October 20th, 2024 22:49
Dell false positive? Trojan:Win32/Vigorf.A
So I know back in 2022, Windows Defender was making false positives on Dell PCs.
Unfortunately, it appears to be happening again. This afternoon I was met with:
Detected: Trojan:Win32/Vigorf.A
This was connected with C:\ProgramData\Dell\SARemediation\SystemRepair\Snapshots\Backup\[long code]
And also file:\Device\HarddiskVolumeShadowCopy1\Windows\[long code]\DellUpdate.Msi
Could someone from Dell please confirm this is a false positive detection?
Both of the "Affected items" on Windows Security are linked with Dell.
DELL-Nat M
Community Manager
November 14th, 2024 15:52
Hi everyone,
Thank you for your patience while we investigated the issue. To resolve this, please update your “Dell Update” and “SupportAssist” to the latest versions. This should fix the problem.
If you have any concerns, please let us know, or you can reach out to us via the Get Help Now chat located at the bottom right corner of this page.
Niwquil
1 Rookie
October 20th, 2024 21:07
Hello, I have the same problem on the same Dell Inspiron 3000. Windows Defender marked "DellUpdateApp.msi" as a Trojan file.
HuubNL
1 Rookie
October 21st, 2024 08:36
Same here... I assume it's a false positive.
ropaha
1 Rookie
October 21st, 2024 11:44
Same here with Dell Laptop. Manually update Windows Security Information. With the new version all warnings are gone.
DELL-Nat M
Community Manager
October 21st, 2024 14:09
Hi everyone,
Thank you for reporting this issue to us. Could you please update Windows to the latest version and see if that resolves the problem?
If the issue persists, could you share the following information with us:
* SupportAssist version
* Windows OS Build version (e.g., Windows 11 24H2)
* SupportAssist Remediation from add/remove programs in control panel.
Additionally, a screenshot of the error would be very helpful.
Thank you!
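
The checks asked for in this thread (refreshing Windows Security intelligence, then reporting the SupportAssist version, the OS build and the flagged items as text), collected in one PowerShell script. This is an added example, not part of any post and not Dell's own tooling; the `SupportAssist|Dell Update` display-name match is an assumption about how the packages are listed on a given machine.

```powershell
# Added example: run in an elevated PowerShell session.
# Uses only built-in Defender cmdlets and standard registry locations.

# 1. Refresh Defender security intelligence, then record the version in use.
Update-MpSignature
$mp = Get-MpComputerStatus
"Security intelligence : $($mp.AntivirusSignatureVersion) ($($mp.AntivirusSignatureLastUpdated))"

# 2. Windows version and OS build (for example 22H2, 19045.5011).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"Windows               : $($cv.DisplayVersion), OS build $($cv.CurrentBuild).$($cv.UBR)"

# 3. Dell Update / SupportAssist packages as shown in Add/Remove Programs.
#    The name pattern is an assumption; adjust it to what is installed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'SupportAssist|Dell Update' } |
    Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion -AutoSize

# 4. Defender detections whose threat name contains "Vigorf", with every
#    affected item, as plain text that can be pasted instead of a screenshot.
$names = @{}
Get-MpThreat | ForEach-Object { $names["$($_.ThreatID)"] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { $names["$($_.ThreatID)"] -like '*Vigorf*' } |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        [pscustomobject]@{
            Detected = $_.InitialDetectionTime
            Threat   = $names["$($_.ThreatID)"]
            Items    = ($_.Resources -join "`n")
        }
    } | Format-List
```

Comparing the security intelligence version before and after step 1 shows whether a detection disappeared because of a definition update rather than because the file changed.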
T_G
1 Rookie
October 21st, 2024 15:41
I'm unable to upload a screenshot. All of my upload attempts have failed.
ropaha
1 Rookie
October 21st, 2024 15:50
@T_G Same here. All uploads failed.
AnonT2298
1 Rookie
October 21st, 2024 16:15
@DELL-Nat M
I can at least say that I'm using the latest version of Windows (version 22H2 OS build 19045.5011) along with the latest version of Windows Defender (security intelligence 1.419.627.0). I've uninstalled Support Assist.
https://imgur.com/a/o8HC09G
The first two images show the alleged "Malware" that only Windows Defender seems to pick up. Third party tools like Malwarebytes don't detect it, even when I scan the relevant file. As you can see, I think both are tied to the Recovery tools Dell Support Assist and Dell Update install.
The third image is the initial detection, this one clearly is flagging the shadowcopies that Dell Update makes. I've since deleted every shadow copy and it seems to have stopped flagging it.
The fourth and final image shows that no matter how many times I either quarantine or delete the offending files, they get remade again. Which, again, leads me to think it's something tied to System Recovery that gets remade every time the file gets deleted or removed.
hcg50a
1 Rookie
October 21st, 2024 16:48
Windows Dell Trojan:Win32/Vigorf.A problem:
SupportAssist version 4.0.3.61632
Windows 10.0.19045 Build 19045
(Upload of screen shot failed. The screenshot is from the Protection History under the Virus and threat protection section of the Windows Security thingy.)
AnonT2298
1 Rookie
October 21st, 2024 17:34
@DELL-Nat M
It seems like it's trying to flag Recovery files. I deleted my shadowcopies and Windows Defender stopped flagging them. But now it's flagging:
\Recovery\Customizations\Apps.ppkg->\ICB\0\MachineSpecific\File\C$\Windows\Installer\213ce.ms
And
\Recovery\Customizations\Apps.ppkg->\ICB\0\MachineSpecific\File\C$\Program Files (x86)\Dell\UpdateService\Service\InvColPC.exe->(ZipSfx)->Thunderbolt_Reg/BIOS_Tool/G7ArTbtPower64.exe->(VFS:DBUtil_2_3.Sys)
Both files are remade each time I remove or quarantine them with Windows Defender. Which leads me to think that they're legit files pertaining to System Recovery. Furthermore, my copy of Malwarebytes just did an automatic scan and said no threats are detected.
I'm using the latest update and builds of both Windows and Windows Defender.
DELL-Chris M
Community Manager
October 21st, 2024 17:58
From AnonT2298 imgur =

AnonT2298
1 Rookie
October 21st, 2024 18:08
@DELL-Chris M
Thanks for uploading those pics.
For context: The first two show the latest detection shortly after turning on my PC this morning. I did a full shutdown last night and even disconnected it from the internet. As you can see it's singling out two files that are located in my Recovery folder. Both files seem to get remade every time I quarantine or remove them. I haven't tried manually removing them, and I honestly think that's a bad idea, given how people report bricking their PCs or having chaining BSODs from screwing around in there.
The third photo is the first detection, as you can see, it's listing Shadowcopies from the DellUpdateApp.msi. I've since deleted my shadowcopies and I've not gotten the same detection since. I've also uninstalled Dell Update and Dell Support Assist.
The fourth and final photo is the list of the many flags Windows Defender has made. As you can see, three of them were removed, and one was quarantined and the threats still keep popping up.
GrammyPG
1 Rookie
October 21st, 2024 18:15
@DELL-Nat M I too have problem but affecting other areas as well. Am a novice so may not be giving appropriate info. Received a Remediation Incomplete notice on PC yesterday morning but did not know it until checked today because got several notices last night on laptop. Ran offline scan on Laptop last night. Checked this morning and several more notices received, several quarantined later. Thought problem solved on laptop, but got another Remediation Incomplete, Severe at the moment I logged onto laptop this morning. The others quarantined then "removed or restored" were for other areas of Dell Updates other than ShadowCopy3. It doesn't appear this one was able to be Quarantined. I was not able to copy the screenshot into this message so am copying and pasting this latest on laptop:
Affected files:
file: \Device\HarddiskVolumeShadowCopy3\Windows\{11A89B9C-E4A8-479A-9C38-07489C2FC153}\DellUpdateApp.msi
file: \Device\HarddiskVolumeShadowCopy3\Windows\{6D0E596C-59BC-4529-917C-0B86AFC2823D}\DellUpdateApp.msi
AM CONCERNED ABOUT WHAT TO DO.
gotaboat
1 Rookie
October 21st, 2024 18:26
@DELL-Nat M
Same here.
Alienware m17
Processor Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz 2.90 GHz
Installed RAM 32.0 GB (31.8 GB usable)
System type 64-bit operating system, x64-based processor
Pen and touch No pen or touch input is available for this display
SupportAssist 4.0.3
Edition Windows 10 Pro
Version 22H2
Installed on 24/09/2020
OS build 19045.5011
Experience Windows Feature Experience Pack 1000.19060.1000.0
Cannot upload the Defender image. Here is the text...
Remediation incomplete
22/10/2024 4:50 AM
Detected: Trojan:Win32/Vigorf.A
Status: Failed
This threat or app might not be completely remediated.
Date: 22/10/2024 4:50 AM
Details: This program is dangerous and executes commands from an attacker.
Affected items:
file: \Device\HarddiskVolumeShadowCopy21\Windows\11A89B9C-E4A8-479A-9C38-07489C2FC153\DellUpdateApp.msi
GrammyPG
1 Rookie
October 21st, 2024 18:48
@DELL-Nat M
Re previous msg:
DellLap
(OS Build 19045.5011)
Can't find SupportAssist info.
Did not give info in previous msg re Desktop, but Windows is up to date and Remediation Incomplete Severe notice is for HarddiskVolumeShadowCopy23 of DellUpdateApp.