Author Topic: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit  (Read 14557 times)

0 Members and 1 Guest are viewing this topic.

Sgt.Schumann

  • Guest
During the MS update process (Vista 64bit) avast! accused the "Trustedinstaller.exe" (located in "C:\windows\servicing\") as rootkit.
I think this is a false positive since this file is AFAIK an essential part of Windows (Update).
Can you confirm this false positive?

Unfortunately after several clicks in the notification window (I tried to choose "Ignore", there were not much options) it was not possible to close the notification window with a regular button (it was some kind of blocked), so i closed it using the "x", which obviously caused, that this file has been deleted :-(

This has as major effect, that Windows Update will not work anymore (since the Trusted Installer Service is broken, because it is based on this .exe)... About an hour to repair this  :(

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #1 on: June 11, 2010, 07:03:21 PM »
I think this is a false positive since this file is AFAIK an essential part of Windows (Update).
Can you confirm this false positive?

Sorry, not many of us use Vista 64bit. ;)
But if you want to make sure send the file to virustotal.com
Please post your results. Thanks..!
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Sgt.Schumann

  • Guest
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #2 on: June 11, 2010, 07:15:39 PM »
Unfortunately the file has been deleted by avast! (so it is not even in the virus chest), so i can not provide and check this file.

In order to "repair" Windows (Update) and the Trusted Installer Service, I restored the file (probably an older version) from the Vista component store (WinSxS folder) ... which is only a suboptimal - but working - solution ... The restored file was not accused as rootkit by avast! ...

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #3 on: June 11, 2010, 07:23:36 PM »
Unfortunately the file has been deleted by avast! (so it is not even in the virus chest), so i can not provide and check this file.

If the file got deleted, there's nothing much we can check or do anymore, I guess...
asyn

(Btw, do you already know about the new german section..? http://forum.avast.com/index.php?board=24.0)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Hermite15

  • Guest
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #4 on: June 11, 2010, 07:23:55 PM »
and what if you try to update again now, see if the updated file is flagged again? just make sure to set the file system shield to "ask", so that you're a 100% sure to get the opportunity to send to Chest...then restore it to any location (may be temporarily deactivate the fs shield, and submit it to Virus Total as suggested by Asyn...

Sgt.Schumann

  • Guest
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #5 on: June 11, 2010, 07:43:51 PM »
@asyn: thanks for the info about the german section ... nice to know  :)

@logos: thanks for your suggestions
First to say ... it was not my own machine, so i will "see" it in some days at the earliest. On the machine, i have performed several checks for updates (Windows Update) after the "repairing", but there were no new updates available (but update check worked again, since some optional updates were listed). So no new version of the file has been updated, as far as i have noticed. But i will keep an eye on it.
To come back to the "detection" (which ended in the deletion of the file), the notification window with the options to choose (in the drop-down) looked quite different from the normal "file shield" ... if i correctly remind, there were only two options ("delete" and "ignore") ... i had also already configured all shields to "ask" as first option ... maybe the rootkit detection/warning/heuristic has other settings  ...

Hermite15

  • Guest
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #6 on: June 11, 2010, 07:52:41 PM »
you can may be get the file back from here:
http://catalog.update.microsoft.com/v7/site/Home.aspx

(works only in Internet Explorer)

edit can you post a screen shot of the alert next time?
« Last Edit: June 11, 2010, 07:58:13 PM by Logos »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #7 on: June 11, 2010, 07:59:19 PM »
I had no problems with my Vista 64bit and avast! 5. Unless this problem raised today. I haven't start my system yet today...
Visit my webpage Angry Sheep Blog

Sgt.Schumann

  • Guest
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #8 on: June 11, 2010, 08:04:03 PM »
Found another post in the "avast! Free/Pro/Suite"-Section of the forum from yesterday with the same "effect":

http://forum.avast.com/index.php?topic=60635.0
« Last Edit: June 11, 2010, 08:07:11 PM by Sgt.Schumann »


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #10 on: July 05, 2010, 01:03:55 PM »
confirmed on Windows 7 Version 6.1 Build 7600

Did this happen with the latest avast build...?? (5.0.594)
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

spg SCOTT

  • Guest
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #11 on: July 05, 2010, 07:19:54 PM »
Again, with the "Recommended" Delete now default...That is a windows file...I thought there would have been measures to avoid this... ::)

ZaphodBB

  • Guest
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #12 on: July 05, 2010, 09:17:34 PM »
confirmed on Windows 7 Version 6.1 Build 7600

Did this happen with the latest avast build...?? (5.0.594)
asyn


It was on a fresh install yesterday, popped up after all available updates had been installed. i.e. I installed all available system updates prior to installing Avast.

Program Version: 5.0.594
Virus Defs: 100705-0

Hermite15

  • Guest
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #13 on: July 05, 2010, 09:45:12 PM »
no issue here with "trustedinstaller" up and running...may be the issue came on 32 bit Seven? ...anyway there's just been an update to 100705-1. My screen shot comes from a time when 705 was still there.

bo.elam

  • Guest
Re: MS Update on Vista 64bit: "Trustedinstaller.exe" accused as rootkit
« Reply #14 on: July 10, 2010, 04:52:21 AM »
Again, with the "Recommended" Delete now default...That is a windows file...I thought there would have been measures to avoid this... ::)

If delete is on default, can it be change to ignore? I have done some searching
and I have not found that to be possible. Can somebody tell me if indeed is
possible to change the default action of the auto anti-rootkit scan and how.
The delete default action scares the hell out of me.
Bo