Windows defender false positive - forced to allow threat [Solved]

#1 Try3 (Posts: 2,470; Windows 10 Home x64 and Pro x86)


Windows Defender has started to identify C:\Windows\System32\mshta.exe as a threat [normally reported as a Trojan, Powessere.G]. I use mshta.exe to run an HTA custom MsgBox - I have been hoping to keep using my current CustomMsgBox tool [a batch file calling a vbs-hta file] until later this year, when I hope to have had enough time to replace it with a PowerShell alternative.

Windows Defender's notification lets me "allow the threat", but that seems to me to be a bigger security hole than is necessary - it will now ignore a potentially real intrusion when all I want to run is a genuine Windows component. My immediate problem is fixed, but I would prefer to fix the false positive using the exclusions list.

I cleared the 'Allowed threats history' so I could use the exclusions list instead. I added C:\Windows\System32\mshta.exe to the file exclusions list and checked that it had taken properly by checking the exclusions list both in the UI and in the Registry. But the exclusion made no difference; it continued to detect and block the exe.

I have repeated the attempt several times [by clearing the allowed threats list and exclusions list beforehand] and the results are the same every time:
- allowing the threat works,
- using the exclusions list has no effect.

I studied the relevant tutorial but have not spotted an error in what I have been doing - Add or Remove Windows Defender Exclusions.

    Does anybody with experience of using the exclusions list to counter false positives have any suggestions for me?

    Denis
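As an added example (my own, not code from any post in this thread), the following PowerShell performs the checks Denis describes doing by hand: whether the exclusion registered in Defender's own preferences, whether the registry shows it, and which detections still reference mshta.exe and on what resource. The target path and the 'mshta' filter are taken from the thread; the cmdlets are the standard Defender module ones, and an elevated session on Windows 10 is assumed.

```powershell
# Added example, not code from the thread. Checks whether a file exclusion for mshta.exe
# actually registered with Defender and what recent detections referencing it look like.
# Assumes an elevated PowerShell session on Windows 10 with the Defender module present.
# $Target is the path from the thread; change it to check a different file.
$Target = 'C:\Windows\System32\mshta.exe'

# 1. Defender's own view of configured exclusions (what the Windows Security UI shows).
$pref = Get-MpPreference
$hit = @($pref.ExclusionPath) | Where-Object { $_ -and ($_.TrimEnd('\') -ieq $Target) }
if ($hit) {
    Write-Host "File exclusion registered for $Target"
} else {
    Write-Host "No file exclusion for $Target. Current ExclusionPath: $($pref.ExclusionPath -join '; ')"
}

# 2. The registry view the opening post cross-checked. Each excluded path is a value name
#    under this key; reading it needs an elevated session.
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
if (Test-Path $regKey) {
    $names = (Get-Item $regKey).GetValueNames()
    Write-Host ("Registry lists the path: {0}" -f ($names -icontains $Target))
}

# 3. Recent detections that mention mshta, with the resource each one was raised on.
#    If the resource is the script or command line rather than the .exe itself, a path
#    exclusion on the .exe alone does not cover that detection.
$byId = Get-MpThreat | Group-Object ThreatID -AsHashTable -AsString
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ' ') -imatch 'mshta' } |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 |
    ForEach-Object {
        $id = [string]$_.ThreatID
        $name = if ($byId -and $byId[$id]) { ($byId[$id] | Select-Object -First 1).ThreatName } else { $id }
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $name
            Process   = $_.ProcessName
            Resources = ($_.Resources -join ' | ')
        }
    } | Format-Table -Wrap -AutoSize
```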

#2 Bree (Posts: 12,463; 10 Home x64 (1903) (10 Pro on 2nd pc))

Try3 said:
> Windows defender has started to identify C:\Windows\System32\mshta.exe as a threat...
>
> Windows defender's notification lets me "allow the threat" but that seems to me to be a bigger security hole than is necessary - it will now ignore a potentially real intrusion when all I want to run is a genuine Windows component...

But are you really sure you're trying to run a genuine Windows component, or perhaps the genuine file has been replaced by malware? If I right-click on my C:\Windows\System32\mshta.exe and scan with Defender it passes it as clean (1803 with the latest Defender definitions).


    mshta.exe is often targeted by malware that likes to hide itself under a 'legitimate' name. You should scan with AdwCleaner as a first step, then attach the resulting log files to a post for further advice (find them in the C:\AdwCleaner folder).

    https://www.malwarebytes.com/adwcleaner/

#3 Try3, Thread Starter (Posts: 2,470; Windows 10 Home x64 and Pro x86)

    Bree,

    Thanks for replying.

Yes, I believed that mshta.exe was clean because I had scanned it with Windows Defender and with MBAM.

I have now also scanned with AdwCleaner and a number of PUPs were detected, then cleaned.


    Code:
    # -------------------------------
    # Malwarebytes AdwCleaner 7.2.2.0
    # -------------------------------
    # Build:    07-17-2018
    # Database: 2018-07-25.1
    # Support:  https://www.malwarebytes.com/support
    #
    # -------------------------------
    # Mode: Clean
    # -------------------------------
    # Start:    08-02-2018
    # Duration: 00:00:01
    # OS:       Windows 10 Home
    # Cleaned:  8
    # Failed:   0
    
    ***** [ Services ] *****
    No malicious services cleaned.
    ***** [ Folders ] *****
    No malicious folders cleaned.
    ***** [ Files ] *****
    No malicious files cleaned.
    ***** [ DLL ] *****
    No malicious DLLs cleaned.
    ***** [ WMI ] *****
    No malicious WMI cleaned.
    ***** [ Shortcuts ] *****
    No malicious shortcuts cleaned.
    ***** [ Tasks ] *****
    No malicious tasks cleaned.
    ***** [ Registry ] *****
    Deleted       HKCU\Software\Conduit
    Deleted       HKLM\Software\Wow6432Node\Conduit
    Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\searchenginewatch.com
    Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
    Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\office-xp-service-pack.en.softonic.com
    Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hp-scan-and-capture-windows-10.en.softonic.com
    Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\en.softonic.com
    Deleted       HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bamboo-paper-windows-10.en.softonic.com
    ***** [ Chromium (and derivatives) ] *****
    No malicious Chromium entries cleaned.
    ***** [ Chromium URLs ] *****
    No malicious Chromium URLs cleaned.
    ***** [ Firefox (and derivatives) ] *****
    No malicious Firefox entries cleaned.
    ***** [ Firefox URLs ] *****
    No malicious Firefox URLs cleaned.
    
    *************************
    [+] Delete Tracing Keys
    [+] Reset Winsock
    *************************
    AdwCleaner[S00].txt - [2091 octets] - [02/08/2018 00:42:41]
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

I do not know if those PUP detections were significant or not, but as you can see I cleaned them all anyway.

Added a few minutes later:
I have repeated AdwCleaner scans on my other computers [the first was on my main computer] and the results were similar:
- they all reported then cleaned Conduit keys, and
- one also reported then cleaned keys for another item I seem to have visited softonic about and possibly downloaded [WavePad].

    One computer is Ver 1803 & the others are Ver 1709.

    Denis
    Last edited by Try3; 01 Aug 2018 at 19:30.

#4 Bree (Posts: 12,463; 10 Home x64 (1903) (10 Pro on 2nd pc))

Try3 said:
> Yes, I believed that mshta.exe was clean because I had scanned it with Windows defender & with MBAM.

It may have been clean after all; Defender may have blocked it due to what it was trying to download. For the Win32/Powessere family...

> Variants in this family... might be dropped by Exploit:Win32/CVE-2012-0158.CJ. That exploit tricks you into opening a fake Word document (.rtf file) that will infect you with this threat.
https://www.microsoft.com/en-us/wdsi...in32/Powessere

And mshta.exe may have been the agent used to try and download it.

> As we have seen it many times in previous attacks, mshta.exe is used to retrieve a script and eventually the malware payload.
https://blog.malwarebytes.com/threat...day-used-wild/

Try3 said:
> I have now also scanned with Adwcleaner and a number of PUPs were detected then cleaned.

That's a good start. Does your CustomMsgBox tool now run without issue?
@simrick may have further suggestions for you to try.

#5 simrick (Posts: 15,528; W10Prox64)

Try3 said:
> Windows defender has started to identify C:\Windows\System32\mshta.exe as a threat [normally reported as a Trojan Powessere.G]. I use mshta.exe to run an hta custom MsgBox - I have been hoping to keep using my current CustomMsgBox tool [batch file calling a vbs-hta file] until later this year when I hope to have had enough time to replace it with a PowerShell alternative.
> [snip]

Hi.
So, you're doing something like this?
Article: How to create a customised popup notification window using HTA | ITNinja

    Have you white-listed your .hta file as well?

#6 Try3, Thread Starter (Posts: 2,470; Windows 10 Home x64 and Pro x86)

    Bree, Simrick,

    Thanks for persevering with me.

I experimented with removing the 'allow threat' for what I think is the false positive caused by running my batchfile-vbs-hta code [that WD identifies as a Powessere.G Trojan]:
- with the 'allow threat' removed, the hta fails and WD says I have the Trojan;
- with the 'allow threat' in place, the hta works correctly.
[the above applies to my batchfile-vbs-hta code script as well as the original form of the script mentioned below]

There is no separate hta file, but the overall operation is very similar to that linked to by simrick, except that this script calls IE ActiveX components.
The hta is run within the vbs, and the vbs is called by subroutines within my batch files.
[attached image: custommsgbox.png]
At its simplest, the vbs-hta is as provided by An HTA based VBScript UserForm [Tom Lavedas] - TechNet, and that original script exhibits the same symptoms as my batchfile-vbs-hta version of it, i.e. I have to 'allow the threat' to get it to work now.
I posted on the TechNet forum as well, but only one other user has posted anything even similar to my experience [the utility is several years old now, so few of its users might read the source thread any more].

    I have tried adding to the exclusion list - the calling batch file, the vbs file, mshta.exe. But it is only 'allow the threat' that lets it work.

    Because I am running known scripts on my computers containing the call to mshta.exe, I know what its arguments are so I know that it is not trying to download anything at all let alone anything malicious.
    - I have compared the complete batchfile-vbs-hta code scripts on all four computers with the master copy on one of them and they are all uncorrupted.
    - I have recopied the original Tom Lavedas version that you can see in that link above and it behaves the same way as my own batchfile-vbs-hta code script.

So the situation is that:
- my known script calls mshta to run IE ActiveX components using window and content arguments that vary with each use but are always determined by my scripts;
- WD identifies the mshta call as a Trojan;
- I can only run the script if I 'allow the threat', and I cannot achieve the same by using WD's exclusions, but would prefer to do so;
- I suspect that the current fault is a result of an IE ActiveX issue [IE is, in effect, in 'extended support' and functional issues are not addressed, so the fault itself will not be fixed];
- the focus of my thread is intended to be the use of WD's exclusions.

    I hope to find enough time to study PowerShell properly this Autumn and should then be able to replace this whole thing completely.
    - The point of the tool is to allow me to display responsive dialog boxes with however many buttons I want labelled with whatever text I want.
    - The vbs-hta script is common to every use of the tool. The subroutines within various batch files determine the text & button labels to be used on that particular occasion. The button that is pressed is then reported back to the batch files.
    - I had conducted some VBA experiments to prove that I could call the vbs-hta script from VBA then get back the identity of the pressed button [thus allowing me to have a common reporting tool for everything]. But I think I will have to knock that on the head completely until I have the PowerShell version worked out.

    Denis
    Last edited by Try3; 01 Aug 2018 at 21:24.


#7 simrick (Posts: 15,528; W10Prox64)

Try3 said:
> - I suspect that the current fault is a result of an IE ActiveX issue [IE is, in effect, in 'extended support' & functional issues are not addressed so the fault itself will not be fixed].

Just wondering out of curiosity: if you were to install Malwarebytes Antimalware "Trial" (so you have active protection, and Defender is then disabled), would MBAM allow the exclusion and work properly... or even an ESET trial? But I think you're right - PowerShell is probably your best bet.

#8 Try3, Thread Starter (Posts: 2,470; Windows 10 Home x64 and Pro x86)

    MBAM does not find any problems so there was nothing to try excluding in either the free or RT versions. I scanned all my computers when the fault appeared then again after I had added the 'allow threat' exclusion to WD.

    I've stepped up my PowerShell experiments.

[attached image: t17-chosen-icon.png]
[my mouse was hovering over #2 when I took the picture]

    My current prototype works well. It is called from a batch file subroutine when user interaction is required [and, if necessary, it wakes up the monitor so I can see it].
    - I am now going to experiment with sending output [variable values] to text files instead of using PS exit codes. That will allow me to use the same tool for reporting from batch files, VBS, other PS, VBA and will also ensure that it is compatible if I ever decide to add in input boxes or any other string outputs. I considered using the Registry for this but I routinely rip batch file variables from text file lists so I already know half of this method.
- I have also added speech [my test version is set to, for example, read out the dialog box title when it appears, but that is not half as much fun as getting it to say the word beep five times instead].
    - Then I will have the great joy of working out automatic dialog box sizing procedures that take account of screen resolution, screen size, display scaling, dialog title length, dialog text lengths, button label lengths, ... I want to prove that everything else works before I do this because it can turn into a real nightmare getting all the different computers to display the dialogs decently.

I had intended to use this PSCustomMsgBox as my example task when studying PowerShell this Autumn, but I now think I will continue cobbling the tool together so I can ditch my batch-vbs-hta tool, because I do not feel comfortable having a threat 'allowed'.

    Thanks for trying to help with the WD problem. I have not found a way to exclude the active files rather than allowing the threat. I would like to understand why I had to do it the way I did but it is just an academic exercise now that I have decided to replace the batch-vbs-hta tool.

    All the best,
    Denis
    Last edited by Try3; 03 Aug 2018 at 14:19.

#9 simrick (Posts: 15,528; W10Prox64)

Try3 said:
> - I have also added speech [my test version is set to, for example, read out the dialog box title when it appears but that is not half as much fun as getting it to say the word beep five times instead.].

    Good luck. Sorry I couldn't be of more help.


#10 (Posts: 75; Windows 10 Pro 64-bit)

They fixed it yesterday... There are some Win Defender DOS commands you have to run... All the info is here:

Trojan:Win32/Powessere.G - False Positive (?) - https://social.technet.microsoft.com...nderATPPreview

I posted my link above on that page, then read on another page that the way to report problems is through the "Give us feedback" button in Win Defender, which requires the "Feedback Hub" app:

Send feedback to Microsoft with the Feedback Hub app - https://support.microsoft.com/en-us/...edback-hub-app

I didn't get any reply from the Feedback Hub post, but posted here also, and they were really fast:

Submit a file for malware analysis - Microsoft Security Intelligence - https://www.microsoft.com/en-us/wdsi/filesubmission/
