AMS 6.0 - amsloader.exe detected Trojan:Win32/BearfoosA!ml

Postby EKjellquist » Tue Nov 12, 2024 4:32 pm

Just FYI, I am working on upgrading AMS 5.1 -> 6 and Windows Defender detects the AMS 6.0 version of amsloader.exe as being infected with Trojan:Win32/Bearfoos.A!ml. I submitted it to VirusTotal and it comes up as 2/73 (MaxSecure / Microsoft) as Trojan.Malware.300983.susgen and Program:Win32/Wacapew.C!ml respectively. Scanning directly with Avast yields a safe result. These are likely false positives (typical with ml extensions), but long story short, if you try to install and wonder why AMS doesn't start, it's probably because Defender quarantined it.

https://www.virustotal.com/gui/file/929aebc88d2f266090cc92415abf8bc53d41c430efa95bebe0c675b8ed34f71b/detection
EKjellquist
 
Posts: 95
Joined: Tue Sep 09, 2014 10:40 pm

Re: AMS 6.0 - amsloader.exe detected Trojan:Win32/BearfoosA!ml

Postby Code Crafters » Wed Nov 13, 2024 8:50 am

Thanks for the feedback. It's strange as the amsloader.exe hasn't even changed since AMS 5. We haven't had other reports of this yet either.

Which version of Windows are you running? We use the latest Windows 11 and Windows Server 2016 on our Azure VM and neither has flagged it.
Code Crafters
 
Posts: 942
Joined: Mon Sep 10, 2007 2:35 pm

Re: AMS 6.0 - amsloader.exe detected Trojan:Win32/BearfoosA!ml

Postby EKjellquist » Mon Nov 18, 2024 8:32 pm

We ran AMS 5.1 on a Hyper-V VM of Server 2022 and upgraded in-place on the same VM. Initially Avast sandboxed it, and later on Windows Defender quarantined it automatically. Once Defender was told to restore and ignore it, it was OK after that, but I was super-confused why AMS 6 wasn't loading for like an hour (I never got a notification that amsloader.exe was quarantined).
EKjellquist
 
Posts: 95
Joined: Tue Sep 09, 2014 10:40 pm

Re: AMS 6.0 - amsloader.exe detected Trojan:Win32/BearfoosA!ml

Postby Code Crafters » Tue Nov 19, 2024 10:26 am

Thanks for the feedback. The antivirus probably doesn't like the way the exes are running. The launcher exe starts the loader. From there the loader starts the main app and restarts it if it crashes, which is very rare but the whole reason the loader exists. The loader also connects to SMTP, POP3 and IMAP4 to make sure these services are responsive and restarts the main app if not, too. I think the main app also monitors for the loader and relaunches that too.

In AMS 6 (DKIM and other updates), we updated the logs to not show connections from the loader but the process is still the same. I'd be interested to know if you have the same issue when upgrading to AMS 6.

It's not uncommon to get false positives from antivirus, and at least you can just exclude it, but it would be nice if they notified you when quarantining too. There is no malicious code in there, but it may be the way it interrogates the main app that it doesn't like.
Code Crafters
 
Posts: 942
Joined: Mon Sep 10, 2007 2:35 pm
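As an added example that is not part of this thread or of the AMS product: a PowerShell check an administrator could run after the upgrade to confirm the shipped amsloader.exe is the same binary EKjellquist submitted to VirusTotal, and to read Defender's own detection history for it, since the thread notes that the quarantine produced no notification. The install path is an assumption; the SHA-256 is the one from the VirusTotal link above.

```powershell
# Added example, not from the thread. Verifies the loader binary against the
# hash EKjellquist submitted, then lists what Defender recorded for that file.
# Assumption: AMS is installed under the path below; adjust for your server.
$LoaderPath  = 'C:\Program Files\AMS\amsloader.exe'   # assumed install path
$KnownSha256 = '929aebc88d2f266090cc92415abf8bc53d41c430efa95bebe0c675b8ed34f71b'  # from the thread

# 1. Is the file still on disk, and is it the binary discussed in the thread?
if (Test-Path -LiteralPath $LoaderPath) {
    $hash = (Get-FileHash -LiteralPath $LoaderPath -Algorithm SHA256).Hash
    if ($hash -ieq $KnownSha256) {
        Write-Host "amsloader.exe matches the hash submitted to VirusTotal"
    } else {
        Write-Warning "amsloader.exe hash $hash differs from the thread's sample; check before excluding"
    }
} else {
    Write-Warning "amsloader.exe is missing from disk; Defender may have quarantined it"
}

# 2. Ask Defender what it did. With no toast notification, this history is the
#    only record that the loader was quarantined.
$hits = Get-MpThreatDetection | Where-Object { $_.Resources -match 'amsloader\.exe' }
foreach ($h in $hits) {
    $threat = Get-MpThreat | Where-Object { $_.ThreatID -eq $h.ThreatID }
    [pscustomobject]@{
        When      = $h.InitialDetectionTime
        Threat    = $threat.ThreatName          # e.g. the Bearfoos/Wacapew names above
        Resource  = ($h.Resources -join '; ')
        Succeeded = $h.ActionSuccess
    }
}

# 3. Only after the hash matches and the detection has been judged a false
#    positive: exclude this single file, not the whole AMS directory.
# Add-MpPreference -ExclusionPath $LoaderPath
```

Run it in an elevated PowerShell session; the exclusion line is left commented so the hash check and the detection history are reviewed first.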
