Windows 8 server beta msiexec.exe suspicious?

Question

Hello,

I tried to be very safe with my Server beta installation, clean drive, installing SumatraPDF and immediately Sophos Endpoint Security and Control 9.5 (sadly my Sophos credentials where in a PDF), and then proceeding to a few reputable standards like Chrome, AMD's driver. Little after starting the Visual Studio 11 beta "online" installation, I got repeated suspicious behaviour HIPS/FileWriteMod-003 from C:\Windows\SYSWOW64\msiexec.exe , which apparently even ended up in my quarantine, even though my VS installation proceeded normally but failed at the very end. A file msiexec.exe with md5 84996dc545774c3703de5c97ddae2a24 is there anyway, so maybe the Visual Studio installer replaced itself?

Thanks!

This thread was automatically locked due to age.

jak · Accepted Answer

Hi,

Firstly suspicious behaviour detections are really to be considered in the context of what is taking place on the machine at the time. If you're installing software, there is a higher chance of getting a suspicious behaviour alert than when a user is performing their day to day activity. For this reason, Sophos really recommends, where possible, testing new software installs on a machine with sus-behaviour on to rule out any detetions that may worry end users by giving you the chance to authorise files you know to be part of the trusted package you're installing up front.

A good example is modifications to a startup point such as: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run . 
 Any process writing to this key is up for scrutinity as it's such a common key used by malware. Of course it's also used by many legitimate applications to enable themselves to run each time the machine is started.

So if you're consiously installing software and you get an alert for HIPS/RegMod-014 (start-up key creation) 
 http://www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HIPS~RegMod-014/detailed-analysis.aspx 
 Then it's probably ok (you might want to check that the run key created does point to a file you have just installed); whereas if you're just viewing a file in Word and you get an alert for a process writing a startup key then you're more likely to raise an eyebrow. 
 For the alert you received and from looking at: 
 http://www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HIPS~FileWriteMod-003/detailed-analysis.aspx

It would suggest that the process " C:\Windows\SYSWOW64\msiexec.exe" attempted to open/write to a Sophos file such as maybe SAVService.exe, SAVMain.exe for example. Maybe MSIexec was just checking that what it installed was correct?

I would sugges to send in the file msiexec.exe to the labs ( https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx ) asking them to check it (just to be sure) and the background of how it came to be detected, what OS it came from etc, and they will tell you if it is a clean file and feed the data into their rules. Maybe as it's quite a new file it hasn't found it's way into the data yet as I would imagine that known legitiate msiexec.exe versions are treated specially due to the nature of what they are likely to be doing in order to avoid false alarms like this.

This KBA also has some info: 
 http://www.sophos.com/en-us/support/knowledgebase/25472.aspx

Regards, 
 Jak 
 :25337