microsoft/DiagManager

WaitForExe.cmd placed in quarantine

jdschuitemaker opened this issue · 7 comments

I downloaded the zip-file and extracted it to a folder and then got a message from our Cisco AMP antivirus software:

WaitForExe.cmd has been detected as W32.Auto:8943003b4e.in05Talos. Quarantine was successful

@jdschuitemaker can you please clarify which .zip file was downloaded? The PSSDIAG releases for the past couple of years contain no .EXEs or .DLLs. Please see https://github.com/microsoft/DiagManager/releases

According to my browser history I downloaded it from this link: https://objects.githubusercontent.com/github-production-release-asset-2e65be/71370038/60e71bfb-9868-4c77-b355-d200e7c3ea7a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230313%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230313T085234Z&X-Amz-Expires=300&X-Amz-Signature=eda80286c9eb3eac4bc33fc820cc1408b6a043169610dc1c850d770ee98e081e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=71370038&response-content-disposition=attachment%3B%20filename%3DPSSDIAG_v_16_22_11_11.zip&response-content-type=application%2Foctet-stream

The link itself seems legit. Also, the browser didn't see the file as a possible threat and downloaded it without any objections. No warnings whatsoever. I can also go through the zip-file with Explorer and browse the folders/files in it.

Just upon extracting the file I got the message about the quarantine by Cisco AMP Antivirus Software. I went through the GitHub sources and found nothing special inside the WaitForCmd.cmd.

I wanted to report so you could look into it. Maybe it is just a false positive. Others might get this message also, so then this issue is just for future reference.

OK, sorry, I misinterpreted the question. I was thinking of the .zip file that gets produced by PSSDIAG.
Yes, thank you for reporting this.
We will take this into consideration.
This file calls built-in Windows commands like sleep and findstr - as you pointed out, nothing special to it.
Yes, we have seen in the past false positives reported on one or two files. We will see if we can address this on our end at all.

Thank you for being proactive and helping the community, @jdschuitemaker

@jdschuitemaker, just wanted to inform you that we run the tool through anti-virus validation before we release it.
Just now I again validated PSSDIAG_v_16_22_11_11.zip with VirusTotal.com, which validates the file against 50 or 60 different anti-malware providers, and "No security vendors and no sandboxes flagged this file as malicious".
Thank you

Thank you very much for the update!

@jdschuitemaker I have one more update for you. You can safely delete this file from your pssdiag folder. It is left over from previous functionality and it's not used by any component.
I made that change to it and some other files in the code and a future release will have this file removed.

See #219

Thank you, I will keep an eye on the new release.