[ANTIVIRUS] waptdeploy.exe

elelay

July 19, 2021 - 10:47

Hello,

Just so you know, overnight, our antivirus (Trend Micro) started deleting the waptdeploy.exe file from all the PCs.
These deletions generated alerts on the workstations, causing a bit of a panic. Nice way to start Monday morning!
The file is detected as spyware/greyware with the attack type: PUA.Win32.AddressCatcher.A.
We've temporarily had to exclude the file from scanning using its hash; what can you do on your end?

Sincerely,
Étienne
WAPT Server version: 2.0 Enterprise
Console installed on a Windows Server 2019
Debian 10 Buster server
dcardon

July 21, 2021 - 10:24

Hi Etienne,

It's difficult to anticipate changes in antivirus vendor behavior. That said, we're now starting to scan all builds with VirusTotal by default, so we should have a bit more advance warning if something happens. Furthermore, we've changed the default behavior (it does nothing if no parameters are specified) to minimize reports to antivirus software. The fixes are available on the new 2.1 branch.

For your information, we're now also scanning all new WAPT packages with VirusTotal so they're "known" (in addition to all WAPT binaries).

We're also going to start a new Insider campaign for the WAPT 2.1 release. If you're on the Enterprise version, you can participate to get the new versions as a bonus.

Best regards,
Denis Cardon
Denis Cardon - Tranquil IT
elelay

July 21, 2021 - 10:51

Hello Denis,

Thank you for your detailed reply!
I did notice that the file had already been scanned by VirusTotal.
As of this morning's update, despite the exception in our antivirus software, the waptupgrade package was flagged. Regarding this, is it possible to download a template somewhere? Or does it have to be completely recreated manually?

Looking at the Enterprise repository, I saw that there's a nightly version that goes up to 2.1. Are you referring to that one? Or does the Insider program offer a stable version? If so, yes, we would be interested :D . If it could help resolve our issue.

Best regards,
Étienne
dcardon

July 21, 2021 - 11:48

The waptagent.exe file is currently recreated with your wapt server's certificates and configurations. Therefore, the file is unique each time, and since it's unsigned, it's not well-received by most antivirus programs (this isn't related to its behavior, but to the file's uniqueness and lack of a signature).

To partially address this issue, we'll integrate the tis-waptsetup.exe file into the waptupgrade package, along with the configuration file. This file is properly signed and is sent to VirusTotal with each modification, and given the number of sites it's used on, this should generate fewer problems.

The Insider program uses Release Candidate versions, and version 2.1RC1 should be released very soon. Participants in the program have direct access to the developer to fix any issues that might arise (there are so many different ways to set up a network that diversity is necessary to test everything :-) ).

Sincerely,

Denis
vincent_n

July 23, 2021 - 09:37

Hi Etienne,

We also use Trend Micro and have the same problem. With Trend Micro support, we have this option:
"If you suspect a false positive (i.e., you believe the detected file to be non-malicious), kindly submit a sample of the detected file through the following channels for analysis."
I submitted waptdeploy to Trend Micro support, hoping it will be helpful.

Regarding waptagent, I personally sign it with a code signing certificate generated by our internal CA and recognized by our PCs. That seems to be sufficient; I no longer see any alerts from Trend Micro about this file.
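
The signing step described in the post above, as an added example that is not from the thread or from Tranquil IT. The file path, the timestamp URL and the certificate store location are assumptions; the certificate is whatever code-signing certificate your internal CA issued.

```powershell
# Added example: sign a freshly built waptagent.exe with an internal code-signing certificate.
$file = 'C:\waptbuild\waptagent.exe'          # assumption: where the built agent is staged
$tsa  = 'http://timestamp.example.internal'   # placeholder: your RFC 3161 timestamp service

# Pick an unexpired code-signing certificate that has its private key available.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }

# Sign with SHA-256 and a timestamp so the signature outlives the certificate.
$result = Set-AuthenticodeSignature -FilePath $file -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $tsa
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# Re-check the file. On a client, 'Valid' is only reported when the internal
# CA chain is trusted there; otherwise expect 'NotTrusted' or 'UnknownError'.
$sig = Get-AuthenticodeSignature -FilePath $file
[pscustomobject]@{
    File       = $file
    Status     = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    SHA256     = (Get-FileHash -Path $file -Algorithm SHA256).Hash
}
```

Because the agent is rebuilt per server, the signature has to be reapplied after every rebuild, and the SHA256 in the output changes each time.
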
elelay

July 23, 2021 - 09:52

Hi Vincent,

Thanks for your reply!
I'd also heard about this possibility, but I couldn't find where to upload the file.

Until now, it was only the waptdeploy.exe file that was causing problems. Now it's a temporary file in the C:\program files (x86)\wapt directory that's created during installation. We have to exclude this directory from our scans (not a big fan, but we have no choice).
vincent_n

July 23, 2021 - 11:44

You have to open a box in “Threat issue” and you have the option that appears. I searched for a while.

Their feedback:
We have analyzed the file waptdeploy.exe (7d237ea585df8bf1001ed18e8513764b990621ad) and verified this to be non-malicious.

This will be added in our certified safe software databases and may take 12-24 hours to reflect in the systems.

Please make sure that the system is connected to the internet in order for the product to be able to query from our whitelisting.

I think it will only be for my waptdeploy.exe so....
maintenancevla

July 26, 2021 - 10:25

Hello,

I have the same problem with Windows Defender.

Windows SmartScreen is blocking the action.

Do you have a solution?

Is it still relevant? For exclusion?
viewtopic.php?f=10&t=1091

"C:\Program Files (x86)\wapt\waptservice\win32\nssm.exe"
"C:\Program Files (x86)\wapt\waptservice\win64\nssm.exe"
"C:\Program Files (x86)\wapt\waptagent.exe"
"C:\Program Files (x86)\wapt\waptconsole.exe"
"C:\Program Files (x86)\wapt\waptexit.exe"

"C:\wapt\waptservice\win32\nssm.exe"
"C:\wapt\waptservice\win64\nssm.exe"
"C:\wapt\waptagent.exe"
"C:\wapt\waptconsole.exe"
"C:\wapt\waptexit.exe"

Please
- Installed WAPT version: 2.6.0.16795
- Server OS: Debian 11
- Administration/package creation machine OS: Windows Server 2019
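
An added example (not from the thread or the WAPT project) that inventories the executables named in this thread, reporting Authenticode status and hashes so that exclusions can be scoped to individual files instead of the whole WAPT directory. It also checks whether a local waptdeploy.exe matches the hash Trend Micro cleared; the waptdeploy.exe path is an assumption, and the 40-character hash is assumed to be SHA-1.

```powershell
# Added example: per-file signature and hash report for the WAPT binaries in this thread.
$clearedSha1 = '7d237ea585df8bf1001ed18e8513764b990621ad'  # hash quoted in the vendor reply
$waptDeploy  = 'C:\Temp\waptdeploy.exe'                    # assumption: the thread gives no path

# Executables listed in the last post, under both install locations.
$roots = 'C:\Program Files (x86)\wapt', 'C:\wapt'
$names = 'waptservice\win32\nssm.exe', 'waptservice\win64\nssm.exe',
         'waptagent.exe', 'waptconsole.exe', 'waptexit.exe'
$paths = foreach ($r in $roots) { foreach ($n in $names) { Join-Path $r $n } }

$report = foreach ($p in @($waptDeploy) + $paths) {
    # Skip paths that do not exist on this machine.
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
    $sig  = Get-AuthenticodeSignature -LiteralPath $p
    $sha1 = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
    [pscustomobject]@{
        Path          = $p
        Signature     = $sig.Status                 # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer        = $sig.SignerCertificate.Subject
        SHA1          = $sha1
        SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        VendorCleared = ($sha1 -eq $clearedSha1)    # string -eq is case-insensitive
    }
}

$report | Format-List

# Files without a valid signature are the ones that need a per-file hash exclusion.
$report | Where-Object { $_.Signature -ne 'Valid' } |
    Select-Object Path, Signature, SHA256
```

A `VendorCleared` value of `False` for waptdeploy.exe means the vendor's allow-list entry does not cover the local copy.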