Hello
I have been using FFS portable on my business PC for years now.
Since last week I get the warning from MS Defender that the exe-files are infected with malware (EUS:Win32/CustomCertEnterpriseBlock!cl).
First I donated to FFS in order to get the latest portable edition, but also here I receive the warning.
Result is, that the files are deleted.
Copying them again also leads to the warning and deletion.
What is it about?
What is the reason behind?
Is there an edition without that?
Thank you
Joe
MS Defender: FFS Donate Portable infected
- Posts: 6
- Joined: 17 May 2023
- Posts: 3599
- Joined: 11 Jun 2019
What is it specifically flagging? I ran everything except 'Resources' through VirusTotal and it came back 100% perfect.
Open Defender, go to history, show details, post a screenshot
- Posts: 3599
- Joined: 11 Jun 2019
Seems like a really generic classification
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=EUS:Win32/CustomCertEnterpriseBlock!cl&ThreatID=-2147236663
Are you on a domain or have something set up that maybe whitelists certs?
- Posts: 3599
- Joined: 11 Jun 2019
- Posts: 6
- Joined: 17 May 2023
Hi
Scanning it with Kaspersky beforehand also shows 100% clean.
Yes, it might not be a "real" detection, but anyhow it is being blocked/deleted, so that I cannot use FFS anymore on that PC.
However due to limited user rights I cannot do anything about it.
The only chance would be, that the "reason" for it is removed from the EXE.
- Posts: 6
- Joined: 17 May 2023
The question is, what this could be within the EXE:
"This threat can change the way your PC behaves..."
- Site Admin
- Posts: 7052
- Joined: 9 Dec 2007
Just wait a few days. FreeFileSync released today, so it's normal for AV software to freak out.
- Posts: 6
- Joined: 17 May 2023
To be honest I do not believe that time will solve the issue. 😉
The first warnings appeared with a quite old edition of FFS all of a sudden.
I only switched to the latest one as I was not 100% sure where from that one was and to be safe with an "official" one. In the end even the old one was a donation-edition.
- Posts: 3599
- Joined: 11 Jun 2019
This is an issue with your company's IT department, not the software. They changed something last week that blocks FFS, along with a lot of other software I would guess. Contact your IT team
- Posts: 6
- Joined: 17 May 2023
Basically I agree with your point.
Unfortunately that is not an option. ;-)
I thought you could tell me, what in the background could cause the issue (e.g. automatic search for updates etc.).
It was a try from my side.
I guess I need to look for an alternative, which works. :-)
Thanks
- Posts: 943
- Joined: 8 May 2006
Which particular files get deleted?
You might try renaming them & see if that might get you somewhere?
If FreeFileSync.exe, you might name it dontdeletemeMS.exe.
If it also deletes FreeFileSync_x64.exe, the above wouldn't help.
But you could try renaming FreeFileSync_x64.exe to dontdeletemeMS64.exe - &, run that file directly (instead of FreeFileSync.exe)***.
***This would be a hack & there could be issues in doing something like that (see recent discussion).
But, it can't hurt to try & see if it gives you something that is workable.
(A/V can be dumb, & sometimes even a name change can help.)
- Posts: 6
- Joined: 17 May 2023
Hi
Thanks for your suggestions.
Unfortunately that did not outsmart AV. 🙁
All exe-files (also in folder bin) are being flagged when trying to copy them onto the machine or executing them. I then can only choose between deleting them or putting them into quarantine by AV.
The interesting thing is, that on another machine with the same setup I somehow managed after numberless tries that AV is not recognising the exe anymore or they are allowed or whatever. No issues anymore.
But I have no idea what I did to get there.
And copying those files onto the other machine does again end up in warnings by AV. 🤔
- Posts: 943
- Joined: 8 May 2006
Whitelisted location? I.e., c:/ffs/ vs. c:/program files/ffs/ (where /program files/ is a "protected" directory)?
Different A/V definition updates?
- Posts: 3599
- Joined: 11 Jun 2019
IT could probably say exactly what is happening and why.