Tranquil IT Forum

Hello,

Just so you know, overnight, our antivirus (Trend Micro) started deleting the waptdeploy.exe file from all the PCs.
These deletions generated alerts on the workstations, causing a bit of a panic. Nice way to start Monday morning!
The file is detected as spyware/greyware with the attack type: PUA.Win32.AddressCatcher.A.
We've temporarily had to exclude the file from scanning using its hash; what can you do on your end?

Sincerely,
Étienne

Hi Etienne,

it's difficult to anticipate changes in antivirus vendor behavior. That said, we're now starting to scan all builds with VirusTotal by default, so we should have a bit more advance warning if something happens. Furthermore, we've changed the default behavior (it does nothing if no parameters are specified) to minimize reports to antivirus software. The fixes are available on the new 2.1 branch.

For your information, we're now also scanning all new WAPT packages with VirusTotal so they're "known" (in addition to all WAPT binaries).

We're also going to start a new Insider campaign for the WAPT 2.1 release. If you're on the Enterprise version, you can participate to get the new versions as a bonus.

Best regards,
Denis Cardon

Hello Denis,

Thank you for your detailed reply!
I did notice that the file had already been scanned by VirusTotal.
As of this morning's update, despite the exception in our antivirus software, the waptupgrade package was flagged. Regarding this, is it possible to download a template somewhere? Or does it have to be completely recreated manually?

Looking at the Enterprise repository, I saw that there's a nightly version that goes up to 2.1. Are you referring to that one? Or does the Insider program offer a stable version? If so, yes, we would be interested . If it could help resolve our issue.

Best regards,
Étienne

The waptagent.exe file is currently recreated with your wapt server's certificates and configurations. Therefore, the file is unique each time, and since it's unsigned, it's not well-received by most antivirus programs (this isn't related to its behavior, but to the file's uniqueness and lack of a signature).

To partially address this issue, we'll integrate the tis-waptsetup.exe file into the waptupgrade package, along with the configuration file. This file is properly signed and is sent to VirusTotal with each modification, and given the number of sites it's used on, this should generate fewer problems.

The Insider program uses Release Candidate versions, and version 2.1RC1 should be released very soon. Participants in the program have direct access to the developer to fix any issues that might arise (there are so many different ways to set up a network that diversity is necessary to test everything ).

Sincerely,

Denis

Hi Etienne,

We also use Trend Micro and have the same problem. With Trend Micro support, we have this option:
"If you suspect a false positive (i.e., you believe the detected file to be non-malicious), kindly submit a sample of the detected file through the following channels for analysis."
I submitted waptdeploy to Trend Micro support, hoping it will be helpful.

Regarding waptagent, I personally sign it with a code signing certificate generated by our internal CA and recognized by our PCs. That seems to be sufficient; I no longer see any alerts from Trend Micro about this file.

Hi Vincent,

thanks for your reply!
I'd also heard about this possibility, but I couldn't find where to upload the file.

Until now, it was only the waptdeploy.exe file that was causing problems. Now it's a temporary file in the C:\program files (x86)\wapt that's created during installation. We have to exclude this directory from our scans (not a big fan, but we have no choice).

You have to open a box in “Threat issue” and you have the option that appears. I searched for a while.

Their feedback:
We have analyzed the file waptdeploy.exe (7d237ea585df8bf1001ed18e8513764b990621ad) and verified this to be non-malicious.

This will be added in our certified safe software databases and may take 12-24 hours to reflect in the systems.

Please make sure that the system is connected to the internet in order for the product to be able to query from our whitelisting.

I think it will only be for my waptdeploy.exe so....

Hello,

I have the same problem with Windows Defender.

Windows SmartScreen is blocking the action.

Do you have a solution

? Is it still relevant? For exclusion?
viewtopic.php?f=10&t=1091

"C:\Program Files (x86)\wapt\waptservice\win32\nssm.exe"
"C:\Program Files (x86)\wapt\waptservice\win64\nssm.exe"
"C:\Program Files (x86)\wapt\waptagent.exe"
"C:\Program Files (x86)\wapt\waptconsole.exe"
"C:\Program Files (x86)\wapt\waptexit.exe"

"C:\wapt\waptservice\win32\nssm.exe"
"C:\wapt\waptservice\win64\nssm.exe"
"C:\wapt\waptagent.exe"
"C:\wapt\waptconsole.exe"
"C:\wapt\waptexit.exe"

Please