CrowdStrike detected InvColPC.exe as malicious? Is this a legit file? Associated file: IntelAMTInv
I'd appreciate it if someone could help me figure out whether I should consider this file legit.
Hash: c6f979139deb11e25e93e9cfb6e037ce50f633fd69fed3b70bc2a60ec007dbf9
Associated file hash:
b344af400a81f80044be41660a7adbeaa75dbb995cf45f21c6e14cf1765ae603
Thanks,
RoHe
10 Elder
43.8K Posts
0
March 23rd, 2021 13:00
InvColPC.exe is an executable file for Inventory Collector, a part of the Dell Client System Update program developed by Dell Inc. The software is usually about 23.7 MB in size. The .exe extension of a file name indicates an executable file.
Some other apps, e.g. Fortinet, may flag it too, so this could be just a false positive...
What PC model and version of Windows?
DCClinton
4 Posts
0
April 6th, 2021 08:00
CrowdStrike is also identifying this file as SHA256 3ddb25bc9584e311575fab1feb2575f2a6995b71eec4a48463e220b216abfb9e and terminating it as potentially malicious. I'm more concerned about whether Dell updates were compromised.
DCClinton
4 Posts
0
April 6th, 2021 08:00
InvCol.exe SHA1: 65f97217e4e20be5e50e597da025881ca9d8f69c
kimball.don
1 Message
0
April 6th, 2021 08:00
I am getting a bunch of these detections also...
Command Line: "C:\Program Files (x86)\Dell\UpdateService\Service\InvColPC.exe" -outc=C:\ProgramData\Dell\UpdateService\Temp\Inventory.tmp
Nathan4546
5 Posts
0
April 6th, 2021 08:00
We are also seeing this today. Any info that can be provided would be appreciated.
Enzo Simoni
1 Message
0
April 6th, 2021 08:00
Need an answer from Dell please ASAP.
https://www.joesandbox.com/analysis/667715
dell_anon
1 Message
0
April 6th, 2021 09:00
Has Dell responded to this inquiry? I've started to see the same CrowdStrike alerts today, 4.6.21. I think they are false positives, but I am worried about a Dell update compromise.
DCClinton
4 Posts
0
April 6th, 2021 09:00
Not yet. However, if InvCol.exe (the initial file that was executed) was compromised, Dell's cert would be compromised as well, which would be a much larger issue. I think this is a false positive, but need to get some additional feedback as well.
kyawde
2 Posts
0
April 6th, 2021 09:00
Same happened to me!!
Chris_246AK
1 Message
0
April 6th, 2021 09:00
Same here. First alert around 10:10AM CST.
kyawde
2 Posts
0
April 6th, 2021 09:00
I manually ran this on a couple more Dell machines and got the same alert. My guess is CrowdStrike has misclassified the executable and is therefore generating these alerts.
DCClinton
4 Posts
0
April 6th, 2021 09:00
I've downloaded DellSupportAssistLauncher.exe from the Dell website, and allowed Dell to determine if any updates are needed (auto mode) from the website's product support page. CrowdStrike just fired off the same alert and event that I received for another user.
I'm not yet convinced this is a false positive, but it's very likely, since the file being extracted initially (InvCol.exe) was signed using Dell Inc; Entrust Extended Validation Code Signing CA - EVCS1; Entrust.net
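As an added triage example (not code from this thread, from Dell, or from CrowdStrike): a PowerShell script that hashes the binary at the path quoted earlier in the thread, compares it against the SHA256 values other posters reported, and validates the Authenticode signature and signer, which is the check the posts above are reasoning about. The path and hashes are taken from this thread; the expected subject CN of "Dell Inc" is an assumption.

```powershell
# Added triage script; not from the thread, Dell, or CrowdStrike.
# Assumptions: the path is the one quoted in the thread, and the hash list
# is just what was posted here, not an authoritative allow-list.
$Path = 'C:\Program Files (x86)\Dell\UpdateService\Service\InvColPC.exe'

# SHA256 values reported by posters in this thread ("previously seen" only).
$SeenSha256 = @(
    'c6f979139deb11e25e93e9cfb6e037ce50f633fd69fed3b70bc2a60ec007dbf9',
    'b344af400a81f80044be41660a7adbeaa75dbb995cf45f21c6e14cf1765ae603',
    '3ddb25bc9584e311575fab1feb2575f2a6995b71eec4a48463e220b216abfb9e'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "File not found: $Path"
    return
}

# 1. Hash the binary so it can be compared with what other hosts reported.
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
$seen   = $SeenSha256 -contains $sha256
Write-Output ("SHA256 : {0} (seen in thread: {1})" -f $sha256, $seen)

# 2. Validate the Authenticode signature. Status 'Valid' means the signature
#    verifies and the certificate chains to a root trusted on this host.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
Write-Output ("Status : {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Output ("Signer : {0}" -f $sig.SignerCertificate.Subject)
    Write-Output ("Issuer : {0}" -f $sig.SignerCertificate.Issuer)
    Write-Output ("Period : {0} to {1}" -f $sig.SignerCertificate.NotBefore,
                                          $sig.SignerCertificate.NotAfter)
}

# 3. Decide. The expected subject CN ('Dell Inc') is an assumption based on
#    the signer named in the thread; adjust to what your environment expects.
$signedByDell = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like '*CN=Dell Inc*')
if ($signedByDell) {
    Write-Output 'Verdict: validly signed by Dell Inc; likely false positive, pending vendor confirmation.'
} else {
    Write-Output 'Verdict: signature missing, invalid, or not from Dell Inc; isolate the host and escalate.'
}
```

A hash that matches the thread only shows other hosts saw the same bytes, not that the bytes are benign; the signature check is the part that actually ties the file to the publisher.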
JoshHargis
2 Posts
1
April 6th, 2021 09:00
I am seeing this too.
JPP_GSB
1 Message
0
April 6th, 2021 09:00
Having the same issue. I used to buy licenses for Crowdstrike directly from Dell with new machines. They have since ended their agreement and I have only a handful of machines out there with Crowdstrike Falcon still operating on them.
Aliwen
1 Message
0
April 6th, 2021 10:00
I am also having this same issue. Trying to figure out if it's a false positive or not!