Carl S, posted November 22, 2014

Using ESS 7 under Windows 8.1. Got a pop-up today saying that Windows SQM Consolidator has changed: "During communication, a change was detected in the application." and "Recommended action: Deny". Unfortunately, the Deny button is inactive.

I'm thinking this was perhaps legitimately changed by a recent MS update, but how can I tell when Microsoft has actually recently updated? The file in question is wsqmcons.exe, MD5 4b8899882458d96fdd8677d49bd0c5b0, dated 10/28/2014, but a hover over the file indicates version 6.3.9600.17415, created 11/19/2014. I wonder if this is related to MS14-068; see https://technet.microsoft.com/library/security/ms14-068

How do I know if this file was intentionally updated by Microsoft during this patch? See screenshot attached. I'm thinking I may have to reboot to get rid of the window since there is no way to close it other than to click Allow.

Arakasi, posted November 23, 2014

Go through the recently installed KBs and compare to see if it's a legit update. If so, app modification is working as intended and telling you the file was majorly changed. You could restore to an earlier point and see if it happens again, but the Deny button not showing up is also strange and unusual behavior, unless you have some permission issues etc.

Carl S (author), posted November 25, 2014

Thanks for the response. That's what I want to know: how do I go through the MS KBs to see if a particular file was updated in it? When I go to the KB article and the security update that's related, I don't see a description of what files are updated when it is installed.

So in the future, if ESS prompts me, I want to be able to make an informed decision, instead of always clicking Deny. I mean, if it happens right after I install an MS update, I'm pretty sure that's what caused it. If it happens two weeks afterwards, I have no idea if that file was legitimately updated recently or is the victim of a zero-day.

I think the fact that Deny was grayed out here is probably just a fluke.

Arakasi, posted November 29, 2014 (edited)

Hello again,

Go to Control Panel > Windows Updates > View update history (at the left). Attached is my screenshot indicating my last update was KB3011780. If you double-click that line item, it will give you the reference URL for "more information": hxxp://support.microsoft.com/kb/3011780

On this page you can scroll down to File Information, and at the bottom, File Hash information.

Good luck!

rugk, posted November 29, 2014

But it's really strange that the "Deny" button is disabled. Maybe there is a pre-defined rule to allow it, but this would be quite strange too.

Proactive Services, posted November 29, 2014

If ESET is performing Authenticode signature checking on the executables, then the fact the window states "Microsoft Windows" as the vendor means that the program is not malware. If the link text doesn't give details about a signature, opening the program's Properties window and navigating to the "Digital Signatures" tab will tell you. None of this explains the lack of the Deny button, but at least it'll put you at ease.

Microsoft do publish lists of changed files in each of their security updates, but trawling through this will be very time-consuming.

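The checks suggested in the posts above (recently installed KBs, the file's version, its Authenticode signature), gathered into one PowerShell function as an added example that is not part of any post in this thread. The function name, the default path (the usual System32 location of wsqmcons.exe) and the default expected version (the one Carl S reported on hover) are assumptions; replace the version with the one listed for the file under "File information" in the relevant KB article.

```powershell
# Added example, not from the thread. Test-ChangedBinary is a hypothetical name;
# the defaults are assumptions described in the lead-in.
function Test-ChangedBinary {
    param(
        [string]$Path = "$env:SystemRoot\System32\wsqmcons.exe",
        [string]$ExpectedVersion = '6.3.9600.17415',  # from the KB "File information" table
        [int]$Days = 14                               # how far back to list installed updates
    )

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # Build the version from its numeric parts; the FileVersion string often
    # carries a build-branch suffix that would break a plain string compare.
    $vi  = $file.VersionInfo
    $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                $vi.FileBuildPart, $vi.FilePrivatePart

    # Updates installed in the window before the prompt appeared.
    $since  = (Get-Date).AddDays(-$Days)
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -ge $since } |
        Sort-Object InstalledOn

    [pscustomobject]@{
        Path            = $file.FullName
        LastWriteTime   = $file.LastWriteTime
        Version         = $ver
        VersionMatches  = ($ver -eq $ExpectedVersion)
        # Compare with the MD5 shown in the firewall dialog.
        MD5             = (Get-FileHash -Path $Path -Algorithm MD5).Hash
        # The signature is the stronger evidence: version fields can be forged.
        SignatureStatus = $sig.Status
        SignatureType   = $sig.SignatureType   # empty on hosts without this property
        Signer          = $sig.SignerCertificate.Subject
        RecentHotFixes  = ($recent | ForEach-Object {
            '{0} ({1:yyyy-MM-dd})' -f $_.HotFixID, $_.InstalledOn
        }) -join ', '
    }
}

Test-ChangedBinary | Format-List
```

A `SignatureStatus` of `Valid` with a Microsoft signer, together with a matching version and a KB installed shortly before the prompt, is consistent with a legitimate update. On older PowerShell hosts that do not consult the Windows catalog store, a catalog-signed system file can report `NotSigned`, so that status alone is not evidence of tampering there.
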
Arakasi, posted November 30, 2014

The greyed out Deny button may be a result of already having an allow rule. Maybe he can sift through and let us know...