Trend Micro flagging Everything as PUA.Win32.FileSearcher.C

[void]

Update:

Thank you everyone for your support.

Trend Micro has dropped the PUA flagging of "Everything" (all current versions).

Everything does not contain any spyware, malware or viruses.

Trend Micro is removing the Installer for Everything 1.4.1.969 and flagging it as PUA.Win32.FileSearcher.C
PUA = Potentially Unwanted Application.

Trend Micro is also removing the Installer for Everything 1.4.1.986 and flagging it as PUA.Win32.FileSearcher.E


For now, Trend Micro recommends adding Everything to your whitelist:
Main console -> gear -> exception list (option on left) -> choose application / program white list.

Or lowering your detection level to normal/medium.

Please make a false positive report on Trend Micro's website:
https://success.trendmicro.com/smb-new-request
Select Threat Issue
Select File False Positive.

-and-

Please politely let Trend Micro know Everything from voidtools is not unwanted by submitting a ticket.

Reply from Trend Micro:

Please note that grayware applications do not fall into any of the major threat categories (i.e. virus or Trojan horse) as they are subject to system functionality, as well as user debate.

REFERENCE: https://www.trendmicro.com/vinfo/us/sec ... wanted-app

There are indeed Trend Micro customers who use this tool for File Searching but there are also customers who have the need that they would be notified if such application is present and being used in the environment they are monitoring.

Given the scenario above, the detection for the file as PUA.WIN32.FileSearcher.C needs to be retained.

If a Trend Micro Customer is using this file, they will need to exempt it through Spyware/Grayware Approved List in their product settings.

REFERENCE for OfficeScan: https://docs.trendmicro.com/all/ent/off ... e_Grayware

We hope this this explains that the Everything.exe is not Spyware but recognized as PUA on Trend Micro's Side and the need to retain the detection to meet the needs from both customers.

This tool was used to lists all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes.

For more info about the file please refer to the following URLs:

https://www.kroll.com/en-ca/insights/publications/cyber/malware-analysis-buran-ransomware-as-a-service
https://www.bankinfosecurity.com/ransomware-gangs-not-so-secret-attack-vector-rdp-exploits-a-13342

Other PUA names:
PUA.WIN32.FileSearcher.A
PUA.WIN32.FileSearcher.B
PUA.WIN32.FileSearcher.D
PUA.WIN32.FileSearcher.E
PUA.WIN32.FileSearcher.F
PUA.WIN32.FileSearcher.G
PUA.WIN32.FileSearcher.H
PUA.WIN32.FileSearcher.I
PUA.WIN32.FileSearcher.J
PUA.WIN32.FileSearcher.K
PUA.WIN32.FileSearcher.L
PUA.WIN32.FileSearcher.M
PUA.WIN32.FileSearcher.N
PUA.WIN32.FileSearcher.O
PUA.WIN32.FileSearcher.P
PUA.WIN32.FileSearcher.Q
PUA.WIN32.FileSearcher.R
PUA.WIN32.FileSearcher.S
PUA.WIN32.FileSearcher.T
PUA.WIN32.FileSearcher.U
PUA.WIN32.FileSearcher.V
PUA.WIN32.FileSearcher.W
PUA.WIN32.FileSearcher.X
PUA.WIN32.FileSearcher.Y
PUA.WIN32.FileSearcher.Z

[ArnoldM]

Thank you for putting out a new build to fix the issue. I've successfully downloaded and installed this version. All good so far. I haven't even whitelisted the software yet (I think I need admin rights for this) and it's working perfectly.

Thank you for creating and improving this life-saving tool, and for doing this so swiftly!

NB: This is my first post in an type of software forum on the interwebs, and I use tons of software compared to your average MS Office (workplace) user. I couldn't imagine being unable to use your search engine. Ciao!

[void]

My guess is someone is doing something malicious with Everything 1.4.1.969.

I've updated the installer to version 1.4.1.986.

Please make a false positive report on Trend Micro's website:
https://success.trendmicro.com/smb-new-request
Select Threat Issue
Select File False Positive.

-or-

Please politely let Trend Micro know Everything from voidtools is not unwanted by submitting a ticket.

[YossiD]

I am having the same problem with Everything-1.4.1.986.x64 portable that I downloaded this morning. Trend Micro is flagging it as PUA.Win32.FileSearcher.E. Rolled back to 1.4.1.935.x64 and all is well. Have not tried 1.4.1.969.

I have not tried the installer, only the portable version.

Since the Trend Micro is controlled by our SysAdmin I do not have access to the white list.

[void]

I've had reports of the x86 version working.

Please politely let Trend Micro know Everything from voidtools is not unwanted by submitting a ticket.

[juzzle]

Just chiming in to point out that Trend is now reporting "PUA.Win32.FileSearcher.E", not "C". The behaviour started yesterday, also FYI.

[void]

Reply from Trend Micro:

Please note that grayware applications do not fall into any of the major threat categories (i.e. virus or Trojan horse) as they are subject to system functionality, as well as user debate.

REFERENCE: https://www.trendmicro.com/vinfo/us/sec ... wanted-app

There are indeed Trend Micro customers who use this tool for File Searching but there are also customers who have the need that they would be notified if such application is present and being used in the environment they are monitoring.

Given the scenario above, the detection for the file as PUA.WIN32.FileSearcher.C needs to be retained.

If a Trend Micro Customer is using this file, they will need to exempt it through Spyware/Grayware Approved List in their product settings.

REFERENCE for OfficeScan: https://docs.trendmicro.com/all/ent/off ... e_Grayware

We hope this this explains that the Everything.exe is not Spyware but recognized as PUA on Trend Micro's Side and the need to retain the detection to meet the needs from both customers.

[void]

This tool was used to lists all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes.

For more info about the file please refer to the following URLs:

https://www.kroll.com/en-ca/insights/publications/cyber/malware-analysis-buran-ransomware-as-a-service
https://www.bankinfosecurity.com/ransomware-gangs-not-so-secret-attack-vector-rdp-exploits-a-13342

[therube]

From the Nirsoft end, https://blog.nirsoft.net/2009/05/17/ant ... evelopers/.

The DIR command was used to lists all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function. This tool is not considered malicious and was developed by a legitimate company but can be used for profiling purposes.

The Google search engine can be used to help find how to develop an A-bomb (or a bird feeder).

Henceforth, Trend Micro (the almighty) has decided to ban all Google searches.

For more information, please refer to, https://www.google.com/search?q=Trend+M ... e+searches

[horst.epp]

The solution is simply as Trend Micro says:
... they will need to exempt it through Spyware/Grayware Approved List in their product settings.
If a user can't do as suggested in his own Trend Micro installation he must complain with the IT organisation
which unfortunately already made the big error to select Trend Micro.

[void]

I have added a Lite version of Everything.

The Lite version does not allow IPC.
With the Lite version, it will be difficult for an attacker to use Everything to create a profile of your system.

[sunish]

The enterprise version is working on my system where Trend Micro is managed by my organization.

Registered on this forum to say thanks for the amazing utility. Trend Micro Antivirus removing it from my system made me realize how much I missed it when it was not working. I have been a user since 2013.

Just curious what makes the enterprise version different?

[void]

The Lite version is the same as the normal version, except it has IPC support removed.

This makes it difficult for an attacker to extract information from Everything.
Unfortunately, this means some useful features such as the command line interface and screen readers will not work with the Lite version.

[void]

Renamed the 'Enterprise' version to the 'Lite' version.

[void]

The Lite version is now being flagged as PUA.

I'm checking with Trend Micro as to why..

[void]

Thank you everyone for your support.

Trend Micro will be dropping the PUA flagging of "Everything" (all versions).

This may take up to a week for the change to be pushed through with the next Spyware update.

[piyo]

Thank you for your continued diligence in this matter.
I am a user of TM and I want to post again on this topic in more detail. But for now, a show of support.

[piyo]

It is unclear to me which "spyware update" version needs to be loaded to resolve this problem so I am publishing my current findings.
Will the version be explained?

Trend Micro is currently tracking Everything as a PUA with these tags:

https://www.trendmicro.com/vinfo/us/thr ... earcher.A/
2.283.00 - 07 May 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.B/
2.312.14 - 16 Jul 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.C/
2.313.00 - 16 Jul 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.G/
??? deleted?
https://www.trendmicro.com/vinfo/us/thr ... earcher.D/
2.317.00 - 30 Jul 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.E/
2.317.00 - 30 Jul 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.G/
2.319.00 - 06 Aug 2020
https://www.trendmicro.com/vinfo/us/thr ... earcher.E/
2.322.00 - 13 Aug 2020

Currently the Spyware Pattern version is:

https://www.trendmicro.com/en_us/busine ... s.html?#t4

Spyware Pattern Version: 2.321.00 Release date: 2020-08-12 06:00:14 (UTC-8)
Spyware Pattern (DA6) Version: 23.21 Release date: 2020-08-12 09:40:34 (UTC-8)

https://downloadcenter.trendmicro.com/i ... p_patterns

スパイウェアパターンファイル（SSAPI用）
SSAPIPTN.DA6（マニュアルスキャン＆クリーン用）： 23.21 (08/13)
SSAPTN（リアルタイムスキャン用）： 2.321.00 (08/13)

[void]

The Spyware update that drops the PUA flagging of Everything is still pending.

Please check again Today, it might be in Thursdays (2020-08-20) Spyware Pattern update.

[piyo]

Good news!
According to the following URL, the Spyware signatures presumably associated with Everything (ie. PUA.*.FileSearcher.*) has been dropped on Pattern version 2.325.00, August 19, 2020, 06:00:10 (UTC).

https://www.trendmicro.com/ftp/products ... ssaptn.txt

-----------------------------------------------------------------------------
Trend Micro
New Spyware Pattern Release
-----------------------------------------------------------------------------

Pattern Version: 2.325.00
August 19, 2020, 06:00:10 (UTC)

---------------------
New Spyware Detected:
---------------------
There are [71] new Spyware detected by the pattern file.
All detailed Spyware names please refer to the list below.

snip

---------------------
Spyware Signature Modified:
---------------------




---------------------
Spyware Signature Dropped:
---------------------

CRCK_KEYGEN.CB
PUA.Win32.FileSearcher.A
PUA.Win32.FileSearcher.B
PUA.Win32.FileSearcher.C
PUA.Win32.FileSearcher.F
PUA.Win32.FileSearcher.G
PUA.Win32.FileSearcher.H
PUA.Win32.FileSearcher.I
PUA.Win32.FileSearcher.J
PUA.Win32.FileSearcher.M
PUA.Win32.FileSearcher.N
PUA.Win32.FileSearcher.O
PUA.Win32.FileSearcher.P
PUA.Win32.FileSearcher.Q
PUA.Win64.FileSearcher.A
PUA.Win64.FileSearcher.D
PUA.Win64.FileSearcher.E
PUA.Win64.FileSearcher.G
PUA.Win64.ProcHack.C

[piyo]

Also, the URLs in my previous post that describe Spyware Signature seemed to have its contents deleted. The URLs do show up if one searches for "Everything.exe".
i.e.
https://www.trendmicro.com/vinfo/us/thr ... earcher.A/

I cannot yet verify on my Trend Micro infested machine about this update, but I intend to check it.

[horst.epp]

Also, the URLs in my previous post that describe Spyware Signature seemed to have its contents deleted. The URLs do show up if one searches for "Everything.exe".
i.e.
https://www.trendmicro.com/vinfo/us/thr ... earcher.A/

I cannot yet verify on my Trend Micro infested machine about this update, but I intend to check it.

You can now wait for the next Everything update and the game starts over.
I'm so happy that I can select myself the Anti-virus tool on my machines (currently Kaspersky and Windows Defender).
I had enough problems with Trend Micro in my professional life.

[regios]

It is not made clear in the above if those external actors who used Everything maliciously did so by (1) looking for and exploiting existing installs of Everything or (2) bundling/downloading a copy of Everything when the malware got onto the system.

In case the problem was (1) then can we do something to harden the regular Everything version (not Lite version). For example would it be possible to add some kind of authentication or password step for IPC use? For those of us who want to keep using IPC but still mitigate against this kind of issue.

[void]

From the links that Trend Micro sent me:
https://www.kroll.com/en-ca/insights/pu ... -a-service
https://www.bankinfosecurity.com/ransom ... ts-a-13342

It looks like Everything was not installed, and was copied and run as the portable version.
Although, Trend Micros wording "This tool was used to lists all files on a file system. It allows an attacker to check whether a system is already infected by another piece of ransomware using the search function." makes it difficult to know without more information.

In case the problem was (1) then can we do something to harden the regular Everything version (not Lite version).

Even though this doesn't appear to be the attack used I am looking into a solution, they might include:
Disabling IPC by default. The attacker could just enable it (if they have admin rights)..
Password protecting IPC calls. The attacker could just disable the password (if they have admin rights).
Accept IPC connections only from ES.exe / Everything.exe (code signed by voidtools)

Keep in mind Everything wasn't the attack vector here. These systems were already comprised.
The attacker could have just as easily called DIR or FindFirstFile.

IPC also covers the LVM (List View Message) messages, these are required by screen readers and accessibility features to function.

IPC can be disabled now by setting the ini setting ipc to 0

[regios]

Thanks for clarifying the situation. I see the challenge in effectively locking down IPC access (without removing IPC altogether) in cases where the attacker already has gained admin access to the system by other means, but hopefully something can be done.

[maphew]

For what it's worth, today Apex One allowed me to install Everything (via chocolatey). I manually used the client to scan "C:\Program Files\Everything" via r-click context menu and it came back with no warnings.

I don't know how to retrieve the central server's version number etc.