CompatTelRunner.exe

What is everyone doing about C:\Windows\System32\CompatTelRunner.exe ?

It shows up on several computers as a potentially unwanted application ("MSIL/WebCompanion.A" & "Win32/SoftonicDownloader.E"), it seems to be an important Windows system file. On my computer, I am unable to delete the file and have not tried removing it from client workstations.

Is there a windows update that needs to be run? Do I restore from SFC? Is there another/better solution?

  • Administrators

If the file is detected as a PUA, definitely it's not a system file. Moreover, its name doesn't ring a bell, so it's really suspicious.


  • Most Valued Members
23 minutes ago, katycomputersystems said:

What is everyone doing about C:\Windows\System32\CompatTelRunner.exe ?

It shows up on several computers as a potentially unwanted application ("MSIL/WebCompanion.A" & "Win32/SoftonicDownloader.E"), it seems to be an important Windows system file. On my computer, I am unable to delete the file and have not tried removing it from client workstations.

Is there a windows update that needs to be run? Do I restore from SFC? Is there another/better solution?
 

Yes, it's a valid Windows system file; not getting any messages here showing that it is a PUA... strange


  • Administrators

Ok, I now see that it's a standard system file. If you have doubts about its origin, right click the file, select Properties -> Digital signatures and, if the name of signer is "Microsoft Windows", double click the signature in the list. It will open signature details. Make sure that on the General tab it says that the digital signature is OK.

Moreover, the legitimate system file is not MSIL but Win64PE.

Please provide the whole record from the Detected threats log which might shed more light.
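The check described in this post, done from PowerShell instead of the Properties dialog, as an added example (not the thread's or ESET's code): it reads the Authenticode signature, confirms the signer is "Microsoft Windows", and, since the post notes the genuine file is a Win64 PE rather than MSIL, parses the PE header for the machine type and the CLR data directory. It assumes Windows PowerShell 5.1 or later; the path and hash are the ones quoted in this thread.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ on Windows 10.
function Test-WindowsSystemBinary {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Authenticode check, equivalent to Properties -> Digital Signatures.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $microsoftWindows = ($sig.Status -eq 'Valid') -and ($signer -like 'CN=Microsoft Windows,*')

    # 2. PE header check: the genuine file is native x64 with no CLR header, not MSIL.
    $b = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                  # e_lfanew -> offset of "PE\0\0"
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path is not a PE file" }
    $machine = [BitConverter]::ToUInt16($b, $pe + 4)         # 0x8664 = x64, 0x014C = x86
    $opt = $pe + 24                                           # optional header start
    $magic = [BitConverter]::ToUInt16($b, $opt)              # 0x20B = PE32+, 0x10B = PE32
    $dirs = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }  # data directory table
    $clrRva = [BitConverter]::ToUInt32($b, $dirs + 14 * 8)   # entry 14 = CLR (.NET) header
    $isMsil = $clrRva -ne 0

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status                         # 'Valid' == "digital signature is OK"
        Signer          = $signer
        IsOSBinary      = $sig.IsOSBinary                     # Windows component per Microsoft policy
        Architecture    = if ($machine -eq 0x8664) { 'x64' } elseif ($machine -eq 0x14C) { 'x86' } else { '0x{0:X4}' -f $machine }
        IsMsil          = $isMsil
        SHA256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        LooksLegitimate = $microsoftWindows -and -not $isMsil -and
                          $Path.StartsWith("$env:SystemRoot\System32\", 'OrdinalIgnoreCase')
    }
}

# Usage with the path discussed in this thread. The SHA256 quoted later in the thread
# (42d422f58e134eb70b2627c19bec411a54668b799af9b6e85458f3437d4a3ea0) is one build's hash;
# a different Windows build will legitimately produce a different value.
Test-WindowsSystemBinary -Path "$env:SystemRoot\System32\CompatTelRunner.exe" | Format-List
```

A file in a user's Downloads folder, an MSIL binary, or a signature status other than Valid should all come back with LooksLegitimate set to False and be treated as the detection log describes rather than as a system file.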


Of note, someone submitted a sample of CompatTelRunner.exe over at Hybrid-Analysis 5 days ago that was flagged as malicious, albeit 70/100: https://www.hybrid-analysis.com/sample/42d422f58e134eb70b2627c19bec411a54668b799af9b6e85458f3437d4a3ea0?environmentId=120

SHA256 hash is 42d422f58e134eb70b2627c19bec411a54668b799af9b6e85458f3437d4a3ea0. VirusTotal shows zip detections for that hash.


  • Most Valued Members
1 hour ago, cyberhash said:

70/100 on one and 0/68 on the other, makes no sense :wacko:

I don't know a lot about the site, but it seems to look at indicators. A lot of genuine stuff can look suspicious, so I wonder if that site looks for possible suspicious actions. It's not actually a virus though, so it isn't on VT.


This file is a genuine Windows file. It is signed by Microsoft and seen on many computers in the world (hxxp://whitelisting.kaspersky.com/advisor#search/8a511a096bb626405f760d432abbfae6a0870c8c)

You can't blindly believe online services showing you some indicators. If they were so good, there would be no space in the market for proper AVs :P


Until the OP posts back with a screen shot or upload of the Detected Threats log as previously requested, there is no way to determine what actually is causing these PUA detections.


1 hour ago, Azure Phoenix said:

Both services work differently, according to the developer.

Maybe a bit of background info will help.

CrowdStrike bought Payload Analysis last fall. Besides changing its name to Hybrid-Analysis, it replaced the Cuckoo Sandbox Payload Analysis was using with CrowdStrike's Falcon Sandbox. Also, Falcon is CrowdStrike's AI scanning engine. Note that samples submitted to Hybrid-Analysis are actually run in the sandbox and their behavior monitored, versus VirusTotal's static analysis that only employs signatures, heuristics, or whatever else is offered in the AV real-time scan engine.

Overall, I could see why Falcon could find the legit ver. of CompatTelRunner.exe suspicious, since it does a lot of telemetry (or spyware, depending on your inclination) activities for Microsoft. Also, a score of 70/100 for most AI engines is below the acceptable low-level threshold of 80/100 most AI engines use for even flagging a process as malicious with high confidence. Therefore, I can only conclude that Falcon found the sample submitted malicious based on the activities it was performing.

-EDIT- Forget it. I just submitted my own System32/CompatTelRunner.exe, which turns out to have the same hash as the previously submitted sample commented on. Same score and malicious verdict. So I guess one needs to only look at the score generated. If it's below 90/100, assume it to be a false positive when all other variables are factored in, e.g. valid signed file, located in a protected Windows system directory, etc.

Edited by itman

  • Most Valued Members

I thought the OP had posted this because his Eset product had flagged it up, because of the wording "what are you all doing about this", as it has never come up as a FP with Eset and has a value of 0 on VT.

I guess it's not Eset related whatsoever, and has been flagged up by some other product :ph34r:


Looks like I sent the community down a deep dark hole; it turns out that CompatTelRunner wasn't the problem.

I misread the threats log, the real problem was file:///C:/users/marketing/downloads/utorrent.exe/GenericSetup.exe

I apologize for the long delay. I installed ERA6 last week; it has been like drinking water from a very large fire hose.

Thank you to everyone that took the time to thoughtfully respond to my post.
