Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

General discussion related to "Everything".
Post Reply
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

Update:
Thank you everyone for your support.

Trend Micro has dropped the PUA flagging of "Everything" (all current versions).
Everything does not contain any spyware, malware or viruses.

Trend Micro is removing the Installer for Everything 1.4.1.969 and flagging it as PUA.Win32.FileSearcher.C
PUA = Potentially Unwanted Application.

Trend Micro is also removing the Installer for Everything 1.4.1.986 and flagging it as PUA.Win32.FileSearcher.E


For now, Trend Micro recommends adding Everything to your whitelist:
Main console -> gear -> exception list (option on left) -> choose application / program white list.

Or lowering your detection level to normal/medium.

Please make a false positive report on Trend Micro's website:
https://success.trendmicro.com/smb-new-request
Select Threat Issue
Select File False Positive.

-and-

Please politely let Trend Micro know Everything from voidtools is not unwanted by submitting a ticket.

Reply from Trend Micro:
Please note that grayware applications do not fall into any of the major threat categories (i.e. virus or Trojan horse) as they are subject to system functionality, as well as user debate.

REFERENCE: https://www.trendmicro.com/vinfo/us/sec ... wanted-app

There are indeed Trend Micro customers who use this tool for File Searching but there are also customers who have the need that they would be notified if such application is present and being used in the environment they are monitoring.

Given the scenario above, the detection for the file as PUA.WIN32.FileSearcher.C needs to be retained.

If a Trend Micro Customer is using this file, they will need to exempt it through Spyware/Grayware Approved List in their product settings.

REFERENCE for OfficeScan: https://docs.trendmicro.com/all/ent/off ... e_Grayware

We hope this this explains that the Everything.exe is not Spyware but recognized as PUA on Trend Micro's Side and the need to retain the detection to meet the needs from both customers.
This tool was used to lists all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes.

For more info about the file please refer to the following URLs:

https://www.kroll.com/en-ca/insights/publications/cyber/malware-analysis-buran-ransomware-as-a-service
https://www.bankinfosecurity.com/ransomware-gangs-not-so-secret-attack-vector-rdp-exploits-a-13342
Other PUA names:
PUA.WIN32.FileSearcher.A
PUA.WIN32.FileSearcher.B
PUA.WIN32.FileSearcher.D
PUA.WIN32.FileSearcher.E
PUA.WIN32.FileSearcher.F
PUA.WIN32.FileSearcher.G
PUA.WIN32.FileSearcher.H
PUA.WIN32.FileSearcher.I
PUA.WIN32.FileSearcher.J
PUA.WIN32.FileSearcher.K
PUA.WIN32.FileSearcher.L
PUA.WIN32.FileSearcher.M
PUA.WIN32.FileSearcher.N
PUA.WIN32.FileSearcher.O
PUA.WIN32.FileSearcher.P
PUA.WIN32.FileSearcher.Q
PUA.WIN32.FileSearcher.R
PUA.WIN32.FileSearcher.S
PUA.WIN32.FileSearcher.T
PUA.WIN32.FileSearcher.U
PUA.WIN32.FileSearcher.V
PUA.WIN32.FileSearcher.W
PUA.WIN32.FileSearcher.X
PUA.WIN32.FileSearcher.Y
PUA.WIN32.FileSearcher.Z
ArnoldM
Posts: 1
Joined: Wed Jul 22, 2020 7:51 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by ArnoldM »

Thank you for putting out a new build to fix the issue. I've successfully downloaded and installed this version. All good so far. I haven't even whitelisted the software yet (I think I need admin rights for this) and it's working perfectly.

Thank you for creating and improving this life-saving tool, and for doing this so swiftly!

NB: This is my first post in an type of software forum on the interwebs, and I use tons of software compared to your average MS Office (workplace) user. I couldn't imagine being unable to use your search engine. Ciao!
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

My guess is someone is doing something malicious with Everything 1.4.1.969.

I've updated the installer to version 1.4.1.986.

Please make a false positive report on Trend Micro's website:
https://success.trendmicro.com/smb-new-request
Select Threat Issue
Select File False Positive.

-or-

Please politely let Trend Micro know Everything from voidtools is not unwanted by submitting a ticket.
YossiD
Posts: 9
Joined: Wed Mar 01, 2017 1:00 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by YossiD »

I am having the same problem with Everything-1.4.1.986.x64 portable that I downloaded this morning. Trend Micro is flagging it as PUA.Win32.FileSearcher.E. Rolled back to 1.4.1.935.x64 and all is well. Have not tried 1.4.1.969.

I have not tried the installer, only the portable version.

Since the Trend Micro is controlled by our SysAdmin I do not have access to the white list.
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

I've had reports of the x86 version working.

Please politely let Trend Micro know Everything from voidtools is not unwanted by submitting a ticket.
juzzle
Posts: 24
Joined: Sat Apr 11, 2020 1:07 am

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by juzzle »

Just chiming in to point out that Trend is now reporting "PUA.Win32.FileSearcher.E", not "C". The behaviour started yesterday, also FYI.

Image
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

Reply from Trend Micro:
Please note that grayware applications do not fall into any of the major threat categories (i.e. virus or Trojan horse) as they are subject to system functionality, as well as user debate.

REFERENCE: https://www.trendmicro.com/vinfo/us/sec ... wanted-app

There are indeed Trend Micro customers who use this tool for File Searching but there are also customers who have the need that they would be notified if such application is present and being used in the environment they are monitoring.

Given the scenario above, the detection for the file as PUA.WIN32.FileSearcher.C needs to be retained.

If a Trend Micro Customer is using this file, they will need to exempt it through Spyware/Grayware Approved List in their product settings.

REFERENCE for OfficeScan: https://docs.trendmicro.com/all/ent/off ... e_Grayware

We hope this this explains that the Everything.exe is not Spyware but recognized as PUA on Trend Micro's Side and the need to retain the detection to meet the needs from both customers.
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

This tool was used to lists all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes.

For more info about the file please refer to the following URLs:

https://www.kroll.com/en-ca/insights/publications/cyber/malware-analysis-buran-ransomware-as-a-service
https://www.bankinfosecurity.com/ransomware-gangs-not-so-secret-attack-vector-rdp-exploits-a-13342
therube
Posts: 5056
Joined: Thu Sep 03, 2009 6:48 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by therube »

From the Nirsoft end, https://blog.nirsoft.net/2009/05/17/ant ... evelopers/.
The DIR command was used to lists all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes.
The Google search engine can be used to help find how to develop an A-bomb (or a bird feeder).

Henceforth, Trend Micro (the almighty) has decided to ban all Google searches.

For more information, please refer to, https://www.google.com/search?q=Trend+M ... e+searches
horst.epp
Posts: 1456
Joined: Fri Apr 04, 2014 3:24 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by horst.epp »

The solution is simply as Trend Micro says:
... they will need to exempt it through Spyware/Grayware Approved List in their product settings.
If a user can't do as suggested in his own Trend Micro installation he must complain with the IT organisation
which unfortunately already made the big error to select Trend Micro.
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

I have added a Lite version of Everything.

The Lite version does not allow IPC.
With the Lite version, it will be difficult for an attacker to use Everything to create a profile of your system.
sunish
Posts: 1
Joined: Sat Aug 01, 2020 4:08 am

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by sunish »

The enterprise version is working on my system where Trend Micro is managed by my organization.

Registered on this forum to say thanks for the amazing utility. Trend Micro Antivirus removing it from my system made me realize how much I missed it when it was not working. I have been a user since 2013.

Just curious what makes the enterprise version different?
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

The Lite version is the same as the normal version, except it has IPC support removed.

This makes it difficult for an attacker to extract information from Everything.
Unfortunately, this means some useful features such as the command line interface and screen readers will not work with the Lite version.
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

Renamed the 'Enterprise' version to the 'Lite' version.
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

The Lite version is now being flagged as PUA.

I'm checking with Trend Micro as to why..
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

Thank you everyone for your support.

Trend Micro will be dropping the PUA flagging of "Everything" (all versions).

This may take up to a week for the change to be pushed through with the next Spyware update.
piyo
Posts: 6
Joined: Fri Mar 20, 2020 8:23 am

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by piyo »

Thank you for your continued diligence in this matter.
I am a user of TM and I want to post again on this topic in more detail. But for now, a show of support.
piyo
Posts: 6
Joined: Fri Mar 20, 2020 8:23 am

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by piyo »

It is unclear to me which "spyware update" version needs to be loaded to resolve this problem so I am publishing my current findings.
Will the version be explained?

Trend Micro is currently tracking Everything as a PUA with these tags:

https://www.trendmicro.com/vinfo/us/thr ... earcher.A/
2.283.00 - 07 May 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.B/
2.312.14 - 16 Jul 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.C/
2.313.00 - 16 Jul 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.G/
??? deleted?
https://www.trendmicro.com/vinfo/us/thr ... earcher.D/
2.317.00 - 30 Jul 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.E/
2.317.00 - 30 Jul 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.G/
2.319.00 - 06 Aug 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.E/
2.322.00 - 13 Aug 2020

Currently the Spyware Pattern version is:

https://www.trendmicro.com/en_us/busine ... s.html?#t4

Spyware Pattern Version: 2.321.00 Release date: 2020-08-12 06:00:14 (UTC-8)
Spyware Pattern (DA6) Version: 23.21 Release date: 2020-08-12 09:40:34 (UTC-8)

https://downloadcenter.trendmicro.com/i ... p_patterns

スパイウェアパターンファイル(SSAPI用)
SSAPIPTN.DA6(マニュアルスキャン&クリーン用): 23.21 (08/13)
SSAPTN(リアルタイムスキャン用): 2.321.00 (08/13)
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

The Spyware update that drops the PUA flagging of Everything is still pending.

Please check again Today, it might be in Thursdays (2020-08-20) Spyware Pattern update.
piyo
Posts: 6
Joined: Fri Mar 20, 2020 8:23 am

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by piyo »

Good news! :D
According to the following URL, the Spyware signatures presumably associated with Everything (ie. PUA.*.FileSearcher.*) has been dropped on Pattern version 2.325.00, August 19, 2020, 06:00:10 (UTC).

https://www.trendmicro.com/ftp/products ... ssaptn.txt
-----------------------------------------------------------------------------
Trend Micro
New Spyware Pattern Release
-----------------------------------------------------------------------------

Pattern Version: 2.325.00
August 19, 2020, 06:00:10 (UTC)

---------------------
New Spyware Detected:
---------------------
There are [71] new Spyware detected by the pattern file.
All detailed Spyware names please refer to the list below.
snip
---------------------
Spyware Signature Modified:
---------------------




---------------------
Spyware Signature Dropped:
---------------------

CRCK_KEYGEN.CB
PUA.Win32.FileSearcher.A
PUA.Win32.FileSearcher.B
PUA.Win32.FileSearcher.C
PUA.Win32.FileSearcher.F
PUA.Win32.FileSearcher.G
PUA.Win32.FileSearcher.H
PUA.Win32.FileSearcher.I
PUA.Win32.FileSearcher.J
PUA.Win32.FileSearcher.M
PUA.Win32.FileSearcher.N
PUA.Win32.FileSearcher.O
PUA.Win32.FileSearcher.P
PUA.Win32.FileSearcher.Q
PUA.Win64.FileSearcher.A
PUA.Win64.FileSearcher.D
PUA.Win64.FileSearcher.E
PUA.Win64.FileSearcher.G
PUA.Win64.ProcHack.C
Last edited by piyo on Fri Aug 21, 2020 1:44 pm, edited 1 time in total.
piyo
Posts: 6
Joined: Fri Mar 20, 2020 8:23 am

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by piyo »

Also, the URLs in my previous post that describe Spyware Signature seemed to have its contents deleted. The URLs do show up if one searches for "Everything.exe".
i.e.
https://www.trendmicro.com/vinfo/us/thr ... earcher.A/

I cannot yet verify on my Trend Micro infested machine about this update, but I intend to check it.
horst.epp
Posts: 1456
Joined: Fri Apr 04, 2014 3:24 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by horst.epp »

piyo wrote: Fri Aug 21, 2020 1:43 pm Also, the URLs in my previous post that describe Spyware Signature seemed to have its contents deleted. The URLs do show up if one searches for "Everything.exe".
i.e.
https://www.trendmicro.com/vinfo/us/thr ... earcher.A/

I cannot yet verify on my Trend Micro infested machine about this update, but I intend to check it.
You can now wait for the next Everything update and the game starts over. ;)
I'm so happy that I can select myself the Anti-virus tool on my machines (currently Kaspersky and Windows Defender).
I had enough problems with Trend Micro in my professional life.
regios
Posts: 11
Joined: Tue Feb 16, 2016 10:41 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by regios »

It is not made clear in the above if those external actors who used Everything maliciously did so by (1) looking for and exploiting existing installs of Everything or (2) bundling/downloading a copy of Everything when the malware got onto the system.

In case the problem was (1) then can we do something to harden the regular Everything version (not Lite version). For example would it be possible to add some kind of authentication or password step for IPC use? For those of us who want to keep using IPC but still mitigate against this kind of issue.
void
Developer
Posts: 17131
Joined: Fri Oct 16, 2009 11:31 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by void »

From the links that Trend Micro sent me:
https://www.kroll.com/en-ca/insights/pu ... -a-service
https://www.bankinfosecurity.com/ransom ... ts-a-13342

It looks like Everything was not installed, and was copied and run as the portable version.
Although, Trend Micros wording "This tool was used to lists all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function." makes it difficult to know without more information.
In case the problem was (1) then can we do something to harden the regular Everything version (not Lite version).
Even though this doesn't appear to be the attack used I am looking into a solution, they might include:
Disabling IPC by default. The attacker could just enable it (if they have admin rights)..
Password protecting IPC calls. The attacker could just disable the password (if they have admin rights).
Accept IPC connections only from ES.exe / Everything.exe (code signed by voidtools)

Keep in mind Everything wasn't the attack vector here. These systems were already comprised.
The attacker could have just as easily called DIR or FindFirstFile.

IPC also covers the LVM (List View Message) messages, these are required by screen readers and accessibility features to function.

IPC can be disabled now by setting the ini setting ipc to 0
regios
Posts: 11
Joined: Tue Feb 16, 2016 10:41 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by regios »

Thanks for clarifying the situation. I see the challenge in effectively locking down IPC access (without removing IPC altogether) in cases where the attacker already has gained admin access to the system by other means, but hopefully something can be done.
maphew
Posts: 2
Joined: Wed May 23, 2018 4:05 pm

Re: Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

Post by maphew »

For what it's worth, today Apex One allowed me to install Everything (via chocolatey). I manually used the client to scan "C:\Program Files\Everything" via r-click context menu and it came back with no warnings.

I don't know how to retrieve the central server's version number etc.
Post Reply