Windows Defender Advanced Threat Protection false positive on Vivaldi components
-
@janrif I just hope you didn't actually install that "Chromnius" thing, that looks really shady - malware masquerading as a browser.
"This Chromium based browser is considered potentially unwanted because it sometimes comes as bundleware and it uses its own search engine and startpage."
https://www.malwarebytes.com/blog/detections/chromnius-download
"Chromnius is a Chromium-based web browser by Dragon Boss Solutions LLC 2 in Sharjah Media City, United Arab Emirates."
https://scammer.info/t/chromnius-browser-privacy-intrusion-potentially-unwanted-software/108861
"I accidentally installed Chromnius despite a warning ("Suspicious site"? I don't recall exactly) by Malwarebytes. As far as I can tell, it reroutes all queries made in browsers running from Chrome (Google, DuckDuckGo) to Yahoo. MS Edge is unaffected."
https://forums.malwarebytes.com/topic/290799-chromnius-virus-not-found-by-malwarebytes/
Please also take note of the image on the MWB site: this warning says "File" is chrome.exe. This does not mean Chrome is infected, it just means the outbound connection was initiated by the browser (this ref. your earlier topic).
-
There is a difference between standard Windows Defender for end users and Windows Defender ATP (Advanced Threat Protection), which is made up for enterprise use and offers an administration backend where companies can implement their own security policies.
I don't have any problem at all on my private computers with Vivaldi and Windows Defender at home.
At work, I use a special company desktop where I am allowed to install my own software (I need that possibility for my job) and have used Vivaldi there for several years without problems. Since it is blocked, I turned to company support, but I was told that there is no guarantee for any given software to run on that computer when it is not listed as supported, so it is my problem.
It could be that there was a change in the company's security policies, I don't believe that, but they won't tell me. I assume there was a change in the Vivaldi binaries that triggers the protection. So I am asking if any other user experiences similar problems in a company environment.
Vivaldi main exe, updater and several dlls were quarantined, and even the newest installer. Strange is that there is little information to be found concerning the mentioned malware "CustomCertEnterpriseBlock!cl".
-
@comuki said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
Strange is that there is little information to be found concerning the mentioned malware "CustomCertEnterpriseBlock!cl"
Generally, everybody keeps public details about viruses to a minimum. About this one, MS seems to say one thing (blocked by admin), other sites say something much worse (claiming it, or some variant, is a worm). Some sites seem big on paranoia and scare-em tactics (possibly to sell something).
Regarding Vivaldi, VirusTotal does not report any detections in the current x64 installer.
As far as company "support" policies are concerned that is something we can't do anything about, unfortunately.
Vivaldi installers, and the installed executables, are digitally signed, which means that changes to the code can be detected, especially during installation. (Although there is an old unpatched Windows vulnerability that allows some data to piggyback without changing the signature, which was used in a recent high profile attack, so make sure you download directly from the vendor, although that did not help during the recent attack, but it does generally reduce the risk)
As for @janrif's case, as has been noted, that was not a Vivaldi installer file; the setup.exe will never be stored in that dir (it may be in a temp dir, and will be in the installation directory), and the casing of the name was wrong. But it is Standard Operating Procedure for malware to use common or well-known application names, like setup, or to use the name of well-known applications after installation, which is yet another reason to download from the official vendor site (and don't let downloads be automatically saved to the download directory, that is a good way to get a file like that Setup app lurking in the download dir waiting for a careless click by the user).
-
@yngve I believe this "CustomCertEnterpriseBlock!cl" is a generic alert saying the program/install has been blocked by policy. Of course, someone/something trying to launch a program not on the official list of approved apps could be either a serious security issue, or just some user trying their luck (like in this case). And users "trying their luck" could be enough to get your system infected...
The way it's done is usually to whitelist certain folders, like Program Files. Any executable being launched from anywhere outside these folders is blocked. And since only Administrators are allowed to install to Program Files, this effectively blocks a huge attack vector.
other sites say something much worse (claiming it, or some variant, is a worm). Some sites seem big on paranoia and scare-em tactics (possibly to sell something).
Yes, sites like "How To Fix Guide" and similar are best avoided, they give absolutely zero useful advice and exist only to push users to install some "malware cleaner" which is probably just as bad or worse than the actual malware...
These sites use sneaky SEO tactics to get first on the search results for common malware/hijackers.
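The two mechanisms described in this thread, Authenticode signing of the installer and executables (yngve's post) and a folder allow-list where only administrator-writable locations like Program Files may launch code (the post above), can be reproduced on a single machine to see why a stray Setup.exe in the Downloads folder gets blocked while the installed binary does not. The script below is an added example written for this discussion; it is not code from Vivaldi, Microsoft Defender or any poster. The function name `Test-LaunchAllowed`, the default allow-list and the two sample paths at the end are assumptions for illustration (Vivaldi may install elsewhere on your system); `Get-AuthenticodeSignature` and `Resolve-Path` are standard PowerShell cmdlets.

```powershell
# Added example (not from the thread): emulate an "allowed folder + valid signature" launch policy.
function Test-LaunchAllowed {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Assumed allow-list: locations that only an administrator can write to.
        [string[]]$AllowedRoots = @(
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)},
            (Join-Path $env:SystemRoot 'System32')
        )
    )

    $result = [ordered]@{
        Path            = $Path
        InAllowedFolder = $false
        SignatureStatus = 'NotChecked'
        Signer          = $null
        Verdict         = 'Block'
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Verdict = 'FileNotFound'
        return [pscustomobject]$result
    }

    # Normalise to a full provider path so relative paths and ..\ segments cannot dodge the prefix test.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $result.Path = $full

    foreach ($root in ($AllowedRoots | Where-Object { $_ })) {
        $rootFull = (Resolve-Path -LiteralPath $root -ErrorAction SilentlyContinue).ProviderPath
        if (-not $rootFull) { continue }
        $rootFull = $rootFull.TrimEnd('\') + '\'
        if ($full.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) {
            $result.InAllowedFolder = $true
            break
        }
    }

    # Authenticode check: a modified binary reports HashMismatch, an unsigned one NotSigned,
    # a signature chaining to an untrusted root UnknownError. Only 'Valid' passes.
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    if ($result.InAllowedFolder -and $sig.Status -eq 'Valid') {
        $result.Verdict = 'Allow'
    } elseif ($sig.Status -eq 'Valid') {
        $result.Verdict = 'Block (signed, but launched from outside an allowed folder)'
    } else {
        $result.Verdict = "Block ($($sig.Status))"
    }

    [pscustomobject]$result
}

# Usage (assumed paths): an installed application versus a file left in the Downloads folder.
Test-LaunchAllowed -Path (Join-Path $env:ProgramFiles 'Vivaldi\Application\vivaldi.exe')
Test-LaunchAllowed -Path (Join-Path $env:USERPROFILE 'Downloads\Setup.exe')
```

Run it in a normal PowerShell session; no administrator rights are needed because it only reads files. A signed vendor installer sitting in Downloads will come back as signed but blocked by the folder rule, which is the "blocked by policy" outcome the thread attributes to the CustomCertEnterpriseBlock alert, while a file whose signature status is anything other than `Valid` fails the second check regardless of where it sits.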
-
@Pathduck said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
I believe this "CustomCertEnterpriseBlock!cl" is a generic alert
Quite possible, and rather than saying "your admins don't want you to use this app", they instead scare the user 90+% to death.
-
@yngve said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
rather than saying "your admins don't want you to use this app", they instead scare the user 90+% to death.
Oh yes, could be such bad behaviour.
-
@yngve said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
they instead scare the user 90+% to death.
True!
Or, in some cases - something which has happened to me several times - you get a call from one of the Security guys in charge of the Endpoint Protection:
- "Hey, why did you launch zenmap.exe from this server?"
- "Because I wanted to check for open ports on another server, that's why!"
Fortunately, things are usually more lax once you're on the admin servers.
-
@comuki If you want to deep-dive into the EUS:Win32/CustomCertEnterpriseBlock!cl threat detection, you can check at https://cloudbrothers.info/en/guide-to-defender-exclusions/#euswin32customenterpriseblock for how some aspects of Microsoft Defender for Endpoint's threat detections and exclusions are supposed to work. It appears to be beyond my pay grade...