Latest Update Package for PSStudio 2017 sets off malware alerts

pstewart0
Posts: 1
Joined: Tue May 24, 2016 3:13 pm

Latest Update Package for PSStudio 2017 sets off malware alerts

Post by pstewart0 » Mon Oct 02, 2017 12:13 pm

Hey everyone,

Not sure if you're experiencing this. I just tried to install the latest update to PowerShell Studio 2017. The update set off all three of our malware monitors: AV and two different machine-learning products.

Sapien, do you have anything to say about this?

itengineer

brittneyr
Site Admin
Posts: 3
Joined: Thu Jun 01, 2017 7:20 am

Re: Latest Update Package for PSStudio 2017 sets off malware alerts

Post by brittneyr » Mon Oct 02, 2017 1:15 pm

Thank you for notifying us.

We continuously scan our products on our end and this could be a false positive. I highly recommend submitting the file to the antivirus vendor to confirm whether it is in fact a false positive.
Brittney Ryn
SAPIEN Technologies, Inc.

Alexander Riedel
Posts: 6327
Joined: Tue May 29, 2007 4:43 pm

Re: Latest Update Package for PSStudio 2017 sets off malware alerts

Post by Alexander Riedel » Mon Oct 02, 2017 1:23 pm

Since you didn't provide any details as to what is actually flagged, I can only guess here.
First of all, our software is continuously monitored and we do not have any virus or malware alerts.
Most likely it is one of the script engines that sets off the alert, because they contain executable code and are not signed (since you sign that when you package).
Many of these anti-virus packages use very basic pattern-matching mechanisms that use a pattern as short as possible to enhance scanning speed. That notoriously leads to false positives.
However, here is the big caveat: we have no influence or control over what happens on your machine or in your network. We cannot know what potential infestation you have and how it affects anything you download onto your computer.
So you should, under all circumstances, take any and all files that are reported as infected and send them to your anti-virus software vendor for verification.
Only then, if it is a verified virus, can you go and start looking for the source.
Alexander Riedel
SAPIEN Technologies, Inc.

jwoodring
Posts: 1
Joined: Mon Dec 14, 2015 1:55 pm

Re: Latest Update Package for PSStudio 2017 sets off malware alerts

Post by jwoodring » Thu Oct 05, 2017 7:34 am

We are experiencing the same thing after the most recent update. FireAmp does NOT like the application anymore and continues to quarantine files associated with the program.

Win32.engine has been detected as W32.B9F5B3A18495.SBX.TG (Conviction from the ThreatGrid Detonation Environment. The number preceding the "SBX" is the score of the binary when run. Definition provided by TALOS.)

Win32.engine has been detected as Auto.362E536C4F.in10.tht.Talos (Conviction of a file that takes place directly upon file import into Talos's infrastructure. This example may contain a partial hash of the SHA256 that matched. Definition provided by TALOS.)

Then attempting to reinstall the application:
Win32.engine has been detected as W32.GenericKD.20le.1201 (Third-party comparison engine. This example may contain a partial hash of the SHA256 that matched. Definition provided by TALOS.)

Alexander Riedel
Posts: 6327
Joined: Tue May 29, 2007 4:43 pm

Re: Latest Update Package for PSStudio 2017 sets off malware alerts

Post by Alexander Riedel » Thu Oct 05, 2017 7:42 am

You need to submit that to your antivirus vendor. Unfortunately we cannot do that for you. We do not have access to your files nor can we be certain what happens on your machine.
Alexander Riedel
SAPIEN Technologies, Inc.

MrLiuKenon
Posts: 1
Joined: Wed Jun 14, 2017 11:55 am

Re: Latest Update Package for PSStudio 2017 sets off malware alerts

Post by MrLiuKenon » Thu Oct 05, 2017 8:26 am

I am also running into issues with the Win32.engine file after the latest update. My company's InfoSec team now has my machine in quarantine, and is discussing reimage/replacement (yay).

They are going to submit the file to our AV provider to confirm, but their main concern is due to the hash data they received from the file.

It's flagging with an MD5 hash of: c6bc133ce99bf6150d687aadff61a512

Here is a site that shows all that are flagging it (up to 18 from 16 yesterday):
https://www.virustotal.com/#/file/b9f5b ... /detection

While my InfoSec team is doing their job and investigating the issue, I want to know if there is any way you can run a new scan and confirm that your installer is not producing these same results. This way I can verify whether there are any issues with my machine in particular, or if it's safe, part of the package, and just a false positive on their end.

My colleagues are scared to update now, for fear of having their machines taken away. I am also hesitant to reinstall after they potentially (probably) reimage my machine.

mcgoo49
Posts: 2
Joined: Wed Dec 03, 2014 7:52 am

Re: Latest Update Package for PSStudio 2017 sets off malware alerts

Post by mcgoo49 » Fri Oct 06, 2017 8:10 am

I received malware warnings on the latest installation as well. I am running AVG Free. I sent one of the files to AVG for analysis, but have not heard anything back as of yet.

These are the files and threat identified:

Win32:Evo-gen [Susp]
C:\Users\user\AppData\Roaming\SAPIEN\SPS 5.4.144.0\install\4920CD9\ScriptEngines\SAPIEN PowerShell V2 Host (Windows) Win32.engine
C:\Users\user\AppData\Roaming\SAPIEN\SPS 5.4.144.0\install\4920CD9\ScriptEngines\SAPIEN PowerShell V2 Host (Windows) Win32.engine
C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2017\ScriptEngines\SAPIEN PowerShell V2 Host (Windows) Win32.engine

Win32:Malware-gen
C:\Users\user\AppData\Roaming\SAPIEN\SPS 5.4.144.0\install\4920CD9\ScriptEngines\SAPIEN PowerShell V2 Host (Windows Forms) Win32.engine
C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2017\ScriptEngines\SAPIEN PowerShell V2 Host (Windows Forms) Win32.engine

mcgoo49
Posts: 2
Joined: Wed Dec 03, 2014 7:52 am

Re: Latest Update Package for PSStudio 2017 sets off malware alerts

Post by mcgoo49 » Fri Oct 06, 2017 8:16 am

I forgot to ask this question: I let AVG quarantine all the identified files in my previous post. I need to complete some scripts for work, and am just wondering what impact not having the scripting engine files will have when deploying or packaging scripts. Trying to decide whether or not I downgrade or if I can limp along without the aforementioned files.

kpersit
Posts: 2
Joined: Sun Mar 03, 2013 12:43 pm

Re: Latest Update Package for PSStudio 2017 sets off malware alerts

Post by kpersit » Mon Oct 09, 2017 12:47 pm

Just came across this same issue. Updated and our SentinelOne picked it up.
A couple of the hashes found:
952c37721c9cf7fd49013eff46677dc8d0886d13 - https://www.virustotal.com/#/file/b9f5b ... /detection
26/66 engines detecting as a Trojan

53e22960e2d2175f6db3d984f4d2b24ce939849e - https://www.virustotal.com/#/file/362e5 ... /detection
22/65 engines detecting as a Trojan
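
The posts above quote the file paths that were quarantined (mcgoo49) and the MD5 and SHA1 hashes that the AV products reported (MrLiuKenon, kpersit), but nobody in the thread shows how to tie the two together on a machine. The following PowerShell script is an added example written for this page; it is not SAPIEN's code and was not posted by anyone in the thread. It assumes the default install path and file names quoted by mcgoo49, treats the three hashes posted by MrLiuKenon and kpersit as reference values, and takes the "B9F5B3A18495" and "362E536C4F" fragments from jwoodring's detection names and the truncated VirusTotal URLs as SHA256 prefixes (Talos states its names may carry a partial SHA256, but the full hashes are not on this page). It computes MD5/SHA1/SHA256 for every engine file still on disk, records the Authenticode status (the vendor says these files are unsigned, so `NotSigned` is the expected result; `HashMismatch` would not be), and flags any file whose hash matches one reported here, so you can tell whether you have the same binary the other posters submitted or a different one.

```powershell
# Added example: hash and Authenticode check for the PowerShell Studio 2017
# script-engine files discussed in this thread. Not SAPIEN code.
# Assumptions: paths as quoted by mcgoo49; reference hashes as posted by
# MrLiuKenon (MD5) and kpersit (SHA1); SHA256 prefixes taken from the
# detection names / VirusTotal URLs in the thread. Run in PowerShell 4.0+.

$EnginePaths = @(
    'C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2017\ScriptEngines'
    # installer cache; the subfolder name (4920CD9 in mcgoo49's post) may differ, so wildcard it
    (Join-Path $env:APPDATA 'SAPIEN\SPS 5.4.144.0\install\*\ScriptEngines')
)

# Hashes quoted in this thread (Get-FileHash returns uppercase hex, so keys are uppercase).
# The thread does not say which engine file each hash belongs to.
$ReportedHashes = @{
    'C6BC133CE99BF6150D687AADFF61A512'         = 'MD5 posted by MrLiuKenon'
    '952C37721C9CF7FD49013EFF46677DC8D0886D13' = 'SHA1 posted by kpersit (26/66 on VirusTotal)'
    '53E22960E2D2175F6DB3D984F4D2B24CE939849E' = 'SHA1 posted by kpersit (22/65 on VirusTotal)'
}
# Assumed to be SHA256 prefixes: W32.B9F5B3A18495.SBX.TG, Auto.362E536C4F.in10.tht.Talos
# and the two truncated virustotal.com/#/file/<sha256> links in the thread.
$ReportedSha256Prefixes = @('B9F5B3A18495', '362E536C4F')

function Get-EngineReport {
    param([string[]]$Paths = $EnginePaths)

    # Quarantined files are gone from disk; report the directory instead of erroring out.
    $dirs = foreach ($p in $Paths) { Resolve-Path -Path $p -ErrorAction SilentlyContinue }
    if (-not $dirs) { Write-Warning 'No ScriptEngines directory found (already quarantined?)'; return }

    foreach ($dir in $dirs) {
        Get-ChildItem -LiteralPath $dir.Path -Filter '*.engine' -File | ForEach-Object {
            $file   = $_
            $md5    = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
            $sha1   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
            $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            # NotSigned is expected for these engines per the vendor reply above;
            # HashMismatch means the bytes changed after signing and is worth escalating.
            $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName

            $matches = @(
                foreach ($h in @($md5, $sha1)) {
                    if ($ReportedHashes.ContainsKey($h)) { $ReportedHashes[$h] }
                }
                foreach ($prefix in $ReportedSha256Prefixes) {
                    if ($sha256.StartsWith($prefix)) { "SHA256 starts with $prefix (detection name in thread)" }
                }
            )

            [pscustomobject]@{
                Directory    = $dir.Path
                File         = $file.Name
                SizeBytes    = $file.Length
                LastWriteUtc = $file.LastWriteTimeUtc
                Signature    = $sig.Status
                Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                MD5          = $md5
                SHA1         = $sha1
                SHA256       = $sha256
                MatchesPost  = $matches -join '; '
            }
        }
    }
}

$report = Get-EngineReport
$report | Format-List

# Files whose hash matches one already submitted by another poster are the same
# binary; a flagged file with no match is a different sample and should be
# submitted on its own.
$report | Where-Object { $_.MatchesPost } | Select-Object File, SHA256, MatchesPost | Format-Table -Wrap

# Evidence bundle for the AV vendor / InfoSec submission.
$report | Export-Csv -LiteralPath (Join-Path $env:USERPROFILE 'Desktop\sapien-engine-hashes.csv') -NoTypeInformation
```

Run it before letting the AV product quarantine the files; once they are quarantined only the installer cache copy (if any) is left to hash. SHA256 is what VirusTotal and ThreatGrid key on, so the SHA256 column is the value to hand to the vendor, and a `Signature` of `HashMismatch` or a `LastWriteUtc` later than the update's install time would be the kind of finding that distinguishes a tampered machine from a detection-signature false positive.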

Alexander Riedel
Posts: 6327
Joined: Tue May 29, 2007 4:43 pm

Re: Latest Update Package for PSStudio 2017 sets off malware alerts

Post by Alexander Riedel » Mon Oct 09, 2017 1:07 pm

If you are not packaging for the target that these products are complaining about, it is not a problem.
You need to contact your antivirus vendor. These files are not infected as far as we can tell. Our anti-virus scanners do not report them as infected and several vendors have already whitelisted them, as we are told. But we cannot submit files ourselves to YOUR anti-virus software vendor.

IMPORTANT: Please read other users' posts and our replies. If you have the same issue, you will get the same reply. We have no control over the way your anti-virus vendor scans for patterns. We cannot submit files to them. We scan our files continuously and we have no indication of an actual verified infection with anything.
Alexander Riedel
SAPIEN Technologies, Inc.
