Topic: TrustedInstaller.exe is still flagged as heuristically suspicious (vista x64)


metalbot

  • Guest
Hello, Forum.

I'm a brand new Avast user on a vista x64 sp1 Home Premium desktop box.
(avast! version 4.8 home edition build 4.8.1296; VPS version 081218-0)

Immediately after the reboot that follows the install process, avast started scanning around.
- It may be noteworthy that Windows Update was running concurrently.
- AVG is installed on the box, but was not running a scan at the time.

About 10 minutes into the scan, an "avast! Warning" dialog popped up boldly claiming "Suspicious File Found!":

"A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.

File Name: C:\Windows\servicing\TrustedInstaller.exe
Type:       hidden services"

I have found 3 other threads ( 1 2 3 ) in this forum in which it is claimed that:
- this has been fixed in recent builds
- it might really be a trojan

I don't think either claim is true here. Here's a VirusTotal scan of my file.

If this affects new users of avast on vista x64, it is worrisome to think that a good percentage of these users is likely to click the "Delete now" button and feel safer, when they've in fact compromised their system's ability to keep up to date with security patches.

I am now going to click the "Ignore" button, and submit the file to your virus lab (even though I don't think my windows license truly allows me to send bits copyrighted by MS around, but I digress.)

I won't check the "Do not tell me about this file in the future" checkbox, and will post an update to this thread if the dialog decides to re-appear.


Thank you,
Henri

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
In the past the C:\Windows\servicing\TrustedInstaller.exe was detected by the standard on-access and on-demand scanners based on a virus database signature. This false positive was corrected and it was no longer detected by conventional signature detection.

However, the anti-rootkit scan has detected this by a heuristic method, I think the actual text is relatively clear:
"A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis."

I also believe the recommended action is to Ignore and send the file for analysis?
« Last Edit: December 19, 2008, 12:20:45 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

metalbot

  • Guest
Hi DavidR,

Thank you for your quick reply.

Your answer is entirely accurate.

Nonetheless, false alarm dialogs that put the user one click away from removing an important system file are a problem, particularly among the less technically inclined crowd.

Heuristics being what they are, creating a whitelist of pairs of (filename, checksum) for system files that are known to get flagged would be one way to minimize occurrences of this scenario.

(It'd be a lot easier if MS would just sign their system files, but I don't think they do.)

Regards,
Henri

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
It'd be a lot easier if MS would just sign their system files, but I don't think they do.
Some files only... that's the problem...
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
It'd be a lot easier if MS would just sign their system files, but I don't think they do.
Some files only... that's the problem...

Yes, that is a problem, and system files are more likely to be unsigned than those that are signed, a means to confirm that they haven't been tampered with (or infected); in the normal detection method there is a check for digital signatures on infected files.

This is obviously one of the problems associated with heuristics, it is just strange that a previous FP on this file was corrected in the normal signature based detection.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Metalbot, the Windows files are indeed supposed to be signed (including trustedinstaller.exe).
However, they're not signed using embedded signatures; they're signed by so-called catalogs.

The strange thing is, the antirootkit/heuristics module in avast is designed to always ignore files that have a valid Microsoft signature. To that end, it seems that the signature validation on your system must've somehow failed.

It would be useful if you could try a standalone version of our signature-verification program. Maybe there's a bug in it, or maybe the security catalogs on your system are somehow corrupted. In any case, it could lead us to a solution of the problem.

To do this, please download the file http://public.avast.com/~vlk/CheckSig.exe

and run it like this:

CheckSig.exe C:\Windows\servicing\TrustedInstaller.exe

(from a command line, as it's a command line program). What does it report? On my box, the output is like this:

Signature of "C:\Windows\servicing\TrustedInstaller.exe" verified.
Details:

Program name:       Microsoft Windows
Program URL:        http://www.microsoft.com/windows
Issuer :            Microsoft Windows Verification PCA
Subject :           Microsoft Windows
Signing Timestamp : 01/19/2008 14:10


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.
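Vlk's point above (Windows binaries are catalog-signed rather than carrying embedded signatures, and the heuristic skips files with a valid Microsoft signature) can be checked with built-in tooling on current Windows. This is an added example, not avast's CheckSig.exe; it assumes Windows PowerShell 5.1 or later, which did not exist on Vista, and `Test-MicrosoftSigned` is a hypothetical helper name.

```powershell
# Added example: reproduce the rule Vlk describes - a file is skipped only when its
# Authenticode signature (embedded or catalog) validates AND chains to Microsoft.
# Assumes Windows PowerShell 5.1+ (Get-AuthenticodeSignature resolves catalog signatures there).
function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }

    # Status 'NotSigned' with SignatureType 'None' on a file Windows ships usually means the
    # catalog lookup failed (missing or corrupted catalogs), which is the failure mode Vlk suspected;
    # 'HashMismatch' means the bytes on disk no longer match what the catalog vouches for.
    [pscustomobject]@{
        Path            = $Path
        Status          = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        SignatureType   = $sig.SignatureType   # None, Authenticode (embedded) or Catalog
        IsOSBinary      = $sig.IsOSBinary      # Windows itself vouches for the file
        Subject         = $subject
        Issuer          = $issuer
        MicrosoftSigned = ($sig.Status -eq 'Valid') -and
                          ($sig.IsOSBinary -or $subject -like '*Microsoft*')
    }
}

# Usage: the file from this thread, plus an arbitrary user-profile file for contrast.
Test-MicrosoftSigned "$env:SystemRoot\servicing\TrustedInstaller.exe" | Format-List
Get-ChildItem "$env:USERPROFILE\Desktop" -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Test-MicrosoftSigned $_.FullName } |
    Format-Table Path, Status, SignatureType, MicrosoftSigned -AutoSize
```

A validly signed OS binary reports `Status Valid` with `SignatureType Catalog`, which is the same conclusion CheckSig.exe reached for Henri's file.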

zone12

  • Guest
Hi, I used to have this problem too. It's false; I think it's because you started up one of those HP games by WildTangent. Delete those things. They don't look very safe.

metalbot

  • Guest
Hi Vlk,

I tried running your tool, and it claims the signature on TrustedInstaller.exe is valid:

Code:
henri@Blackhole /c/Users/henri/Desktop
$ ./CheckSig.exe c:\\Windows\\servicing\\TrustedInstaller.exe
Signature of "c:\Windows\servicing\TrustedInstaller.exe" verified.
Details:

Program name:       Microsoft Windows
Program URL:        http://www.microsoft.com/windows
Issuer :            Microsoft Windows Verification PCA
Subject :           Microsoft Windows
Signing Timestamp : 01/19/2008 09:08

henri@Blackhole /c/Users/henri/Desktop
$

The output is identical to yours, except the hour/minute fields. (I'm on vista home premium, if that explains anything.)

Thanks,
Henri