Is this a known false positive? This reddit page seems to indicate the problem is widespread.
We would appreciate if Dell Support would potentially expedite the investigation into this little potential false positive. In the Reddit threads, those individuals that contacted Dell Support have been suggested to perform a complete OS restore on their workstation. I'm not one in favor of a complete workstation rebuild to address an issue that has not been fully defined. There is something amiss, and for those of us with DELL workstations, we would really appreciate some focus on this rapidly escalating workstation issue and a recommendation from Dell on a solution. I am supporting Lenovo, HP, and ASUS client workstations in the same networks, but only the DELL devices are experiencing this particular issue.
My personal workstation information:
Dell Alienware M17r3
Windows 10 Pro, 21H2, Build: 19044.1526
Received the message >> Trojan:HTML/CryptoStealBTC
From MS Defender >>
Alert level: Severe
Date: 3/2/2022 7:26 PM <<this is US Eastern Daylight Time where I was located>>
Details: This program is dangerous and executes commands from an attacker.
Affected items: \Device\HarddiskVolumeShadowCopy5\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\N8HN5GXZ.htm->(SCRIPT0004)
Action01: Result = Failed
MS Defender Quick Scan, identify, and attempt to perform Action = Remove
Action02: Result = Failed
MS Defender Quick Scan, identify, and attempt to perform Action = Quarantine
Action03: Result = Unknown
Full Malwarebytes (v4.5.5) scan did not detect any malware/viruses
Action04: Result = Failed
MS Defender Full Scan, identify, and attempt to perform Action = Remove
It appears the bloody target affected items file does not exist, but MS Defender on the DELL workstations continues to regurgitate the message that the Trojan persists. Some additional in-depth analysis from DELL would be appreciated.
I also had this problem yesterday, 02/03/2022, here in Brazil. It is a sign that the problem is not localized.
Until Dell decides to investigate this threat you can disable Dell SupportAssistAgent and Dell SupportAssistRemediation from running. It appears to be repushing the update after successful remediation. So either it is a false positive or a real threat. Until Dell investigates and publicly reports findings, I am disabling it.
Not a good look for Dell here that 24 hours has elapsed and they still have no public statement one way or the other. I also forwarded the threads to my account rep.
As a follow up - we updated Defender's Signatures this morning, and tried again. The error has gone (it was repeatable yesterday). The Defender update log also shows that this signature was updated
On balance, I think this was ultimately a false positive.
I'm agreeing with the false positive thoughts.
My actions taken on 03Mar2022
a) Alienware m17 R3 BIOS successfully updated from v1.13.0 to v1.14.0
b) Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 from v1.359.1239.0 to v1.359.1302.0
c) A full MS Offline Defender scan was performed and the Trojan threat was not reported
I'm not sure everyone would need to perform a BIOS update, but with the number of restarts performed, maybe the older volume shadow copy containing the perceived threat was rolled over or the previous attempts to remove the threat were finally performed. Don't know, but the threat has disappeared from the Defender radar. I still would like to know what occurred, if only to help lower my panic attack levels.
Please try to update your Microsoft Defender to the latest version, rescan the system once again and share the result; please mention the Defender version as well.
Is this a false positive or not?!? Why hasn't Dell released a statement here? Does Dell seriously not know yet what is causing this?
We aren't using Defender, but we are a Dell shop so we are invested in what is taking place here.
As pointed out above, here is an update on this.
Per the link: A recent update to Windows Defender has caused it to incorrectly identify SupportAssist as malware. Dell is working closely with Microsoft to resolve this issue and correct the false positive.
* Users with SupportAssist auto updates enabled should not be impacted
* Users with SupportAssist auto updates disabled should update Microsoft Defender virus definitions to version 1.359.1239.0 or higher
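The thread's own resolution amounts to three checks: is the Security Intelligence version at or above 1.359.1239.0, which detections of Trojan:HTML/CryptoStealBTC are recorded and did the remediation succeed, and is the flagged path inside a Volume Shadow Copy (the `\Device\HarddiskVolumeShadowCopy5\...` item quoted above), which would explain why `Remove` and `Quarantine` keep reporting `Failed`. The script below is an added example, not code from this thread or from Dell; it assumes Windows 10 with the built-in Defender PowerShell module, an elevated prompt, and that the threshold version and threat name are the ones quoted in the posts above. The event IDs in step 4 are the standard Microsoft-Windows-Windows Defender/Operational IDs (2000 signature updated, 1116 detected, 1117 action taken, 1118 action failed).

```powershell
# Added triage script, not from the thread or from Dell. Assumes Windows 10, the built-in
# Defender PowerShell module and an elevated prompt. $MinimumSignature is the threshold quoted
# in Dell's statement; $ThreatName is the detection reported in the thread.
$MinimumSignature = [version]'1.359.1239.0'
$ThreatName       = 'Trojan:HTML/CryptoStealBTC'

# 1. Is the installed Security Intelligence at or above the version Dell says clears the false positive?
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
"Signature version: $current (last updated $($status.AntivirusSignatureLastUpdated))"
if ($current -lt $MinimumSignature) {
    "Below $MinimumSignature; pulling the latest definitions"
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    "Signature version now: $current"
}

# 2. Which detections of this threat are recorded, and did the remediation action succeed?
#    Get-MpThreat maps ThreatID to ThreatName; Get-MpThreatDetection carries the file paths (Resources).
$threatIds  = Get-MpThreat | Where-Object ThreatName -eq $ThreatName | Select-Object -ExpandProperty ThreatID
$detections = Get-MpThreatDetection | Where-Object { $threatIds -contains $_.ThreatID }
if (-not $detections) { "No recorded detections of $ThreatName" }
foreach ($d in $detections) {
    "Detected {0}: ActionSuccess={1}" -f $d.InitialDetectionTime, $d.ActionSuccess
    $d.Resources | ForEach-Object { "  $_" }
}

# 3. A path under \Device\HarddiskVolumeShadowCopyN lives in a Volume Shadow Copy snapshot, which is
#    read-only, so Remove/Quarantine against it fails. List the snapshot IDs the detections refer to
#    and the snapshots that currently exist, so the hit can be tied to a snapshot rather than the live disk.
$shadowIds = @()
foreach ($r in $detections.Resources) {
    $m = [regex]::Match($r, 'HarddiskVolumeShadowCopy(\d+)')
    if ($m.Success) { $shadowIds += $m.Groups[1].Value }
}
$shadowIds = $shadowIds | Sort-Object -Unique
if ($shadowIds) {
    "Detections reference shadow copy volume(s): $($shadowIds -join ', ')"
    # Each entry shows 'Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN',
    # its Shadow Copy ID and creation time. Snapshots roll over on their own as new restore points
    # are created, which is one explanation for the detection disappearing after several restarts.
    vssadmin list shadows
}

# 4. Cross-check against the Defender operational log: the most recent signature updates (2000)
#    and the detection/remediation events (1116 detected, 1117 action taken, 1118 action failed).
$log = 'Microsoft-Windows-Windows Defender/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2000 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1116, 1117, 1118 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ThreatName) } |
    Select-Object TimeCreated, Id, Message
```

Run it before and after the signature update and compare: if the detection only ever points at a `HarddiskVolumeShadowCopy` path and the 1116 events stop once the signature is at or above 1.359.1239.0, the evidence matches the false-positive explanation. Do not delete shadow copies (`vssadmin delete shadows`) just to silence the alert; that discards restore points, and the thread shows the detection clearing on its own once definitions are updated.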