
Windows SQM Consolidator Change



Using ESS 7 under Windows 8.1. 

 

Got pop-up today saying that Windows SQM Consolidator has changed "During communication, a change was detected in the application."  and "Recommended action: Deny".  Unfortunately, the Deny button is inactive.

 

I'm thinking this was perhaps legitimately changed by a recent MS update, but how can I tell when Microsoft has actually recently updated?

 

The file in question is wsqmcons.exe MD5 4b8899882458d96fdd8677d49bd0c5b0 dated 10/28/2014, but a hover over the file indicates version 6.3.9600.17415 created 11/19/2014. I wonder if this is related to MS14-068; see https://technet.microsoft.com/library/security/ms14-068. How do I know if this file was intentionally updated by Microsoft during this patch?

See screenshot attached.  I'm thinking I may have to reboot to get rid of the window since there is no way to close it other than to click Allow.


Go through the recent KBs installed and compare if it's a legit update.

If so, app modification is working as intended and telling you the file was majorly changed.

 

You could restore to earlier and see if it happens again, but also the Deny not showing up is strange and unusual behavior unless you have some permission issues etc.


Thanks for the response.  That's what I want to know:  how do I go through the MS KBs to see if a particular file was updated in it?  When I go to the KB article and the security update that's related, I don't see a description of what files are updated when it is installed.  So in the future, if ESS prompts me, I want to be able to make an informed decision, instead of always clicking Deny.  I mean, if it happens right after I install an MS update, I'm pretty sure that's what caused it.  If it happens two weeks afterwards, I have no idea if that file was legitimately updated recently or is the victim of a zero-day.  

 

I think the fact that Deny was grayed out here is probably just a fluke.


Hello again,

 

If you go to Control Panel > Windows Updates > view update history (at the left)

Attached is my screenshot indicating my last update was KB3011780

If you double-click that line item, it will give you the reference URL for "more information"

hxxp://support.microsoft.com/kb/3011780

On this page you can scroll down to File Information, and at the bottom File Hash information.

Good luck!


Edited by Arakasi

But it's really strange that the "Deny" button is disabled.

Maybe there is a pre-defined rule to allow it, but this would be quite strange too. :unsure:


If ESET is performing Authenticode signature checking on the executables, then the fact the window states "Microsoft Windows" as the vendor means that the program is not malware. If the link text doesn't give details about a signature, opening the program's Properties window and navigating to the "Digital Signatures" tab will tell you.

 

None of this explains the lack of the Deny button, but at least it'll put you at ease. Microsoft do publish lists of changed files in each of their security updates, but trawling through this will be very time-consuming.

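The checks suggested across this thread (file version and dates to compare with a KB's File Information table, the signature on the executable, and the updates installed around the time the file changed), gathered into one added PowerShell example that is not from any of the posters. It assumes Windows PowerShell 5.1 or later; the default path and the `WindowDays` parameter are assumptions made for illustration.

```powershell
# Added example, not part of the original thread. Assumes Windows PowerShell 5.1+.
param(
    # Assumed default location of the file named in the first post.
    [string]$Path = "$env:SystemRoot\System32\wsqmcons.exe",
    # Hypothetical parameter: days either side of the file's creation time
    # in which to look for installed updates.
    [int]$WindowDays = 7
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop
$sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

# 1. What is on disk. FileVersion, Size and Modified are the values to compare
#    with the "File Information" table in the KB article; MD5 is the value the
#    firewall prompt reported, so it confirms this is the same file.
[pscustomobject]@{
    Path        = $file.FullName
    FileVersion = $file.VersionInfo.FileVersion
    Size        = $file.Length
    Modified    = $file.LastWriteTime
    Created     = $file.CreationTime
    MD5         = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
} | Format-List

# 2. Who signed it. Windows system files are often catalog-signed, so
#    SignatureType may read "Catalog" rather than "Authenticode".
[pscustomobject]@{
    Status        = $sig.Status
    SignatureType = $sig.SignatureType
    IsOSBinary    = $sig.IsOSBinary
    Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
} | Format-List

# 3. Which updates were installed close to the time the file appeared on disk.
#    Entries without an install date are skipped.
$near = Get-HotFix | Where-Object {
    $_.InstalledOn -and
    [math]::Abs(($_.InstalledOn - $file.CreationTime).TotalDays) -le $WindowDays
} | Sort-Object InstalledOn

if ($near) {
    $near | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "No updates recorded within $WindowDays days of $($file.CreationTime)."
}
```

A `Status` of `Valid` with a Microsoft signer shows the file is signed; the hotfix list is what narrows down which KB article to open for its File Information table.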
