Windows defender false positive - forced to allow threat

Windows defender has started to identify C:\Windows\System32\mshta.exe as a threat [normally reported as a Trojan Powessere.G]. I use mshta.exe to run an hta custom MsgBox - I have been hoping to keep using my current CustomMsgBox tool [batch file calling a vbs-hta file] until later this year when I hope to have had enough time to replace it with a PowerShell alternative.

Windows defender's notification lets me "allow the threat" but that seems to me to be a bigger security hole than is necessary - it will now ignore a potentially real intrusion when all I want to run is a genuine Windows component. My immediate problem is fixed but I would prefer to fix the false positive using the exclusions list.

I cleared the 'Allowed threats history' so I could use the exclusions list instead. I added C:\Windows\System32\mshta.exe to the file exclusions list and I checked that it had taken properly by checking the exclusions list both in the UI & in the Registry. But the exclusion made no difference, it continued to detect and block the exe.

I have repeated the attempt several times [by clearing the allowed threats list & exclusions list beforehand] and the results are the same every time
- allowing the threat works,
- using the exclusions list has no effect.

I studied the relevant tutorial but have not spotted an error in what I have been doing - Add or Remove Windows Defender Exclusions

Does anybody with experience of using the exclusions list to counter false positives have any suggestions for me?

Denis

Try3 said:

Windows defender has started to identify C:\Windows\System32\mshta.exe as a threat...

Windows defender's notification lets me "allow the threat" but that seems to me to be a bigger security hole than is necessary - it will now ignore a potentially real intrusion when all I want to run is a genuine Windows component...

But are you really sure you're trying to run a genuine windows component, or perhaps the genuine file has been replaced by malware? If I right-click on my C:\Windows\System32\mshta.exe and scan with Defender it passes it as clean (1803 with the latest defender definitions).


mshta.exe is often targeted by malware that likes to hide itself under a 'legitimate' name. You should scan with AdwCleaner as a first step, then attach the resulting log files to a post for further advice (find them in the C:\AdwCleaner folder).

https://www.malwarebytes.com/adwcleaner/

Bree,

Thanks for replying.

Yes, I believed that mshta.exe was clean because I had scanned it with Windows defender & with MBAM.

I have now also scanned with Adwcleaner and a number of PUPs were detected then cleaned.

Code:

# -------------------------------
# Malwarebytes AdwCleaner 7.2.2.0
# -------------------------------
# Build:    07-17-2018
# Database: 2018-07-25.1
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    08-02-2018
# Duration: 00:00:01
# OS:       Windows 10 Home
# Cleaned:  8
# Failed:   0

***** [ Services ] *****
No malicious services cleaned.
***** [ Folders ] *****
No malicious folders cleaned.
***** [ Files ] *****
No malicious files cleaned.
***** [ DLL ] *****
No malicious DLLs cleaned.
***** [ WMI ] *****
No malicious WMI cleaned.
***** [ Shortcuts ] *****
No malicious shortcuts cleaned.
***** [ Tasks ] *****
No malicious tasks cleaned.
***** [ Registry ] *****
Deleted       HKCU\Software\Conduit
Deleted       HKLM\Software\Wow6432Node\Conduit
Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\searchenginewatch.com
Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\office-xp-service-pack.en.softonic.com
Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hp-scan-and-capture-windows-10.en.softonic.com
Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\en.softonic.com
Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bamboo-paper-windows-10.en.softonic.com
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries cleaned.
***** [ Chromium URLs ] *****
No malicious Chromium URLs cleaned.
***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries cleaned.
***** [ Firefox URLs ] *****
No malicious Firefox URLs cleaned.

*************************
[+] Delete Tracing Keys
[+] Reset Winsock
*************************
AdwCleaner[S00].txt - [2091 octets] - [02/08/2018 00:42:41]
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

I do not know if those PUP detections were significant or not but as you can see I cleaned them all anyway.

Added a few minutes later
I have repeated Adwcleaner scans on my other computers [the first was on my main computer] and the results were similar
- they all reported then cleaned Conduit keys, and
- one also reported then cleaned keys for another item I seem to have visited softonic about & possibly downloaded [WavePad].

One computer is Ver 1803 & the others are Ver 1709.

Denis

Try3 said:

Yes, I believed that mshta.exe was clean because I had scanned it with Windows defender & with MBAM.

It may have been clean after all, Defender may have blocked it due to what it was trying to download. For the Win32/Powessere family...

Variants in this family... might be dropped by Exploit:Win32/CVE-2012-0158.CJ. That exploit tricks you into opening a fake Word document (.rtf file) that will infect you with this threat.

https://www.microsoft.com/en-us/wdsi...in32/Powessere
And mshta.exe may have been the agent used to try and download it.

As we have seen it many times in previous attacks, mshta.exe is used to retrieve a script and eventually the malware payload.

https://blog.malwarebytes.com/threat...day-used-wild/

I have now also scanned with Adwcleaner and a number of PUPs were detected then cleaned.

That's a good start. Does your CustomMsgBox tool now run without issue?
@simrick may have further suggestions for you to try.

Try3 said:

Windows defender has started to identify C:\Windows\System32\mshta.exe as a threat [normally reported as a Trojan Powessere.G]. I use mshta.exe to run an hta custom MsgBox - I have been hoping to keep using my current CustomMsgBox tool [batch file calling a vbs-hta file] until later this year when I hope to have had enough time to replace it with a PowerShell alternative.
[snip]

Hi.
So, you're doing something like this?
Article: How to create a customised popup notification window using HTA | ITNinja

Have you white-listed your .hta file as well?

Bree, Simrick,

Thanks for persevering with me.

I experimented with removing the 'allow threat' for what I think is the false positive caused by running my batchfile-vbs-hta code [that WD identifies as a powerssere.G Trojan].
- with the 'allow threat' removed, the hta fails & WD says I have the Trojan
- with the 'allow threat' in place, the hta works correctly.
[the above applies to my batchfile-vbs-hta code script as well as the original form of the script mentioned below]

There is no separate hta file but the overall operation is very similar to that linked to by simrick except that this script calls IE ActiveX components.
The hta is run within the vbs and the vbs is called by subroutines within my batch files.

At its simplest, the vbs-hta is as provided by An HTA based VBScript UserForm [Tom Lavedas] - TechNet and that original script exhibits the same symptoms as my batchfile-vbs-hta version of it i.e. I have to 'allow the threat' to get it to work now.
I posted on the TechNet forum as well but only one other user has posted anything even similar to my experience [the utility is several years old now so few of its users might read the source thread any more]

I have tried adding to the exclusion list - the calling batch file, the vbs file, mshta.exe. But it is only 'allow the threat' that lets it work.

Because I am running known scripts on my computers containing the call to mshta.exe, I know what its arguments are so I know that it is not trying to download anything at all let alone anything malicious.
- I have compared the complete batchfile-vbs-hta code scripts on all four computers with the master copy on one of them and they are all uncorrupted.
- I have recopied the original Tom Lavedas version that you can see in that link above and it behaves the same way as my own batchfile-vbs-hta code script.

So the situation is that
- my known script calls mshta to run IE ActiveX components using window and content arguments that vary with each use but are always determined by my scripts.
- WD identifies the mshta call as a Trojan.
- I can only run the script if I 'allow the threat' and I cannot achieve the same by using WD's exclusions but would prefer to do so
- I suspect that the current fault is a result of an IE ActiveX issue [IE is, in effect, in 'extended support' & functional issues are not addressed so the fault itself will not be fixed].
- The focus of my thread is intended to be the use of WD's exclusions.

I hope to find enough time to study PowerShell properly this Autumn and should then be able to replace this whole thing completely.
- The point of the tool is to allow me to display responsive dialog boxes with however many buttons I want labelled with whatever text I want.
- The vbs-hta script is common to every use of the tool. The subroutines within various batch files determine the text & button labels to be used on that particular occasion. The button that is pressed is then reported back to the batch files.
- I had conducted some VBA experiments to prove that I could call the vbs-hta script from VBA then get back the identity of the pressed button [thus allowing me to have a common reporting tool for everything]. But I think I will have to knock that on the head completely until I have the PowerShell version worked out.

Denis

- I suspect that the current fault is a result of an IE ActiveX issue [IE is, in effect, in 'extended support' & functional issues are not addressed so the fault itself will not be fixed].

Just wondering out of curiosity, if you were to install Malwarebytes Antimalware "Trial", (so you have active protection, and Defender is then disabled), would MBAM allow the exclusion and work properly....or even an ESET trial. But, I think you're right - Powershell is probably your best bet.

MBAM does not find any problems so there was nothing to try excluding in either the free or RT versions. I scanned all my computers when the fault appeared then again after I had added the 'allow threat' exclusion to WD.

I've stepped up my PowerShell experiments.


[my mouse was hovering over #2 when I took the picture]

My current prototype works well. It is called from a batch file subroutine when user interaction is required [and, if necessary, it wakes up the monitor so I can see it].
- I am now going to experiment with sending output [variable values] to text files instead of using PS exit codes. That will allow me to use the same tool for reporting from batch files, VBS, other PS, VBA and will also ensure that it is compatible if I ever decide to add in input boxes or any other string outputs. I considered using the Registry for this but I routinely rip batch file variables from text file lists so I already know half of this method.
- I have also added speech [my test version is set to, for example, read out the dialog box title when it appears but that is not half as much fun as getting it to say the word beep five times instead.].
- Then I will have the great joy of working out automatic dialog box sizing procedures that take account of screen resolution, screen size, display scaling, dialog title length, dialog text lengths, button label lengths, ... I want to prove that everything else works before I do this because it can turn into a real nightmare getting all the different computers to display the dialogs decently.

I had intended to use this PSCustomMsgBox as my example task when studying PowerShell this Autumn but I now think I will continue cobbling the tool together so I can ditch my batch-vbs-hts tool because I do not feel comfortable having a threat 'allowed'.

Thanks for trying to help with the WD problem. I have not found a way to exclude the active files rather than allowing the threat. I would like to understand why I had to do it the way I did but it is just an academic exercise now that I have decided to replace the batch-vbs-hta tool.

All the best,
Denis

- I have also added speech [my test version is set to, for example, read out the dialog box title when it appears but that is not half as much fun as getting it to say the word beep five times instead.].

Good luck. Sorry I couldn't be of more help.