
Can TrustedInstaller Be Trusted?


4 replies to this topic

#1 sifu9

sifu9

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 10 February 2014 - 03:34 AM

Hi folks,

I think I have a BIG problem, but I'm too noobish to know for sure.  

Summary:
1. I have 100s to 100s of thousands of files & folders with a unique footprint.
2. Each looks innocent ... at first.
3. Right-click > Properties > Security starts the intrigue
4. System, Administrators, and Users have Read & Execute permission; my account does not show up; while TrustedInstaller has Full control. I know -- TI comes from Microsoft (as do some rootkits).
5. Click Advanced > Owner & find that the owner is Administrators, but now I am there as a potential Owner.
6. Click Auditing > Continue to find that a new player (hidden until now) "Everyone" has "Special" access.
7. Double-click Special to learn that Special includes Take ownership & Change permissions (for both Successful & Failed)!

That sounds like an invitation to hackers. Particularly when 1 such file is efsui.exe -- with Encryption connections that ransomware loves.

Meanwhile, there are several other unusual footprints that TrustedInstaller produces.

I've spent a full week on this and gained nothing but an acute case of paranoia.

Any advice would be appreciated.




#2 OldPhil

OldPhil

    Doppleganger


  • Members
  • 3,781 posts
  • OFFLINE
  • Gender:Male
  • Location:Long Island New York
  • Local time:11:08 PM

Posted 10 February 2014 - 07:22 AM

Many of the installers out there are junk/nasty installers; it is impossible to differentiate. What helps a little is to look at the items found in a search and go to the actual vendor's site; this is not foolproof! You must be very diligent, watching for obscure boxes or choices within the applets; many are confusing. You will run into some where you must hit the decline button to get no added junk. Even being very careful, I still pick up things.


If you don't stand for the flag then you will fall for anything!


#3 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,042 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:08:08 PM

Posted 10 February 2014 - 01:29 PM

Third-party software being bundled in downloads has become a common practice; this is an extra source of revenue for the author of the software being downloaded. You have a small amount of control over this in the way you install the program.

If you do the Express installation (it is suggested as recommended), the third-party software will automatically be installed.

If you choose to use the Custom Installation (advanced), each piece of third-party software will usually appear one at a time with a check mark already added to install the software; you must remove the check mark if you do not want this software installed.

An example of these two choices can be seen in the image below.

[image: installer dialog showing the Express and Custom installation choices]

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,609 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:08 PM

Posted 10 February 2014 - 07:16 PM

TrustedInstaller.exe is a process of the Windows Modules Installer service in Windows 8 | 7 and Vista. Its main function is to enable installation, removal and modification of Windows Updates and optional system components.

What is TrustedInstaller.exe process
Windows Resource Protection
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 sifu9

sifu9
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 11 February 2014 - 01:35 AM

Thanks for your replies.

 

I agree that one must be careful in downloading.

 

I know that the original intent of TrustedInstaller.exe was beneficial. quietman7's links were helpful in clearing up part of the mystery. I ran the program mentioned there (Sfc.exe) and it found no corrupted files.

 

Still, my concern is that TrustedInstaller could have been co-opted. To that end, does it not look suspicious in the pattern documented above that

1. 'Everyone' is granted permissions to assume ownership and change everyone else's permissions

3. Even if that somehow facilitates downloads, why are such instances not fixed at the conclusion of the download?

4. This pattern seems to be attached to every REMOTE & ENCRYPTION function [a perfect target for hackers]

5. File dates are not updated, these files date back to 2009 & 2010.

 

So we either have a legitimate odd-looking high-level security feature masquerading as a lowly download helper; or we have a perfect malware tool.

 

What am I misunderstanding?


Edited by sifu9, 11 February 2014 - 03:37 AM.
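As an added example (not code from the thread, from Microsoft, or from any poster), the PowerShell script below lists a file's DACL and SACL separately, which is the distinction the Properties dialog blurs: the Auditing tab shows SACL entries, which only control which access attempts get written to the Security event log, while only Allow entries on the Permissions tab actually grant rights. The default path and the function name Get-FileAclReport are my assumptions.

```powershell
# Added example, not from the thread: report a file's owner, DACL and SACL
# separately, so an Auditing-tab entry is not mistaken for a permission grant.
# Run from an elevated PowerShell; reading the SACL needs SeSecurityPrivilege.
# $Path defaults to the file named in the thread; that location is an assumption.
param([string]$Path = "$env:SystemRoot\System32\efsui.exe")

function Get-FileAclReport {
    param([Parameter(Mandatory)][string]$Path)
    # -Audit fetches the SACL (audit rules) in addition to the DACL (access rules)
    $acl = Get-Acl -Path $Path -Audit
    # DACL entries: these are what actually allow or deny access
    $dacl = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Kind     = 'Access'
            Identity = $ace.IdentityReference.Value
            Flag     = $ace.AccessControlType   # Allow or Deny
            Rights   = $ace.FileSystemRights
        }
    }
    # SACL entries: these only decide which attempts get written to the Security log
    $sacl = foreach ($ace in $acl.Audit) {
        [pscustomobject]@{
            Kind     = 'Audit'
            Identity = $ace.IdentityReference.Value
            Flag     = $ace.AuditFlags          # Success, Failure or both
            Rights   = $ace.FileSystemRights
        }
    }
    # True only if an Allow entry in the DACL gives Everyone take-ownership or
    # change-permissions; an audit entry naming Everyone does not count.
    $fsr  = [System.Security.AccessControl.FileSystemRights]
    $mask = [int]$fsr::TakeOwnership -bor [int]$fsr::ChangePermissions
    $grant = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (([int]$_.FileSystemRights) -band $mask) -ne 0
    }
    [pscustomobject]@{
        Path                   = $Path
        Owner                  = $acl.Owner
        Entries                = @($dacl) + @($sacl)
        EveryoneGrantedControl = [bool]$grant
    }
}

$report = Get-FileAclReport -Path $Path
"Owner: $($report.Owner)"
$report.Entries | Format-Table -AutoSize
"DACL grants Everyone take-ownership/change-permissions: $($report.EveryoneGrantedControl)"
```

Compare the Kind column: rows marked Audit are what the Auditing tab displays and give nobody any access, so a file whose only Everyone entry is an audit rule is not open to ownership changes by everyone.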