xkbcomp.exe reported as trojan #27
Replies: 2 comments 2 replies
-
|
virustotal correctly detects this installation file vcxsrv-64.21.1.13.0.installer.exe as a trojan |
Beta Was this translation helpful? Give feedback.
-
|
correctly!? |
Beta Was this translation helpful? Give feedback.
-
|
Any answer on this? It looks bad, really. I tried downloading it and now I have to explain why to IT Security, like I'm a suspect for something. |
Beta Was this translation helpful? Give feedback.
-
|
At this stage, I do not believe this software to be a trojan as well. My personal firewall did not detect any troubling incoming activities (no prompt to whitelist any inbound traffic, no traffic logs). However, in a corporate environment, you cannot take any bet. The correct approach is to proactively uninstall the software then investigate the root causes and wait for a greater quality assurance prior reinstalling it. The author/maintainer went AWOL or is utterly uninterested in challenging any AV alerts. Such behavior cannot be trusted by any cybersec team. The community is far too small to offer any valuable insight on the source code or compiled binaries. This software is way too confidential for any AV editors to offer a valuable feedback to the public as well. First, apologize to your IT sec team for installing a third-party tool without their consent/knowledge which is probably meant to be non-compliant event by their policies/standards. Then, offer an honest explanation for its use (e.g. one of the most up-to-date x server available for WSL) in line with your work or role and responsibilities. Eventually, identify together any alternative that may be suitable against their requirements. Move on. |
Beta Was this translation helpful? Give feedback.
-
The installation file vcxsrv-64.21.1.13.0.installer.exe is now identified as a malware named after Vigorf by Microsoft Defender for EndPoint AV solution. Yet, VirusTotal is not reporting this install file as a threat.
https://www.virustotal.com/gui/url/6da36d6a669f02e613a403b74758efb74acc3b3d7b15318e5bf4853e55b37556/detection
Therefore, one may be tempted to consider this potential threat as a false positive.
However, the xkbcomp binary is also reported as a threat (Trojan:Win32/VBClone) which is shared by 8 AV vendors out of 75
https://www.virustotal.com/gui/file/5e76de6e07913392c7f5d20a0b63305744c784bf1743a2b1c36e5dc9a7ba35e9/detection
Could you provide your feedback to the community?
Audit Trail
8/9/2024 8:58:52 AM
explorer.exe interacted with file vcxsrv-64.21.1.13.0.installer.exe
SHA1 775c04b737da218ea8e0cf00c15e7212960dd200
Path xxxx\vcxsrv-64.21.1.13.0.installer.exe
Size 39 MB
Is PE True
Creation time Aug 9, 2024 8:58:38 AM
Last modified time Aug 9, 2024 8:58:40 AM
Is run time packed True
PE metadata vcxsrv-64.21.1.13.0.installer.exe
Mark of the web Internet
Remediation details Defender detected and quarantined 'Trojan:Win32/Vigorf.A' in file 'vcxsrv-64.21.1.13.0.installer.exe', preventing attempted open by 'explorer.exe'
'Vigorf' malware was prevented New Prevented Informational
8/7/2024 2:04:29 PM
8/7/2024 10:31:09 AM
powershell.exe interacted with file xkbcomp.exe
SHA1 3ac55f00570121dce48e97bd2f47a2287a2cb7f0
Path C:\Program Files\VcXsrv\xkbcomp.exe
Size 302 KB
Is PE True
Remediation details Defender detected and quarantined 'Trojan:Win32/VBClone' in file 'xkbcomp.exe', preventing attempted open by 'powershell.exe'
'VBClone' malware was prevented New Prevented Informational
Additional related files
Beta Was this translation helpful? Give feedback.
All reactions