Virus & Spyware

Last reply by 03-04-2022 Solved

Dell Update triggers CryptoStealBTC warning with Microsoft Antimalware

Is this a known false positive? This reddit page seems to indicate the problem is widespread.

i cant remove or put in quarantine "trojan:html/cryptostealbtc" : antivirus (reddit.com)


Replies (19)


We would appreciate it if Dell Support would expedite the investigation into this little potential false positive. In the Reddit threads, those individuals who contacted Dell Support were advised to perform a complete OS restore on their workstation. I'm not one in favor of a complete workstation rebuild to address an issue that has not been fully defined. There is something amiss, and for those of us with DELL workstations, we would really appreciate some focus on this rapidly escalating workstation issue and a recommendation from Dell on a solution. I am supporting Lenovo, HP, and ASUS client workstations in the same networks, but only the DELL devices are experiencing this particular issue.

My personal workstation information:

Dell Alienware M17r3
Windows 10 Pro, 21H2, Build: 19044.1526

Received the message >> Trojan:HTML/CryptoStealBTC

From MS Defender >>

Alert level: Severe
Status: Active
Date: 3/2/2022 7:26 PM <<this is US Eastern Daylight Time where I was located>>
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

Affected items: \Device\HarddiskVolumeShadowCopy5\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\N8HN5GXZ.htm->(SCRIPT0004)

Actions Taken>>

Action01: Result = Failed
MS Defender Quick Scan, identify, and attempt to perform Action = Remove

Action02: Result = Failed
MS Defender Quick Scan, identify, and attempt to perform Action = Quarantine

Action03: Result = Unknown
Full Malwarebytes (v4.5.5) scan did not detect any malware/viruses

Action04: Result = Failed
MS Defender Full Scan, identify, and attempt to perform Action = Remove

It appears the bloody target affected-items file does not exist, but MS Defender on the DELL workstations continues to regurgitate the message that the Trojan persists. Some additional in-depth analysis from DELL would be appreciated.


I also had this problem yesterday, 02/03/2022, here in Brazil. It is a sign that the problem is not localized.


Until Dell decides to investigate this threat, you can stop Dell SupportAssistAgent and Dell SupportAssistRemediation from running. It appears to be re-pushing the update after successful remediation. So either it is a false positive or a real threat. Until Dell investigates and publicly reports findings, I am disabling it.


Not a good look for Dell here that 24 hours have elapsed and they still have no public statement one way or the other. I also forwarded the threads to my account rep.


As a follow-up: we updated Defender's signatures this morning and tried again. The error has gone (it was repeatable yesterday). The Defender update log also shows that this signature was updated.

[Attached screenshot: Defender update log]

On balance, I think this was ultimately a false positive.


I'm agreeing with the false positive thoughts.

My actions taken on 03Mar2022

a) Alienware m17 R3 BIOS successfully updated from v1.13.0 to v1.14.0

b) Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 from v1.359.1239.0 to v1.359.1302.0

c) A full MS Offline Defender scan was performed and the Trojan threat was not reported

I'm not sure everyone would need to perform a BIOS update, but with the number of restarts performed, maybe the older volume shadow copy containing the perceived threat was rolled over or the previous attempts to remove the threat were finally performed. Don't know, but the threat has disappeared from the Defender radar. I still would like to know what occurred, if only to help lower my panic attack levels.


Hi @DSGF

Please update your Microsoft Defender to the latest version, rescan the system once again, and share the result. Please mention the Defender version as well.


DELL-Nikhil K
Social Media Support
#IWork4Dell

Is this a false positive or not?!?  Why hasn't Dell released a statement here?  Does Dell seriously not know yet what is causing this?

We aren't using Defender, but we are a Dell shop so we are invested in what is taking place here.


Looks like there is now a post on the main forum confirming this is a false positive.  Not sure why no one from Dell has acknowledged that in this thread.

Community Manager

As pointed out above, here is an update on this.

Per the link: A recent update to Windows Defender has caused it to incorrectly identify SupportAssist as malware. Dell is working closely with Microsoft to resolve this issue and correct the false positive.

* Users with SupportAssist auto updates enabled should not be impacted
* Users with SupportAssist auto updates disabled should update Microsoft Defender virus definitions to version 1.359.1239.0 or higher
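The checks the thread arrives at (is the Defender signature version at or above 1.359.1239.0, does Defender still hold a CryptoStealBTC detection, does the flagged shadow copy still exist, and which SupportAssist services are running) can be run from one PowerShell session. The script below is an added example written for this page; it is not Dell's or Microsoft's code and is not from the thread. It assumes Windows 10 with the built-in Defender PowerShell module (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection) and an elevated session, which Win32_ShadowCopy requires. The SupportAssist service match uses a display-name wildcard because the thread gives the names informally.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on the affected Dell machine.
# Version named in Dell's notice as the first definition set without the false positive.
$RequiredSignature = [version]'1.359.1239.0'
$ThreatPattern     = 'CryptoStealBTC'

# 1. Signature version check: below the fix threshold means the false positive can still fire.
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
if ($current -lt $RequiredSignature) {
    Write-Warning ("Defender signatures {0} are older than {1}; updating." -f $current, $RequiredSignature)
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
"Defender signature version: $current (last updated $($status.AntivirusSignatureLastUpdated))"

# 2. Detections still recorded for this threat name. Get-MpThreat holds the name,
#    Get-MpThreatDetection holds the per-event path and outcome; join them on ThreatID.
$threats    = Get-MpThreat | Where-Object { $_.ThreatName -match $ThreatPattern }
$detections = foreach ($t in $threats) {
    Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $t.ThreatID } | ForEach-Object {
        [pscustomobject]@{
            Threat     = $t.ThreatName
            Detected   = $_.InitialDetectionTime
            Remediated = $_.ActionSuccess
            Resources  = ($_.Resources -join '; ')
        }
    }
}
if (-not $detections) {
    "No recorded detections match '$ThreatPattern'."
} else {
    $detections | Format-List
}

# 3. The thread's flagged path lives in \Device\HarddiskVolumeShadowCopy5. A detection that
#    points at a shadow copy which no longer exists is exactly the "file does not exist, but
#    Defender keeps reporting it" situation described above.
$shadowObjects = Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object -ExpandProperty DeviceObject
foreach ($d in $detections) {
    if ($d.Resources -match 'HarddiskVolumeShadowCopy(\d+)') {
        $copy   = $Matches[0]
        $exists = $shadowObjects | Where-Object { $_ -like "*$copy" }
        if ($exists) { "Shadow copy $copy still present; the flagged file may still be in it." }
        else         { "Shadow copy $copy no longer exists; the detection is stale." }
    }
}

# 4. SupportAssist services one poster disabled while waiting for Dell's answer.
#    Display-name wildcard is an assumption; adjust if your service names differ.
Get-Service -DisplayName '*SupportAssist*' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType
```

Run it once before and once after updating definitions: a stale detection whose shadow copy is gone, combined with a signature version at or above the threshold, is the state the later posts in this thread describe as resolved.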
