Solved

Tool from "UserBenchmark" marked as malware, but generic?

  • 3 October 2023
  • 12 replies
  • 216 views

Userlevel 1

Webroot flagged the benchmarking tool from https://www.userbenchmark.com/ as malware,

as Win32.LocalInfect.2.

OK, but where can I go for more information? Is that a generic sort of concern, or something specific?
Based on user reports, automated scanning, behavior?


I see online discussion of “Nullsoft Scriptable Install System (NSIS)” as being the cause of the flag.
And VirusTotal says:

Bkav Pro: W32.AIDetectMalware.64
Cynet: Malicious (score: 100)
Gridinsoft (no cloud): Trojan.Win64.Downloader.sa
Acronis (Static ML): Undetected
AhnLab-V3: Undetected
Alibaba: Undetected
ALYac: Undetected
Antiy-AVL: Undetected
Arcabit: Undetected
...
ViRobot: Undetected
Webroot: Undetected
Avast-Mobile: Unable to process file type
BitDefenderFalx: Unable to process file type


Best answer by TripleHelix 4 October 2023, 02:00


Userlevel 7
Badge +63

Hello @iOne

Save a Scan log and post the line that shows the infection! Go to the WSA icon near the clock, right click on it and select "Save a Scan Log"; it should be near the bottom of the log.

I don't have any in my log but it should look like this!

[G] C:\Program Files (x86)\Samsung\Samsung Magician\SamsungMagician.exe [SHA256: 6316EBAABBFFD60B1A541474C1B7C46DA2580EB71BDD6C9FB5DE33F87DC5872C] [MD5: F96B3B282F4905F45207D66E3F40E294] [Flags: 00101000.7902]

Thanks,

Userlevel 7
Badge +63

I checked it out in one of my VMs!

Tue 2023-10-03 12:22:31.0603    Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0603    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0604    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0962    Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0962    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0963    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0368    Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0368    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0369    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0443    Infection detected: C:\Users\Daniel\AppData\Local\Microsoft\Windows\INetCache\IE\EW74KN54\UserBenchmarkSetup[1].exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0443    Infection found in realtime: C:\Users\Daniel\AppData\Local\Microsoft\Windows\INetCache\IE\EW74KN54\UserBenchmarkSetup[1].exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0446    Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0447    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0483    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [(null)]
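Parsing and de-duplicating scan-log lines like the ones above: this is an added example, not Webroot's tooling and not code posted in the thread. It assumes only the two line shapes visible in the log ("Infection detected" carrying SHA256 and MD5, "Infection found in realtime" carrying UniqueID, MD5 and Size), collapses the repeated events to one record per hash, and builds the VirusTotal lookup link in the form used later in this thread. The "generic name" heuristic (a family name ending in .Gen) is my assumption, not Webroot's naming rule. The sample input is four lines copied from the log posted above.

```python
"""Parse Webroot SecureAnywhere scan-log lines and summarise them per file hash.

Added example for this thread, not Webroot's own tooling.  The format is
inferred from the lines posted above; two shapes occur:
  "Infection detected"          -> [SHA256: ..] [MD5: ..] [flags] [name]
  "Infection found in realtime" -> [UniqueID: .., MD5: .., Size: .. bytes] [flags] [name]
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: four lines copied from the scan log posted in this thread.
SAMPLE_LOG = r"""
Tue 2023-10-03 12:22:31.0603    Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0603    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0443    Infection detected: C:\Users\Daniel\AppData\Local\Microsoft\Windows\INetCache\IE\EW74KN54\UserBenchmarkSetup[1].exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0483    Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [(null)]
"""

# The path ends at the first " [" that opens a SHA256/UniqueID group, so a
# path such as "UserBenchmarkSetup[1].exe" is not cut at its own bracket.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<event>Infection detected|Infection found in realtime):\s+"
    r"(?P<path>.+?)\s+\[(?=SHA256:|UniqueID:)(?P<rest>.*)$"
)
SHA256_RE = re.compile(r"SHA256: ([0-9A-Fa-f]{64})")
MD5_RE = re.compile(r"MD5: ([0-9A-Fa-f]{32})")
SIZE_RE = re.compile(r"Size: (\d+) bytes")
FLAGS_RE = re.compile(r"\[(\d+/[0-9A-Fa-f]+)\]")
NAME_RE = re.compile(r"\[([^\[\]]*)\]$")  # last bracket group on the line


@dataclass
class Detection:
    timestamp: str
    event: str
    path: str
    md5: str
    name: str                     # "W32.Malware.Gen" or "(null)" exactly as logged
    sha256: Optional[str] = None  # only on "Infection detected" lines
    size: Optional[int] = None    # only on "realtime" lines
    flags: Optional[str] = None   # the opaque "[3/00080000]"-style field


def parse_line(line: str) -> Optional[Detection]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    md5, name = MD5_RE.search(rest), NAME_RE.search(rest)
    if not md5 or not name:
        return None
    sha, size, flags = SHA256_RE.search(rest), SIZE_RE.search(rest), FLAGS_RE.search(rest)
    return Detection(
        timestamp=m.group("ts"), event=m.group("event"), path=m.group("path"),
        md5=md5.group(1).upper(), name=name.group(1),
        sha256=sha.group(1).upper() if sha else None,
        size=int(size.group(1)) if size else None,
        flags=flags.group(1) if flags else None,
    )


def parse_log(text: str) -> List[Detection]:
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d]


def summarize(dets: List[Detection]) -> Dict[str, dict]:
    """Collapse repeated events to one record per MD5 (the key both line shapes share)."""
    out: Dict[str, dict] = defaultdict(
        lambda: {"sha256": None, "size": None, "paths": set(), "names": set(), "events": 0}
    )
    for d in dets:
        rec = out[d.md5]
        rec["events"] += 1
        rec["paths"].add(d.path)
        if d.name != "(null)":          # "(null)" is an event with no verdict name
            rec["names"].add(d.name)
        rec["sha256"] = rec["sha256"] or d.sha256
        rec["size"] = rec["size"] or d.size
    return {k: {**v, "paths": sorted(v["paths"]), "names": sorted(v["names"])}
            for k, v in out.items()}


def vt_url(sha256: str) -> str:
    """VirusTotal file page, in the form of the links posted later in this thread."""
    return "https://www.virustotal.com/gui/file/" + sha256.lower()


def is_generic(name: str) -> bool:
    """Heuristic (my assumption, not Webroot's naming rule): '.Gen' suffix or 'Generic' = family-less verdict."""
    return name.endswith(".Gen") or "generic" in name.lower()


if __name__ == "__main__":
    for md5, rec in summarize(parse_log(SAMPLE_LOG)).items():
        print(md5, rec["events"], "events", rec["names"], rec["size"], "bytes")
        if rec["sha256"]:
            print("  ", vt_url(rec["sha256"]))
```

Feed it a saved scan log instead of SAMPLE_LOG and you get one line per distinct file rather than a dozen repeats of the same hash, which is what a support ticket actually needs.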

Userlevel 7
Badge +63

If you feel it's a False Positive please contact Webroot Support directly and they will help you!

Webroot Support:

Submit a ticket 24/7/365 (the best way).

Call 1-866-612-4227 during the week Mon - Fri 7 AM to 5:30 PM (MDT)

Note: When submitting a Support Ticket, please wait for a response from Support. Putting in another Support Ticket on this problem before Support responds will put your first Support Ticket at the end of the queue.

 

Thanks,

Userlevel 7
Badge +63

Hello @iOne

I contacted support and here is what they had to say!


Webroot Support (Oct 3, 2023 19:46)

RE:Is this bad or a FP?

Hello Daniel,

Thank you for providing us the file information. For this file we are keeping our determination as bad and you may allow this locally should you need it.

Regards,
Zach P.
The Webroot Advanced Malware Removal Team

Your Message (Oct 3, 2023 19:20)

Is this bad or a FP?

Is this bad or a FP?

Thanks,

Daniel XD


Tue 2023-10-03 12:22:31.0603 Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0603 Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0604 Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0962 Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0962 Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:31.0963 Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0368 Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0368 Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0369 Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0443 Infection detected: C:\Users\Daniel\AppData\Local\Microsoft\Windows\INetCache\IE\EW74KN54\UserBenchmarkSetup[1].exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0443 Infection found in realtime: C:\Users\Daniel\AppData\Local\Microsoft\Windows\INetCache\IE\EW74KN54\UserBenchmarkSetup[1].exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0446 Infection detected: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0447 Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [W32.Malware.Gen]
Tue 2023-10-03 12:22:32.0483 Infection found in realtime: C:\Users\Daniel\AppData\Local\Temp\UserBenchmarkSetup.exe [UniqueID: 57DA14F2, MD5: 06F5B985F25C0E4AFD573013DC7DCBC7, Size: 14264876 bytes] [524288/00000003] [(null)]

I guess that’s it!

Userlevel 1

Bad as in what bad?

Malware is a very generic term.

If it means the program is collecting data and reporting it to a central server on launch, well, yes... that's what it's supposed to do. If it's doing more than that, it's a problem. But what "more"?

Tue 2023-10-03 13:08:54.0525    Infection detected: C:\Users\bryce\AppData\Local\Temp\UserBenchmarkSetup.exe [SHA256: F214DA57EA18F3C4BEF70F0F5F0C540B889BF214CADD6B011DC1F0A30BB528FD] [MD5: 06F5B985F25C0E4AFD573013DC7DCBC7] [3/00080000] [W32.Malware.Gen]


Userlevel 7
Badge +63

I’m just going by what they said:


Webroot Support (Oct 3, 2023 19:46)

RE:Is this bad or a FP?

Hello Daniel,

Thank you for providing us the file information. For this file we are keeping our determination as bad and you may allow this locally should you need it.

Regards,
Zach P.
The Webroot Advanced Malware Removal Team


Userlevel 7
Badge +63

Also the file when installed is much larger! Size: 14264876 bytes


https://www.virustotal.com/gui/file/f214da57ea18f3c4bef70f0f5f0c540b889bf214cadd6b011dc1f0a30bb528fd?nocache=1

Userlevel 7
Badge +63

The download is only. And the installer from VirusTotal https://www.virustotal.com/gui/file/ed3a4d2c00348ee99205c7d2f1c69405b0ab046ce10566c7d74ba0e190b75ed6

But after it's installed!

https://www.virustotal.com/gui/file/f214da57ea18f3c4bef70f0f5f0c540b889bf214cadd6b011dc1f0a30bb528fd?nocache=1

“Matches rule Malicious payloads that are hidden in fake Windows error logs by Ariel Millahuel at SOC Prime Threat Detection Marketplace”

So there is much more going on than what support told me. Maybe contact support and ask them yourself?

Userlevel 1

It appears they use NSIS, which is a small bootloader:

https://sourceforge.net/projects/nsis/

That then brings in the full program, which, by the way, is a portable EXE that's not actually installed, just dropped into a folder.

The question remains: is the installer triggering these warnings, or some actual behavior of the program?

Userlevel 7
Badge +63

It appears they use NSIS, which is a small bootloader:

https://sourceforge.net/projects/nsis/

That then brings in the full program, which, by the way, is a portable EXE that's not actually installed, just dropped into a folder.

The question remains: is the installer triggering these warnings, or some actual behavior of the program?

Contact support and ask them as they would know! @DanP can you add anything here?

Thanks,

Userlevel 7
Badge +25

Hey everyone!

For this software you will have to just do a local allow (manual override) as stated earlier in this post.

As for the reasons why our Research Team will not be whitelisting this vendor's files:

It's unsigned, it escalates privileges, it creates an executable file (an exe that creates an exe), and it writes executable commands to log files. We have historically reversed single hashes of this file and, again, it's not that we think it's overtly bad, but in the age of BYOV and other supply chain attacks there just aren't enough safeguards for us to whitelist it.

They will be discussing this niche of questionable software in broader org meetings so please let us know your feedback!
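The first reason given above, "it's unsigned", is the one a user can check locally before deciding on a manual override. The following is an added example, not Webroot's or UserBenchmark's code and not part of the original post: a pure-Python reader of the PE headers that reports whether a file carries an embedded Authenticode entry (the Certificate Table, IMAGE_DIRECTORY_ENTRY_SECURITY). Two caveats a practitioner should keep in mind: a non-zero entry only proves that a blob is attached, not that the signature chains to a trusted root, and a file signed through a Windows catalog has no embedded entry at all, so a "no" here must be confirmed with `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`. `build_minimal_pe` produces a synthetic, header-only image as constructed test input; it is not a real installer.

```python
"""Does a PE file carry an embedded Authenticode signature entry?

Added example for this thread, not Webroot's or UserBenchmark's code.  It
reads only the PE headers: the Certificate Table entry (data directory #4,
IMAGE_DIRECTORY_ENTRY_SECURITY) is a file offset/size pair that is zero in
an unsigned image.  Caveats: a non-zero entry proves only that a blob is
attached, not that it verifies; catalog-signed files have no entry at all.
Confirm with `signtool verify /pa` or PowerShell's Get-AuthenticodeSignature.
"""
import struct
import sys
from typing import Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (file_offset, size) of the Certificate Table, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    if coff + 20 > len(data):
        return None
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if opt + 2 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off, dirs_base = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_base = opt + 108, opt + 112
    else:
        return None
    entry = dirs_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional or entry + 8 > len(data):
        return None
    if struct.unpack_from("<I", data, num_dirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                           # header declares fewer directories than needed
    offset, size = struct.unpack_from("<II", data, entry)
    return offset, size


def has_embedded_signature(data: bytes) -> bool:
    """True when the Certificate Table points inside the file with a non-zero size.

    Presence is not validity: verify the chain with signtool/Get-AuthenticodeSignature.
    """
    sd = security_directory(data)
    if sd is None:
        return False
    offset, size = sd
    return offset != 0 and size != 0 and offset + size <= len(data)


def build_minimal_pe(sign: bool, pe32plus: bool = False) -> bytes:
    """Constructed test input: a header-only PE image (no sections, not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    num_dirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, num_dirs_off, 16)                  # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if sign:
        cert = struct.pack("<IHH", 8, 0x0200, 0x0002)              # WIN_CERTIFICATE stub, no PKCS#7 body
        struct.pack_into("<II", opt, num_dirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "embedded signature entry:", has_embedded_signature(fh.read()))
```

Run it as `python pe_sig_check.py UserBenchmarkSetup.exe` on the downloaded file and again on the dropped portable EXE; a file without an entry is unsigned unless it is catalog-signed, and one with an entry still needs a real chain check before it is trusted.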

 

Userlevel 7
Badge +63

Thanks Tyler for your explanation! 👍
