katycomputersystems, posted February 10, 2018:
What is everyone doing about C:\Windows\System32\CompatTelRunner.exe? It shows up on several computers as a potentially unwanted application ("MSIL/WebCompanion.A" & "Win32/SoftonicDownloader.E"); it seems to be an important Windows system file. On my computer I am unable to delete the file, and I have not tried removing it from client workstations. Is there a Windows update that needs to be run? Do I restore from SFC? Is there another/better solution?

Marcos (Administrator), posted February 10, 2018:
If the file is detected as a PUA, it's definitely not a system file. Moreover, its name doesn't ring a bell, so it's really suspicious.

cyberhash (Most Valued Member), posted February 10, 2018:
Quoting katycomputersystems (23 minutes earlier): "What is everyone doing about C:\Windows\System32\CompatTelRunner.exe? It shows up on several computers as a potentially unwanted application ("MSIL/WebCompanion.A" & "Win32/SoftonicDownloader.E"); it seems to be an important Windows system file. On my computer I am unable to delete the file, and I have not tried removing it from client workstations. Is there a Windows update that needs to be run? Do I restore from SFC? Is there another/better solution?"
Yes, it's a valid Windows system file. Not getting any messages here showing that it is a PUA... strange.

Marcos (Administrator), posted February 10, 2018:
OK, I now see that it's a standard system file. If you have doubts about its origin, right-click the file, select Properties -> Digital Signatures and, if the name of the signer is "Microsoft Windows", double-click the signature in the list. It will open the signature details. Make sure that on the General tab it says that the digital signature is OK. Moreover, the legitimate system file is not MSIL but Win64 PE. Please provide the whole record from the Detected threats log, which might shed more light.

itman, posted February 10, 2018:
Of note, someone submitted a sample of CompatTelRunner.exe over at Hybrid-Analysis 5 days ago that was flagged as malicious, albeit 70/100: https://www.hybrid-analysis.com/sample/42d422f58e134eb70b2627c19bec411a54668b799af9b6e85458f3437d4a3ea0?environmentId=120 SHA256 hash is 42d422f58e134eb70b2627c19bec411a54668b799af9b6e85458f3437d4a3ea0. VirusTotal shows zip detections for that hash.

cyberhash (Most Valued Member), posted February 10, 2018:
Same file/hash on VT shows 0/68: https://www.virustotal.com/en/file/42d422f58e134eb70b2627c19bec411a54668b799af9b6e85458f3437d4a3ea0/analysis/1518214149/
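The manual checks Marcos describes above (signer "Microsoft Windows", signature OK, native Win64 PE rather than MSIL) and the hash lookup itman and cyberhash are comparing can be done in one step from an elevated PowerShell prompt. The script below is an added example written for this thread; it is not ESET's code and not something any of the posters provided. It assumes the path from the original question; the PE header offsets it reads are the documented ones (e_lfanew at 0x3C, CLR header in data directory 14), and the "Microsoft Windows" subject check is the one Marcos names.

```powershell
# Added example (not from the thread): check that a file under System32 is a
# Microsoft-signed, 64-bit native PE and not a .NET (MSIL) image, and print its
# SHA256 so it can be compared against VirusTotal / Hybrid-Analysis results.
param(
    # Path assumed from the original post
    [string]$Path = 'C:\Windows\System32\CompatTelRunner.exe'
)

function Test-MicrosoftSignedNativePE {
    param([Parameter(Mandatory)][string]$FilePath)

    $result = [ordered]@{ Path = $FilePath }

    # 1. Authenticode check: the PowerShell equivalent of Properties -> Digital Signatures.
    #    Only Status 'Valid' is acceptable; anything else (NotSigned, HashMismatch,
    #    UnknownError) means the file is not what a Microsoft-signed binary should be.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $result.SignatureStatus = $sig.Status
    $result.Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $result.SignedByMicrosoftWindows =
        ($sig.Status -eq 'Valid') -and ($result.Signer -like 'CN=Microsoft Windows,*')

    # 2. PE header check: Machine field and presence of a CLR (.NET) header.
    $bytes    = [System.IO.File]::ReadAllBytes($FilePath)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                 # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) {    # "PE\0\0"
        throw "Not a PE file: $FilePath"
    }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)        # 0x8664 = x64, 0x014C = x86
    $optHdr  = $peOffset + 24                                          # signature(4) + file header(20)
    $magic   = [BitConverter]::ToUInt16($bytes, $optHdr)              # 0x10B = PE32, 0x20B = PE32+
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 14 is the CLR runtime header.
    $dirBase = if ($magic -eq 0x20B) { $optHdr + 112 } else { $optHdr + 96 }
    $clrRva  = [BitConverter]::ToUInt32($bytes, $dirBase + 14 * 8)
    $result.Machine   = '0x{0:X4}' -f $machine
    $result.Is64Bit   = ($machine -eq 0x8664) -and ($magic -eq 0x20B)
    $result.IsManaged = ($clrRva -ne 0)                                # non-zero RVA => MSIL image

    # 3. SHA256 for comparison with the hash posted above / online lookups.
    $result.SHA256 = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash.ToLower()

    # A legitimate CompatTelRunner.exe should satisfy all three conditions.
    $result.LooksLegitimate = $result.SignedByMicrosoftWindows -and $result.Is64Bit -and (-not $result.IsManaged)
    [pscustomobject]$result
}

Test-MicrosoftSignedNativePE -FilePath $Path | Format-List
```

If `LooksLegitimate` is `False`, the interesting fields are `SignatureStatus` and `IsManaged`: an "MSIL/..." detection name matches a managed binary, so a `True` there on a file claiming to be CompatTelRunner.exe would be a real finding rather than a false positive. Note that some Windows binaries are catalog-signed rather than embedded-signed and therefore show no Digital Signatures tab in Explorer; `Get-AuthenticodeSignature` still resolves those through the system catalogs on Windows 8 and later, which is why the script is the more reliable of the two checks.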
itman, posted February 10, 2018:
Quoting cyberhash (3 minutes earlier): "Same file/hash on VT shows 0/68."
Yes. That is what I posted.

cyberhash (Most Valued Member), posted February 10, 2018:
Quoting itman (4 minutes earlier): "Yes. That is what I posted."
70/100 on one and 0/68 on the other makes no sense.

peteyt (Most Valued Member), posted February 10, 2018:
Quoting cyberhash (1 hour earlier): "70/100 on one and 0/68 on the other makes no sense."
I don't know a lot about the site, but it seems to look at indicators. A lot of genuine stuff can look suspicious, so I wonder if that site looks for possible suspicious actions. It's not actually a virus though, so it isn't on VT.
Veremo, posted February 11, 2018:
This file is a genuine Windows file. It is signed by Microsoft and seen on many computers in the world (hxxp://whitelisting.kaspersky.com/advisor#search/8a511a096bb626405f760d432abbfae6a0870c8c). You can't blindly believe online services showing you some indicators. If they were so good, there would be no space in the market for proper AVs.

itman, posted February 11, 2018:
Until the OP posts back with a screenshot or upload of the Detected Threats log as previously requested, there is no way to determine what is actually causing these PUA detections.

Azure Phoenix, posted February 11, 2018:
Quoting cyberhash (20 hours earlier): "70/100 on one and 0/68 on the other makes no sense."
Both services work differently, according to the developer. https://malwaretips.com/threads/are-hybrid-analysis-reports-trustworthy.45002/#post-385766

itman, posted February 11, 2018 (edited):
Quoting Azure Phoenix (1 hour earlier): "Both services work differently, according to the developer."
Maybe a bit of background info will help. CrowdStrike bought Payload Analysis last fall. Besides changing its name to Hybrid-Analysis, it replaced the Cuckoo Sandbox Payload Analysis was using with CrowdStrike's Falcon Sandbox. Also, Falcon is CrowdStrike's AI scanning engine. Note that samples submitted to Hybrid-Analysis are actually run in the sandbox and their behavior monitored, versus VirusTotal's static analysis that only employs signatures, heuristics, or whatever else is offered in the AV real-time scan engine. Overall, I could see why Falcon could find the legit version of CompatTelRunner.exe suspicious, since it does a lot of telemetry (or spyware, depending on your inclination) activities for Microsoft. Also, a score of 70/100 for most AI engines is below the acceptable low-level threshold of 80/100 that most AI engines use for even flagging a process as malicious with high confidence. Therefore, I can only conclude that Falcon found the sample submitted malicious based on the activities it was performing.
-EDIT- Forget it. I just submitted my own System32\CompatTelRunner.exe, which turns out to have the same hash as the previously submitted sample commented on. Same score and malicious verdict. So I guess one needs to only look at the score generated. If it's below 90/100, assume it to be a false positive when all other variables are factored in, e.g. valid signed file, located in a protected Windows system directory, etc.
Edited February 11, 2018 by itman

cyberhash (Most Valued Member), posted February 11, 2018:
I thought the OP had posted this because his ESET product had flagged it up, because of the wording "what are you all doing about this", as it has never come up as an FP with ESET and has a value of 0 on VT. I guess it's not ESET related whatsoever, and it has been flagged up by some other product.
katycomputersystems (author), posted February 13, 2018:
Looks like I sent the community down a deep dark hole; it turns out that CompatTelRunner wasn't the problem. I misread the threats log; the real problem was file:///C:/users/marketing/downloads/utorrent.exe/GenericSetup.exe. I apologize for the long delay; I installed ERA6 last week, and it has been like drinking water from a very large fire hose. Thank you to everyone who took the time to thoughtfully respond to my post.