
March 2nd, 2022 09:00

Dell Update triggers CryptoStealBTC warning with Microsoft Antimalware

Is this a known false positive? This reddit page seems to indicate the problem is widespread.

i cant remove or put in quarantine "trojan:html/cryptostealbtc" : antivirus (reddit.com)


Community Manager • 2.2K Posts

March 4th, 2022 13:00

As pointed out above, here is an update on this.

Per the link: A recent update to Windows Defender has caused it to incorrectly identify SupportAssist as malware. Dell is working closely with Microsoft to resolve this issue and correct the false positive.

* Users with SupportAssist auto-updates enabled should not be impacted.
* Users with SupportAssist auto-updates disabled should update Microsoft Defender virus definitions to version 1.359.1239.0 or higher.
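For anyone checking a fleet rather than one laptop, here is a PowerShell snippet that verifies the point above: it compares the installed Defender definition version against 1.359.1239.0 (the version named in this post), pulls an update if the machine is behind, and lists what Defender has logged for the threat name. This is an added example, not code from Dell or Microsoft; the cmdlets are the standard Windows Defender module (`Get-MpComputerStatus`, `Update-MpSignature`, `Get-MpThreat`, `Get-MpThreatDetection`) and `Update-MpSignature` needs an elevated prompt. The function name `Test-DefenderSignatureVersion` is my own.

```powershell
# Added example: verify Defender definitions are at or above the version the
# Community Manager post names as carrying the corrected signature, update if
# not, and review the detection history for the CryptoStealBTC name.
# Run from an elevated PowerShell prompt on the affected Windows machine.

$FixedVersion = [version]'1.359.1239.0'   # version quoted in the thread

function Test-DefenderSignatureVersion {
    # Returns the installed definition version and whether it meets the fix version.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Current     = $current
        Required    = $FixedVersion
        IsUpToDate  = ($current -ge $FixedVersion)
        LastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

$check = Test-DefenderSignatureVersion
$check | Format-List

if (-not $check.IsUpToDate) {
    Write-Host "Definitions $($check.Current) are older than $FixedVersion; updating..."
    Update-MpSignature            # fetch current definitions via the configured update source
    Test-DefenderSignatureVersion | Format-List
}

# Show what Defender recorded for this threat name: detection time, whether the
# chosen action succeeded, and the file path(s) it named. A failed action against
# a shadow-copy path that no longer exists is consistent with the reports in
# this thread rather than with a live infection.
$ids = (Get-MpThreat | Where-Object ThreatName -like '*CryptoStealBTC*').ThreatID
Get-MpThreatDetection |
    Where-Object { $_.ThreatID -in $ids } |
    Select-Object InitialDetectionTime, ActionSuccess, Resources |
    Format-List
```

If the version check passes and a fresh full scan reports nothing, the remaining history entries are just the record of the earlier misidentification; they are not evidence that anything is still present.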


17 Posts

March 2nd, 2022 10:00

I got the CryptoSteal warning also, and that Reddit thread has become pretty active with people asking about it. Anyone from Dell, can you post here to let us know if this is a false positive?

1 Message

March 2nd, 2022 11:00

I got the same warning too; don't know if it's a false positive or an actual threat yet. Would love some clarification.

4 Posts

March 2nd, 2022 12:00

I have just got it on a Dell XPS 15 9510. My Dell is 3 days old and I didn't have time to download anything.

If you start a complete scan you can quarantine it...

1 Message

March 2nd, 2022 12:00

I have a 9510 as well, about a month old running Windows 11. Mine should be up to date, as I run updates as soon as I can. I just received this notification a few minutes ago.

17 Posts

March 2nd, 2022 12:00

Windows Defender is flagging this so this might be a Microsoft issue vs. a Dell issue.

When I got this notification I went into protection history and selected the action to remove the threat, and it said that the remediation is incomplete and failed. Then I did a full scan, got the notification, and when I selected the remove action, protection history shows that the threat was removed. Another full scan now shows no threats detected. So a false positive with inconsistent removal results?

13 Posts

March 2nd, 2022 14:00

Dell, where are you??

1 Message

March 2nd, 2022 15:00

Just received this notification on my work laptop: Dell Latitude 9420.

March 2nd, 2022 15:00

These sure appear to be false positives, but it would be great to get confirmation.

As an aside, Dell hasn't done itself any favors with the apparent typo in the related executable name (note the missing "i" after the second "d" in "DellSupportAssistRemedationService.exe")

10 Elder • 43.6K Posts

March 2nd, 2022 17:00

I pinged my Dell contacts earlier today and provided the link to this thread and to the Reddit thread.

Stay tuned...

2 Posts

March 2nd, 2022 20:00

We would appreciate it if Dell Support would expedite the investigation into this potential false positive. In the Reddit threads, those individuals who contacted Dell Support have been advised to perform a complete OS restore on their workstation. I'm not in favor of a complete workstation rebuild to address an issue that has not been fully defined. There is something amiss, and for those of us with DELL workstations, we would really appreciate some focus on this rapidly escalating workstation issue and a recommendation from Dell on a solution. I am supporting Lenovo, HP, and ASUS client workstations in the same networks, but only the DELL devices are experiencing this particular issue.

My personal workstation information:

Dell Alienware M17r3
Windows 10 Pro, 21H2, Build: 19044.1526

Received the message >> Trojan:HTML/CryptoStealBTC

From MS Defender >>

Alert level: Severe
Status: Active
Date: 3/2/2022 7:26 PM
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

Affected items: \Device\HarddiskVolumeShadowCopy5\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\N8HN5GXZ.htm->(SCRIPT0004)

Actions Taken>>

Action01: Result = Failed
MS Defender Quick Scan, identify, and attempt to perform Action = Remove

Action02: Result = Failed
MS Defender Quick Scan, identify, and attempt to perform Action = Quarantine

Action03: Result = Unknown
Full Malwarebytes (v4.5.5) scan did not detect any malware/viruses

Action04: Result = Failed
MS Defender Full Scan, identify, and attempt to perform Action = Remove

It appears the bloody affected-items target file does not exist, but MS Defender on the DELL workstations continues to regurgitate the message that the Trojan persists. Some additional in-depth analysis from DELL would be appreciated.

1 Message

March 3rd, 2022 05:00

Until Dell decides to investigate this threat you can disable Dell SupportAssistAgent and Dell SupportAssistRemediation from running. It appears to be re-pushing the update after successful remediation. So either it is a false positive or a real threat. Until Dell investigates and publicly reports findings, I am disabling it.

1 Message

March 3rd, 2022 05:00

I also had this problem yesterday, 02/03/2022, here in Brazil. It is a sign that the problem is not localized.

13 Posts

March 3rd, 2022 07:00

Not a good look for Dell here that 24 hours have elapsed and they still have no public statement one way or the other. I also forwarded the threads to my account rep.

2 Posts

March 3rd, 2022 07:00

As a follow-up, we updated Defender's signatures this morning and tried again. The error has gone (it was repeatable yesterday). The Defender update log also shows that this signature was updated.

(attached screenshot of the Defender update log: HVec_0-1646320305257.png)

On balance, I think this was ultimately a false positive.
