVSubmit
AppName=Windows Defender User Interface
AppPath=C:\Program Files\Windows Defender\MSASCui.exe

EDIT: Just now this happened again, with a different file. This time it was with a Flash updater I downloaded directly from Adobe (trying to keep Flash up to date to prevent security flaws, ironically!). It found the uninstall_plugin.exe file the same way it did the SteamServiceTmp.exe file, and submitted it to Microsoft. The exact wording on the balloon message was "Review files that Windows Defender will send to Microsoft (Important)". It doesn't say "This is a piece of malware" explicitly, but the logs in the Event Viewer call this an "AVsubmission". Additionally, it doesn't say anything other than "We're submitting this". Help?

Edited by Carbonyl, 11 December 2009 - 03:25 PM.
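Both records quoted in the post above are Windows Error Reporting (WER) output for an event of type AVSubmit rather than a detection record: the Report.wer file is a flat Key=Value file, its EventTime and UploadTime are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC), and "Problem Signature 05" carries a GUID-style identifier followed by a 40-hex-digit hash of the submitted file. The Python below is an added example (not code from the original post, from Microsoft, or from Valve) that parses that Report.wer text, converts the two timestamps to UTC, and splits the signature, so the submission time and the sample hash can be compared against the file actually on disk. The sample text is the post's own report; the function and key names are my own, and reading Problem Signature 05 as "identifier,hash" is an assumption. The hash is SHA-1 length, but the page does not state which algorithm Defender used.

```python
"""Parse a Windows Error Reporting Report.wer file for a Windows Defender AVSubmit event."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Report.wer contents quoted in the post above
# (the submitted-file path was omitted by the poster and is not reconstructed here).
SAMPLE_WER = r"""Version=1
EventType=AVSubmit
EventTime=129049732283935547
Consent=2
UploadTime=129049732284013672
ReportIdentifier=78cda38e-e5ff-11de-862f-001fbc01945b
Response.BucketId=864089046
Response.BucketTable=5
Response.type=4
Sig[0].Name=Problem Signature 01
Sig[0].Value=Windows Defender
Sig[1].Name=Problem Signature 02
Sig[1].Value=1.1.5302.0
Sig[2].Name=Problem Signature 03
Sig[2].Value=unspecified
Sig[3].Name=Problem Signature 04
Sig[3].Value=1.71.700.0
Sig[4].Name=Problem Signature 05
Sig[4].Value=00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7600.2.0.0.256.48
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=AVSubmit
ConsentKey=AVSubmit
AppName=Windows Defender User Interface
AppPath=C:\Program Files\Windows Defender\MSASCui.exe
"""

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Keys such as Sig[4].Name, DynamicSig[1].Value, State[0].Key
_INDEXED = re.compile(r"^(\w+)\[(\d+)\]\.(\w+)$")


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def parse_wer(text):
    """Split Report.wer into plain fields plus name->value maps for the indexed groups.

    Indexed keys (Sig[n].Name / Sig[n].Value) are paired by n, so the caller sees
    {'Problem Signature 05': '...'} instead of two positional keys.
    """
    fields, indexed = {}, {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = _INDEXED.match(key)
        if m:
            group, idx, attr = m.groups()
            indexed.setdefault(group, {}).setdefault(int(idx), {})[attr] = value
        else:
            fields[key] = value

    def pair(group, name_attr):
        entries = indexed.get(group, {}).values()
        return {e[name_attr]: e.get("Value") for e in entries if name_attr in e}

    return {
        "fields": fields,
        "sigs": pair("Sig", "Name"),
        "dynsigs": pair("DynamicSig", "Name"),
        "state": pair("State", "Key"),
    }


def summarize_avsubmit(text):
    """Pull out what a responder wants from an AVSubmit report: when, who, and which sample."""
    rep = parse_wer(text)
    f, sigs = rep["fields"], rep["sigs"]
    # Assumption: Problem Signature 05 is "<identifier>,<hex hash of the submitted file>".
    sample_id, _, digest = sigs.get("Problem Signature 05", "").partition(",")
    return {
        "event_type": f.get("EventType"),
        "reporting_app": f.get("AppName"),
        "event_time_utc": filetime_to_datetime(f["EventTime"]).isoformat(),
        "upload_time_utc": filetime_to_datetime(f["UploadTime"]).isoformat(),
        "product": sigs.get("Problem Signature 01"),
        # Two version strings are reported (Signature 02 and 04); the report does not say
        # which component each belongs to, so they are passed through unlabeled.
        "versions": (sigs.get("Problem Signature 02"), sigs.get("Problem Signature 04")),
        "sample_id": sample_id,
        "sample_digest": digest,
        # 40 hex digits is SHA-1 length; the algorithm itself is not stated in the report.
        "digest_is_sha1_length": re.fullmatch(r"[0-9A-Fa-f]{40}", digest) is not None,
        "transport_stage1_done": rep["state"].get("Transport.DoneStage1") == "1",
    }


if __name__ == "__main__":
    for k, v in summarize_avsubmit(SAMPLE_WER).items():
        print(f"{k}: {v}")
```

Running it against the post's report gives an event time of 2009-12-11 02:47:08 UTC, which lines up with the "yesterday" in the opening post once a US time zone is applied. The practical check this enables: hash the SteamServiceTmp.exe left in Defender's LocalCopy folder (or the one Steam installs) and compare it with the 40-hex-digit value from Problem Signature 05; if they match, the report identifies that exact binary and the question becomes whether that hash is the one Valve ships, not whether Defender flagged something else.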




#2 xblindx

  • Banned
  • 1,923 posts

Posted 13 December 2009 - 10:49 AM

Maybe it is something on Windows Defender's end?

#3 Carbonyl

  • Topic Starter
  • Members
  • 2 posts

Posted 15 December 2009 - 11:05 AM

Maybe it is something on Windows Defender's end?


I've tried to look into it by asking over at the Microsoft answers forum, but I keep getting nonsensical or useless replies. One guy even said "It's a false positive. Heuristics were being overzealous. Should be fixed by now. Oh, and it's definitely a Trojan!" which confused the hell out of me!

The only official reply I got over there was a series of instructions on how to exclude Steam from Defender's scans. But that doesn't explain why Defender is submitting these files. Steam isn't the only program it's grabbing and submitting! It did it to files from Adobe's latest Flash update (which I downloaded DIRECTLY from Adobe's main website! I didn't get tricked!).
