thae, posted November 7, 2022:
Hey ESET-Forum, since today we got multiple PCs with a warning of BingWallpaperApp.exe from Module scan of system boot area and Module extended memory check. It's being declared as a variant of MSIL/Microsoft.Bing.A PUA. Anybody else getting this? I'm pretty sure that's a false positive, never have gotten this before.

Marcos (Administrators), posted November 7, 2022, marked as solution:
The detection is correct. We've started to detect the application as potentially unwanted (optional detection) as of today. Microsoft was informed about the reasons of detection.

thae (Author), posted November 7, 2022 (edited November 7, 2022 by thae):
3 minutes ago, Marcos said: "The detection is correct. We've started to detect the application as potentially unwanted (optional detection) as of today. Microsoft was informed about the reasons of detection."
Can you share the reasons with us too?
EDIT: Is there a resource where we can see what changed for signature or module updates?

ErikH, posted November 7, 2022:
We are also receiving MANY of these alerts this morning (example alert detailed below). If these are not false positives, is there a recommended course of action? Thanks!
Operating memory » BingWallpaperApp.exe(6832) contains a variant of MSIL/Microsoft.Bing.A potentially unwanted application.

LoneMudokon, posted November 7, 2022:
I've been having this issue for a few hours as well. I'm surprised to see it's confirmed as not being a false positive.
Marcos confirmed that it's "potentially unwanted (optional detection)". It's also labelled upon detection as a PUP. And it's a Microsoft product. So I don't think it's actually dangerous, but more of a potential annoyance.
The program does by default try to change both your start page and your search engine to Bing on all your browsers. This can be toggled off, but it means the program has the ability to make such modifications. That could be the reason why ESET decided to classify it as unwanted. That would also explain its name classification (MSIL/Microsoft.Bing.A).
In any case I'm just guessing here, so we'll have to wait for @Marcos, the ESET team or Microsoft to give us a definitive answer.
In any case thanks a lot for your answers, I'm glad to know more about that 👍.

Marcos (Administrators), posted November 7, 2022:
We're going to confine the detection so that the application is not detected in memory.

VidStar, posted November 7, 2022:
12 minutes ago, LoneMudokon said: "The program does by default try to change both your start page and your search engine to Bing on all your browsers. This can be toggled off,"
How is that possible? I've not seen those options available.

Scott F, posted November 7, 2022:
Quote: "The program does by default try to change both your start page and your search engine to Bing on all your browsers. This can be toggled off"
This, as a blanket statement, is not true. To "try to change" you mean it asks, "would you like to"? Is this an annoyance, really? In whose eyes? I don't want your "protection" from life's annoyances. This smells like an overreach. Can we get just virus protection, thanks.

LoneMudokon, posted November 7, 2022:
1 hour ago, VidStar said: "How is that possible. I've not seen those options available."
It is during the installation, and it is checked on by default. Here's a screenshot of the installer. Once installed it doesn't offer that option anymore.

Anas Hussain, posted November 7, 2022:
LoneMudokon, thanks for that - helpful to also understand where one can source this program... Is this application bundled with Windows 11 by default/automatically downloaded? I have had a user report this detection - I will be doing some investigatory work tomorrow to figure out how this has ended up on their machine...

JamesR (ESET Staff), posted November 7, 2022:
For those looking for assistance in removing this software, here are some steps to remove this from individual computers:
1. Windows + R
2. Type "Appwiz.cpl" and press enter
3. Find and uninstall/remove (at the end of the uninstall, you may be directed to a Microsoft web page asking if you meant to uninstall and asked if you want to reinstall. Just close this):
   - Microsoft Bing Service
   - Bing Wallpaper
4. After that, start opening each web browser and checking for Bing Homepage/Search extensions/plugins and remove them (the prior uninstall leaves these in place and does not remove them).
   - Chrome: In the address bar, navigate to "chrome://extensions/" and click "remove" to anything like: "Microsoft Bing Homepage & Search for Chrome"
   - After removal, you may be taken to a web page asking if you want to reinstall the extension.

JamesR (ESET Staff), posted November 7, 2022 (edited November 7, 2022 by JamesR):
For those managing multiple computers via ESET Protect who would like a more streamlined way of removing this software from all computers, this can be done for the installed software, but not for the browser plugins. Browser plugins are managed by the individual browsers, and not directly by the OS.
These steps are not working 100% for the Bing Software mentioned in this thread. If I can improve upon this, I will post later.
Here are the steps to use ESET Protect to uninstall 3rd party software which can be seen by ESET.
This will guide you through the following:
- Ensure ESET Protect can see installed non-ESET Applications
- Create a dynamic group to group all computers with unwanted applications
- Create tasks that will run...
  - ...anytime a computer has the undesired software installed and shows up in the dynamic group (thus uninstalling the unwanted software anytime a new computer joins this group)
  - ...one time run of the tasks on computers that already joined the group while you created the tasks (to uninstall the unwanted software from computers that had already joined this group)

I. Setup ESET Management Agent to report non-ESET Applications (only needed if not already configured)
1. In ESET Protect, navigate to "Policies > New Policy"
2. Name the policy "Report Non-ESET Applications"
3. In "Settings" ensure you select "ESET Management Agent" from the drop-down at the top
4. Expand "Advanced Settings" and locate and turn on "Report non-ESET-installed applications"
5. Assign to either the "All" group, or to specific groups/computers of desire.
6. Continue and finish creating the policy
At this point, it may take a bit for the non-ESET software to be reported to ESET Protect. Your endpoints will need to check in once to get the policy, then check in again to supply the new info, then ESET Protect will need to parse and put the info into the database. Default check in times are 10 minutes. So you should start seeing the non-ESET applications in about 30 minutes in the following area:

II. Check to see if ESET Protect sees the 3rd party applications:
1. In ESET Protect, open the details of an individual computer, then click on "Installed Applications"
2. If you can see Non-ESET applications, your settings are applied and working.
3. You can also check to see if your undesired software is visible and has a "Yes" in the column "Agent supports uninstall", which means ESET can attempt to uninstall this software

III. Create a dynamic group to group all computers with undesired software (this will help you see how many computers you have with the unwanted software, and allow for a quick way to uninstall the software)
1. In ESET Protect, click on Computers on the left, locate "Windows Computers" in the list of Groups.
2. Click on the gear to the right of this, and select "New Dynamic Group"
3. Name the group "Has Unwanted Software"
4. In the "Template" section, choose "New" and set the following:
   - Name: Unwanted Software
   - Expression:
     - Operation: AND (All conditions have to be true)
     - Click Add Rule and choose: "Installed Software > Application Name", and click OK
     - Click Add Rule and choose: "Installed Software > Application Vendor", and click OK
     - For Application Name, set to "is one of" and fill in the name "Microsoft Bing Service"
     - In the Application Name section, click "Add" and then fill in the name "Bing Wallpaper"
     - For Application Vendor, set to "is one of", and fill in "Microsoft Corporation"
     - Should look like this:
5. Click Finish
Over a short time, you will see computers start to appear here. Next we will make a task to remove the undesired software.

IV. Create a task to start uninstalling unwanted software
1. In ESET Protect, click on Computers on the left, then locate your newly made dynamic group named "Has Unwanted Software"
2. Click the gear next to the group name and click "Tasks > New Task..."
3. Name the task "Uninstall unwanted software - Microsoft Bing Service" and in the "Task" drop down, select "Software Uninstall" and click "Continue"
4. In this Settings section, click on "<Select package to uninstall>" and select the first piece of software to uninstall "Microsoft Bing Service"
5. You may desire to click on "Uninstall all versions of package" to ensure any version gets removed.
6. Click "Continue" to get to the targets and ensure your desired target group "Has Unwanted Software" is showing in the list and then click "Continue"
7. In the "Trigger section" set the trigger type to "Joined Dynamic Group Trigger" (this will run this task on any computer as it gets added to our dynamic group, but not on computers already in this group. We will remedy this shortly.)
8. Continue and finish.
9. On your group "Has Unwanted Software" click the gear and choose "Tasks > Run Tasks"
10. Click on "Add Tasks" and find and checkmark your "Uninstall unwanted software - Microsoft Bing Service" and click OK
11. For the "Trigger" section, ensure trigger type is "As Soon As Possible" and click finish.
12. Repeat steps 1 through 11 but:
    - in step 4 select "Bing Wallpaper"
    - in step 3 and 10 use the task name "Uninstall unwanted software - Bing Wallpaper"

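Added example (not part of JamesR's post and not ESET code): a read-only PowerShell check that applies the same rule as the "Has Unwanted Software" dynamic group template on a single machine, which is useful for confirming whether the entries are still registered after an uninstall task has run. It assumes the display names and vendor shown in ESET Protect are the ones registered under the standard Windows Uninstall registry keys, and it treats "is one of" as an exact match; `Get-UnwantedSoftware` is a hypothetical helper name.

```powershell
# Added example: local equivalent of the dynamic group rule from the post.
# Read-only inventory; nothing is uninstalled or modified.
$names  = @('Microsoft Bing Service', 'Bing Wallpaper')   # application names from the post
$vendor = @('Microsoft Corporation')                      # application vendor from the post

# Standard Windows locations where installers register their uninstall entries.
# The HKCU path only covers the user account running this script.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-UnwantedSoftware {
    param([string[]]$Name, [string[]]$Publisher)
    foreach ($root in $roots) {
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object {
                # AND of both rules, each an "is one of" match (assumed exact,
                # case-insensitive), mirroring the template's expression.
                $_.PSObject.Properties['DisplayName'] -and
                ($Name -contains $_.DisplayName) -and
                ($Publisher -contains $_.Publisher)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    Scope           = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
                    DisplayName     = $_.DisplayName
                    Publisher       = $_.Publisher
                    Version         = $_.DisplayVersion
                    UninstallString = $_.UninstallString
                }
            }
    }
}

$found = @(Get-UnwantedSoftware -Name $names -Publisher $vendor)
if ($found.Count -eq 0) {
    Write-Output "No matching entries on $env:COMPUTERNAME"
} else {
    $found | Format-List
}
```

A "User" scope result means the entry is registered per user, so the check has to be run in each affected user's session to see it.
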
Asteccc, posted November 7, 2022:
I have used Bing Wallpaper for some weeks; today this ESET notification appeared:
MSIL/Microsoft.Bing.A is trying to access DotNet. Enterprise: Unknown. Reputation: (i) File: Script. Detection: PUA
How could we know if the app's DLLs were modified by a hack?

LoneMudokon, posted November 7, 2022:
@JamesR Thanks for the detailed instructions. Thankfully, I didn't have any Bing service or web extensions installed (I unchecked those when I initially installed the software). So all I had to do was to uninstall Bing Wallpaper.
However it's worth mentioning that ESET was blocking the uninstallation process as well. I know it's not recommended, but I had to disable ESET to be able to uninstall Bing Wallpaper. However, it is now fully uninstalled and a full scan with ESET showed no other issues.
Thanks to the ESET team for your support, that's why we love you guys, you're the best 👍.
Just out of curiosity, are you taking measures now because Bing Wallpaper was a PUP since the beginning, or was there something new or a change to the software that made it worse?

LoneMudokon, posted November 7, 2022:
3 hours ago, Anas Hussain said: "LoneMudokon, Thanks for that - helpful to also understand where one can source this program... Is this application bundled with Windows 11 by default/automatically downloaded I have had a user report this detection - I will be doing some investigatory work tomorrow to figure out how this has ended up on their machine..."
You're welcome 😉. Bing Wallpaper is not installed with Windows 10/11 (any version) by default. It's an additional software that must be installed separately.
As for the official source, if you Google "Bing Wallpaper" it's literally the first result, directly from Microsoft's website. However it could have been bundled during another software installation (I don't know if Microsoft bundles it or not). Also, Microsoft is very pushy with their Bing and Edge products. I wouldn't be surprised if your user made a search, ended up on Bing and was proposed the software then.

itman, posted November 7, 2022:
As far as Bing Wallpaper goes and effective with Win 11 22H2, it is now integrated with SpotLight: https://www.digitalcitizen.life/bing-wallpaper-windows-11-with-windows-spotlight/

LoneMudokon, posted November 7, 2022:
28 minutes ago, itman said: "As far as Bing Wallpaper goes and effective with Win 11 22H2, it is now integrated with SpotLight: https://www.digitalcitizen.life/bing-wallpaper-windows-11-with-windows-spotlight/"
Well not really. Starting Windows 11 22H2 you can get daily Bing wallpapers directly from the Windows settings with the Spotlight feature. That means Windows will fetch those JPEG files from their Bing service and nothing more, and this can be used without any risk.
But it does not mean that the Bing Wallpaper app is installed with Windows. The Bing Wallpaper app and its potentially unwanted behavior is not installed with Windows. It has to be downloaded and installed separately.
I just wanted to clarify so that there would not be any confusion on the matter.

Pawel15, posted November 8, 2022:
hey, now it looks like Eset is blocking the download of the app https://download.microsoft.com/download/9/1/1/911276db-dcd3-4129-9639-375613697b11/Installer/2.0.0.0/Bing/W011 /BingWallpaper.exe

Marcos (Administrators), posted November 8, 2022:
1 minute ago, Pawel15 said: "hey, now it looks like Eset is blocking the download of the app https://download.microsoft.com/download/9/1/1/911276db-dcd3-4129-9639-375613697b11/Installer/2.0.0.0/Bing/W011 /BingWallpaper.exe"
Not just now, it's been blocked since the detection was added.

DanielSK, posted January 10, 2023 (edited January 10, 2023 by DanielSK):
On 11/7/2022 at 3:05 PM, Marcos said: "The detection is correct. We've started to detect the application as potentially unwanted (optional detection) as of today. Microsoft was informed about the reasons of detection."
And can we know the reason why it is actually unwanted? What kind of threat could I expect, if I leave it installed?

thae (Author), posted January 11, 2023:
6 hours ago, DanielSK said: "And can we know the reason why it is actually unwanted? What kind of threat could I expect, if I leave it installed?"
No real threat, it's only labeled as a PUA. One reason could be this, as @LoneMudokon said:
Quote: "The program does by default try to change both your start page and your search engine to Bing on all your browsers. This can be toggled off, but it means the program has the ability to make such modifications. That could be the reason why ESET decided to classify it as unwanted. That would also explain its name classification (MSIL/Microsoft.Bing.A)."

DanielSK, posted January 11, 2023:
Thank you, @thae. I thought the same, but the lack of reply from ESET representatives made me think that this could be some unclosed vulnerability or something like that.