Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

void
Site Admin
Posts: 5558
Joined: Fri Oct 16, 2009 11:31 pm

Post by void » Wed Jul 22, 2020 11:15 am

Everything does not contain any spyware, malware or viruses.

Trend Micro is removing the Installer for Everything 1.4.1.969 and flagging it as PUA.Win32.FileSearcher.C
PUA = Potentially Unwanted Application.

Trend Micro is also removing the Installer for Everything 1.4.1.986 and flagging it as PUA.Win32.FileSearcher.E


For now, Trend Micro recommends adding Everything to your whitelist:
Main console -> gear -> exception list (option on left) -> choose application / program white list.

Or lowering your detection level to normal/medium.

Or, please try the Lite version of Everything.

Please make a false positive report on Trend Micro's website:
https://success.trendmicro.com/smb-new-request
Select Threat Issue
Select File False Positive.

-and-

Please politely let Trend Micro know Everything from voidtools is not unwanted by submitting a ticket.

Reply from Trend Micro:
Please note that grayware applications do not fall into any of the major threat categories (i.e. virus or Trojan horse) as they are subject to system functionality, as well as user debate.

REFERENCE: https://www.trendmicro.com/vinfo/us/sec ... wanted-app

There are indeed Trend Micro customers who use this tool for File Searching but there are also customers who have the need that they would be notified if such application is present and being used in the environment they are monitoring.

Given the scenario above, the detection for the file as PUA.WIN32.FileSearcher.C needs to be retained.

If a Trend Micro Customer is using this file, they will need to exempt it through Spyware/Grayware Approved List in their product settings.

REFERENCE for OfficeScan: https://docs.trendmicro.com/all/ent/off ... e_Grayware

We hope this explains that the Everything.exe is not Spyware but recognized as PUA on Trend Micro's Side and the need to retain the detection to meet the needs from both customers.

This tool was used to list all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes.

For more info about the file please refer to the following URLs:

https://www.kroll.com/en-ca/insights/publications/cyber/malware-analysis-buran-ransomware-as-a-service
https://www.bankinfosecurity.com/ransomware-gangs-not-so-secret-attack-vector-rdp-exploits-a-13342

ArnoldM
Posts: 1
Joined: Wed Jul 22, 2020 7:51 pm

Post by ArnoldM » Wed Jul 22, 2020 8:13 pm

Thank you for putting out a new build to fix the issue. I've successfully downloaded and installed this version. All good so far. I haven't even whitelisted the software yet (I think I need admin rights for this) and it's working perfectly.

Thank you for creating and improving this life-saving tool, and for doing this so swiftly!

NB: This is my first post in any type of software forum on the interwebs, and I use tons of software compared to your average MS Office (workplace) user. I couldn't imagine being unable to use your search engine. Ciao!

Post by void » Thu Jul 23, 2020 12:37 am

My guess is someone is doing something malicious with Everything 1.4.1.969.

I've updated the installer to version 1.4.1.986.

Please make a false positive report on Trend Micro's website:
https://success.trendmicro.com/smb-new-request
Select Threat Issue
Select File False Positive.

-or-

Please politely let Trend Micro know Everything from voidtools is not unwanted by submitting a ticket.

YossiD
Posts: 5
Joined: Wed Mar 01, 2017 1:00 pm

Post by YossiD » Thu Jul 23, 2020 1:30 pm

I am having the same problem with Everything-1.4.1.986.x64 portable that I downloaded this morning. Trend Micro is flagging it as PUA.Win32.FileSearcher.E. Rolled back to 1.4.1.935.x64 and all is well. Have not tried 1.4.1.969.

I have not tried the installer, only the portable version.

Since Trend Micro is controlled by our SysAdmin, I do not have access to the white list.

Post by void » Thu Jul 23, 2020 11:48 pm

I've had reports of the x86 version working.

Please politely let Trend Micro know Everything from voidtools is not unwanted by submitting a ticket.

juzzle
Posts: 18
Joined: Sat Apr 11, 2020 1:07 am

Post by juzzle » Fri Jul 24, 2020 4:15 am

Just chiming in to point out that Trend is now reporting "PUA.Win32.FileSearcher.E", not "C". The behaviour started yesterday, also FYI.

Post by void » Tue Jul 28, 2020 8:00 am

Reply from Trend Micro:
Please note that grayware applications do not fall into any of the major threat categories (i.e. virus or Trojan horse) as they are subject to system functionality, as well as user debate.

REFERENCE: https://www.trendmicro.com/vinfo/us/sec ... wanted-app

There are indeed Trend Micro customers who use this tool for File Searching but there are also customers who have the need that they would be notified if such application is present and being used in the environment they are monitoring.

Given the scenario above, the detection for the file as PUA.WIN32.FileSearcher.C needs to be retained.

If a Trend Micro Customer is using this file, they will need to exempt it through Spyware/Grayware Approved List in their product settings.

REFERENCE for OfficeScan: https://docs.trendmicro.com/all/ent/off ... e_Grayware

We hope this explains that the Everything.exe is not Spyware but recognized as PUA on Trend Micro's Side and the need to retain the detection to meet the needs from both customers.

Post by void » Tue Jul 28, 2020 9:17 am

This tool was used to list all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes.

For more info about the file please refer to the following URLs:

https://www.kroll.com/en-ca/insights/publications/cyber/malware-analysis-buran-ransomware-as-a-service
https://www.bankinfosecurity.com/ransomware-gangs-not-so-secret-attack-vector-rdp-exploits-a-13342

therube
Posts: 2609
Joined: Thu Sep 03, 2009 6:48 pm

Post by therube » Tue Jul 28, 2020 11:52 am

From the Nirsoft end, https://blog.nirsoft.net/2009/05/17/ant ... evelopers/.
The DIR command was used to list all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes.
The Google search engine can be used to help find how to develop an A-bomb (or a bird feeder).

Henceforth, Trend Micro (the almighty) has decided to ban all Google searches.

For more information, please refer to, https://www.google.com/search?q=Trend+M ... e+searches

horst.epp
Posts: 270
Joined: Fri Apr 04, 2014 3:24 pm

Post by horst.epp » Tue Jul 28, 2020 12:09 pm

The solution is simply as Trend Micro says:
... they will need to exempt it through Spyware/Grayware Approved List in their product settings.
If a user can't do as suggested in his own Trend Micro installation, he must complain to the IT organisation,
which unfortunately already made the big error of selecting Trend Micro.

Post by void » Thu Jul 30, 2020 1:51 am

I have added a Lite version of Everything.

The Lite version does not allow IPC.
With the Lite version, it will be difficult for an attacker to use Everything to create a profile of your system.

sunish
Posts: 1
Joined: Sat Aug 01, 2020 4:08 am

Post by sunish » Sat Aug 01, 2020 4:21 am

The enterprise version is working on my system where Trend Micro is managed by my organization.

Registered on this forum to say thanks for the amazing utility. Trend Micro Antivirus removing it from my system made me realize how much I missed it when it was not working. I have been a user since 2013.

Just curious what makes the enterprise version different?

Post by void » Mon Aug 03, 2020 3:02 am

The Lite version is the same as the normal version, except it has IPC support removed.

This makes it difficult for an attacker to extract information from Everything.
Unfortunately, this means some useful features such as the command line interface and screen readers will not work with the Lite version.

Post by void » Wed Aug 05, 2020 12:24 am

Renamed the 'Enterprise' version to the 'Lite' version.
