Page 1 of 1
WAPT 1.5 vs Antivirus
Published: April 11, 2018 - 9:20 AM
by Alesk
Hello,
Following the WAPT update from 1.3 to 1.5, we are experiencing detection/blocking by our antivirus software after attempting to update agents on workstations. We will implement a solution, but the goal is to inform users and potentially gather feedback.
Trend Micro Officescan Server XG Build 1315
# Detection 1: The detected malware is Mal_Mlwr-13
https://www.trendmicro.com/vinfo/us/thr ... al_Mlwr-13
# Detection 2: Unauthorized file encryption C:\Windows\Temp\is-L7N1A.tmp\waptagent.tmp (triggered by "c:\windows\temp\waptagent.exe")
# Detection 3: waptconsole.exe
% Thank you in advance for your feedback
Re: WAPT 1.5 vs Antivirus
Published: April 11, 2018 - 2:50 PM
by Alesk
Hello,
Referring to the morning post titled "WAPT 1.5 vs Antivirus" viewtopic.php?f=10&t=1134, here are the elements we have integrated to unlock the situation on a Trend Micro Officescan XG.
# Detection 1: The detected malware is Mal_Mlwr-13
https://www.trendmicro.com/vinfo/us/thr ... al_Mlwr-13
Solution:
https://success.trendmicro.com/solution/000019446 to be applied to all scans on Scan Exclusion List (Directories) c:\wapt
# Detection 2: Unauthorized file encryption C:\Windows\Temp\is-L7N1A.tmp\waptagent.tmp (triggered by "c:\windows\temp\waptagent.exe")
Solution:
http://docs.trendmicro.com/en-us/enterp ... ing-1.aspx on c:\windows\temp\waptagent.exe
# Detection 3: waptconsole.exe
Solution:
http://docs.trendmicro.com/all/ent/offi ... -List.html to be applied to all workstations on c:\wapt\waptconsole.exe
Re: WAPT 1.5 vs Antivirus
Published: April 11, 2018 - 3:32 PM
by htouvet
Thank you for the feedback...
Re: WAPT 1.5 vs Antivirus
Published: April 11, 2018 - 5:21 PM
by Alesk
Unfortunately, that's not enough. A huge number of tmp files are being flagged as Mal_Mlwr-13 in c:\wpat\*.tmp.
Managing the wildcard and bypassing this Mal_Mlwr-13 seems risky...
Any solutions?
Re: WAPT 1.5 vs Antivirus
Published: April 11, 2018 - 5:28 PM
by Alesk
Found:
Integrated c:\wapt\*.* in scan exceptions and to be applied to all scans according to
http://docs.trendmicro.com/en-us/enterp ... wildc.aspx
Re: WAPT 1.5 vs Antivirus
Published: April 12, 2018 - 3:02 PM
by benoitpatin
The best solution isn't to make exceptions, but to inform the antivirus software that the file is a false positive. Most software providers offer a page on their website where you can upload a file and indicate that it's safe. Generally, the update includes the file's hash within 24-48 hours, and you'll be trouble-free.
Re: WAPT 1.5 vs Antivirus
Published: April 12, 2018 - 4:17 PM
by Alesk
Hello,
Indeed, we are making this declaration for publisher applications with fixed elements.
However, with WAPT, detection seems inconsistent and not necessarily 100% accurate on the same elements. It seems necessary to compile a list of the problems encountered so that the declaration to the antivirus manufacturer is complete, and hopefully some issues will be fixed in the debug version 1.5 of WAPT.
... To be continued
Re: WAPT 1.5 vs Antivirus
Published: April 16, 2018 - 3:59 PM
by dcardon
Hello Alesk,
Alesk wrote: ↑Apr 11, 2018 - 5:21 PM
Unfortunately, that's not enough. A huge number of tmp files are being flagged as Mal_Mlwr-13 in c:\wpat\*.tmp.
Managing the wildcard and bypassing this Mal_Mlwr-13 seems risky...
Any solutions?
The WAPT code does not generate a *.tmp file itself. This file is created temporarily by Innosetup during program installation.
However, there is no reason for it to be created in the c:\wapt directory. It should be created in the temporary directory of the account launching the installation (c:\windows\temp for LOCALSYSTEM or %AppData%Local\Temp\ for others).
Could you possibly have a problem with the path for your %PATH% environment variable?
Sincerely,
Denis