Tuesday, August 22, 2017

Policy Plus - Antivirus false positives

I noticed yesterday while downloading Policy Plus in a VM for testing that Edge's (and/or Windows's) SmartScreen check marked the EXE as malicious. Surprised, I uploaded the file to VirusTotal, which informed me that one engine (SentinelOne) considered it bad. There was an automated comment from PayloadSecurity with a link to an also probably automated analysis report.

The report listed a handful of "suspicious indicators", all of which are confusing to me. "Reads the active computer name" and "Reads the cryptographic machine GUID" are listed, but Policy Plus does neither, at least not directly; it's conceivable that the .NET Framework does them for some reason. The "Tries to sleep for a long time" section notes that it tried to sleep for 1566804069 milliseconds, but that's over 18 days, and Policy Plus doesn't intentionally delay at all except when waiting for some other relevant operation to complete, which should take at most a couple of minutes, not days. "Reads information about the supported languages" makes more sense, since it does consider the current language for ADML management purposes.

More concerningly, the report alleges that Policy Plus contains the ability to listen for incoming connections, but in reality the program has no remote control or network server features whatsoever. The closest thing it has is the ability to download a setup package from Microsoft to get the newest ADMX files. The report says it contacts one host, but the IP given resolves to a handful of things under googlevideo.com and gvt1.com, both of which seem to be controlled by Google. I don't know why Policy Plus would ever contact a Google server, because there's nothing in the code to do anything like that.

All in all, the report is baffling to me - if it weren't for the screenshot, extracted strings, and assembly information I'd think they got the wrong file. I filed a SmartScreen false positive report with Microsoft and am waiting to hear back.
