Hello,
While a device was running PatchMyPC-ScriptRunner.exe to install AcroRdrDCx642300120064_en_US.exe, Windows Defender detected and removed installer.bin because Trojan:Script/Wacatac.H!ml was found in the file.
Does anyone else have this issue, or is this a false positive?
Hi There,
We haven't heard any more reports about this. When Adobe Reader installs, the installer extracts a bin file to Program Files and then extracts the installation files from the bin. It sounds like Defender is picking this up as a false positive.
You can verify the hash results of our scan for that file at
https://www.virustotal.com/gui/file/5f554986394757cc0eb314938addd7d926c817afee5c4ac6043eab878da3a8eb
Hi,
We are also detecting this on 4 different machines so far in our organization.
Detection:
https://app.screencast.com/7keNiqeyvniS7
We have also had this same issue on 6 of our computers. Do Patch My PC have any advice for this?
We have a significant number of machines also detecting this.
Hey there,
PMPC does not repackage Acrobat Reader; the binary is downloaded from Adobe. During our testing we check the binary for malware and record the hash. You can read our full security validation process at https://patchmypc.com/deep-dive-into-security-validation-of-third-party-software-updates-in-microsoft-sccm
All updates we add to our catalogue are scanned using VirusTotal, and the results for the Acrobat Reader DC Cont 23.001.20064 installer can be found here - VirusTotal - File - 1e6d872b3023308f1dfaed643c7174542523edcc0d61429b9ecf06be884dc45e: https://www.virustotal.com/gui/file/1e6d872b3023308f1dfaed643c7174542523edcc0d61429b9ecf06be884dc45e
Additionally, we extracted the EXE and ran the installer.bin through VirusTotal. Those results can be found here - VirusTotal - File - 5e54975463b5f5a25d9c143e543ef967faf6c38cc4b95ceda36a1fe97efb79e9: https://www.virustotal.com/gui/file/5e54975463b5f5a25d9c143e543ef967faf6c38cc4b95ceda36a1fe97efb79e9
You could also grab the .BIN file from C:\ProgramData\Adobe\Temp (location may vary depending on the architecture deployed) and check it against VirusTotal too.
Whilst we are not quick to dismiss this as a false positive, we would encourage your security teams to validate the Adobe download link too at https://ardownload2.adobe.com/pub/adobe/acrobat/win/AcrobatDC/2300120064/AcroRdrDCx642300120064_en_US.exe
You can find the download link in our catalog by right-clicking any product and choosing "show package info" (see image).
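A defender-side check for the situation in this thread, added here as an example (it is not Patch My PC's or Adobe's code): it hashes the installer files under the Adobe temp folder named above, compares them with the SHA-256 values quoted in this thread, and lists the Wacatac detections Defender has recorded on the machine. The temp path and running the Defender cmdlets in an elevated session on the affected device are assumptions.

```powershell
# Added example, not from Patch My PC or Adobe. Run elevated on the device where
# Defender removed installer.bin.

# SHA-256 values quoted in this thread (PMPC's VirusTotal results). Keys are
# upper-case because Get-FileHash returns upper-case hex.
$KnownGood = @{
    '1E6D872B3023308F1DFAED643C7174542523EDCC0D61429B9ECF06BE884DC45E' = 'AcroRdrDCx642300120064_en_US.exe (per PMPC)'
    '5E54975463B5F5A25D9C143E543EF967FAF6C38CC4B95CEDA36A1FE97EFB79E9' = 'installer.bin extracted from 23.001.20064 (per PMPC)'
}

# Location named in the thread; assumed, may differ by architecture.
$TempRoot = 'C:\ProgramData\Adobe\Temp'

function Test-KnownHash {
    # Hash one file and say whether it matches a hash published in the thread.
    param([Parameter(Mandatory)][string]$Path)
    $hash  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $known = $KnownGood.ContainsKey($hash)
    $label = if ($known) { $KnownGood[$hash] } else { 'no match: compare with vendor hash / VirusTotal' }
    [pscustomobject]@{ Path = $Path; SHA256 = $hash; Known = $known; MatchesAs = $label }
}

if (Test-Path $TempRoot) {
    Get-ChildItem -Path $TempRoot -Recurse -File -Include *.bin, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object { Test-KnownHash -Path $_.FullName } |
        Format-Table -AutoSize
} else {
    # A removed or already cleaned-up installer leaves nothing to hash; the
    # Defender record below is then the only evidence left on the box.
    Write-Warning "$TempRoot not found; installer may have been removed or cleaned up."
}

# Defender's own record: which threat, which file, and what action it took.
$wacatacIds = Get-MpThreat | Where-Object { $_.ThreatName -like 'Trojan:Script/Wacatac*' } |
    Select-Object -ExpandProperty ThreatID
Get-MpThreatDetection |
    Where-Object { $_.ThreatID -in $wacatacIds } |
    Select-Object InitialDetectionTime, ProcessName, Resources, ActionSuccess |
    Format-List
```

A file whose hash matches a thread value but was still removed points at the detection side rather than a tampered download; a mismatch means the download itself should be re-verified against Adobe before any suppression rule is written.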
I accepted that it is a false positive and put in a suppression rule.
However, I am now getting the same notifications for installer.bin for AcroRdrDCx642300120093_en_US.exe
This time it also includes a warning for a 'Bladabindi' backdoor.
I'm fairly certain that this is also a false one, but I worry that we'll get dozens of warnings with each Adobe Acrobat Reader update.
Edit: VirusTotal shows no threats:
https://www.virustotal.com/gui/file/241d2acfe8b9ea5eeaca10f91f7f1259340a200bba8cc118649caab595d8daf0
Thanks for reaching out. We do sympathise with your position but unfortunately there is nothing we can do here. I would advise reaching out to Adobe and they may be able to give more advice on why their installers are being flagged, incorrectly, by some Anti-Virus vendors.
I think MS messed something up with the Wacatac detection. We had false positives for Docker containers when updating Docker:
Malware Name: Trojan:Script/Wacatac.H!ml
Number of infections: 1
Last detection time(UTC time): 3/23/2023 8:39:52 AM
These are the infections of this malware:
1. Computer name: XXX
Domain: XXX
Detection time(UTC time): 3/23/2023 8:39:52 AM
Malware file path: file:_C:\Windows\Temp\DockerDesktop\qkrpy3zo0cw
Remediation action: Remove
Action status: Succeeded
Quote from: Ben Whitmore (Patch My PC) on March 27, 2023, 03:54:10 AM
> Thanks for reaching out. We do sympathise with your position but unfortunately there is nothing we can do here. I would advise reaching out to Adobe and they may be able to give more advice on why their installers are being flagged, incorrectly, by some Anti-Virus vendors.
No worries, I wasn't blaming you guys. I think the issue lies with Defender detection, like AndAuf mentioned above. I will try and find out what it is specifically about installer.bin that triggers the incident and will report back here if I do.