
Windows 8 server beta msiexec.exe suspicious?

Hello,

I tried to be very safe with my Server beta installation, clean drive, installing SumatraPDF and immediately Sophos Endpoint Security and Control 9.5 (sadly my Sophos credentials were in a PDF), and then proceeding to a few reputable standards like Chrome, AMD's driver. Little after starting the Visual Studio 11 beta "online" installation, I got repeated suspicious behaviour HIPS/FileWriteMod-003 from C:\Windows\SYSWOW64\msiexec.exe, which apparently even ended up in my quarantine, even though my VS installation proceeded normally but failed at the very end. A file msiexec.exe with md5 84996dc545774c3703de5c97ddae2a24 is there anyway, so maybe the Visual Studio installer replaced itself?

Thanks!



  • Hi,

    Firstly, suspicious behaviour detections are really to be considered in the context of what is taking place on the machine at the time. If you're installing software, there is a higher chance of getting a suspicious behaviour alert than when a user is performing their day to day activity. For this reason, Sophos really recommends, where possible, testing new software installs on a machine with sus-behaviour on to rule out any detections that may worry end users by giving you the chance to authorise files you know to be part of the trusted package you're installing up front.

    A good example is modifications to a startup point such as: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

    Any process writing to this key is up for scrutiny as it's such a common key used by malware. Of course it's also used by many legitimate applications to enable themselves to run each time the machine is started.

    So if you're consciously installing software and you get an alert for HIPS/RegMod-014 (start-up key creation)

    http://www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HIPS~RegMod-014/detailed-analysis.aspx

    Then it's probably ok (you might want to check that the run key created does point to a file you have just installed); whereas if you're just viewing a file in Word and you get an alert for a process writing a startup key then you're more likely to raise an eyebrow.


    For the alert you received and from looking at:

    http://www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HIPS~FileWriteMod-003/detailed-analysis.aspx

    It would suggest that the process "C:\Windows\SYSWOW64\msiexec.exe" attempted to open/write to a Sophos file such as maybe SAVService.exe, SAVMain.exe for example. Maybe MSIexec was just checking that what it installed was correct?

    I would suggest sending the file msiexec.exe to the labs (https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx) asking them to check it (just to be sure) and the background of how it came to be detected, what OS it came from etc, and they will tell you if it is a clean file and feed the data into their rules. Maybe as it's quite a new file it hasn't found its way into the data yet as I would imagine that known legitimate msiexec.exe versions are treated specially due to the nature of what they are likely to be doing in order to avoid false alarms like this.

    This KBA also has some info:

    http://www.sophos.com/en-us/support/knowledgebase/25472.aspx

    Regards,

    Jak

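The two checks the reply above recommends (confirming that Run-key entries point at files you actually installed, and establishing whether the flagged msiexec.exe is a genuine signed binary before sending it to the labs), as an added PowerShell example that is not part of the original thread or of any Sophos tool. It assumes an elevated PowerShell session on the affected machine; the MD5 is the one quoted in the question and is compared for reporting only, not as proof of cleanliness.

```powershell
# Added example (not from the original post): triage helpers for the two checks Jak describes.
# Assumption: run elevated on the machine that raised the alert. Get-FileHash needs
# PowerShell 4.0 or later; on older hosts use "certutil -hashfile <path> MD5" instead.

function Get-RunKeyEntries {
    # Enumerate the common autostart keys and report where each entry points and whether
    # the target exists and carries a valid Authenticode signature.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive fields
            # Recover the executable from the command line: quoted path, else first token
            # (an unquoted path containing spaces is truncated here and shows up as MISSING).
            $cmd = [string]$p.Value
            $exe = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'MISSING' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $exe; Signature = $sig }
        }
    }
}

function Test-SuspectFile {
    # Report signer, signature status and MD5 of one file; compare the hash with a value
    # taken from the alert so the sample submission can quote both.
    param([string]$Path, [string]$ExpectedMd5)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    [pscustomobject]@{
        Path            = $Path
        Signer          = $sig.SignerCertificate.Subject   # empty when unsigned
        SigStatus       = $sig.Status                      # 'Valid' for a genuine Microsoft binary
        Md5             = $hash
        MatchesQuestion = ($hash -eq $ExpectedMd5.ToLower())
    }
}

Get-RunKeyEntries | Format-Table -AutoSize
Test-SuspectFile -Path 'C:\Windows\SysWOW64\msiexec.exe' -ExpectedMd5 '84996dc545774c3703de5c97ddae2a24'
```

Entries reported as MISSING or with a signature status other than Valid are the ones to look at first; a Valid Microsoft signature on msiexec.exe supports the false-positive reading but the sample submission is still the way to get the detection data corrected.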