ServiceStudio updater - Threat detected ServiceStudio-11.10.1.35288.exe
Discussion


I am getting a series of Microsoft Protection Threat alerts from the ServiceStudio updater program on multiple machines.  I created an incident with OutSystems 12 hours ago as critical, but since then it has been downgraded to High.  No subsequent information has been provided by OutSystems to confirm or deny that the downloaded file in question is or is not infected.  Most virus scanners use some AI when parsing assemblies; assemblies can be falsely flagged by calling a certain chain sequence or calling a specific API without the assembly (or assemblies) having elevated code and assembly signing.  Thus the detected threat could be reported falsely.

Both the standard and beta versions of the ServiceStudio are installed on the machines reporting this threat.  I am unclear if the two applications share the same update service or not.

Once Microsoft detects the threat, it removes the file from the temp download folder.  The ServiceStudio updater then redownloads the suspect file, triggering yet another threat alert.

First encountered 12/11/2020 4:30PM CST


MVP
Rank: #17

Hi Erik,

This problem is also already communicated to OutSystems through the OutSystems MVP program.

I shared your question there also. As soon as I get some feedback from OutSystems I will share it here.

Regards,

Daniel

Champion
Rank: #99

Hi,

I already opened a support case for that too. If I have news I will post it here to centralize all info related to this topic.


Best regards,

Ricardo M Pereira

Champion
Rank: #99

Hi,


New info related here: https://www.outsystems.com/forums/discussion/66931/why-is-the-installer-not-signed-it-causes-security-concerns/


So far I believe that this is solved.


Best regards,

Ricardo M Pereira

Staff
Rank: #21365

Hi Erik,


The problem was first reported and identified on Monday, 7th of December, when we decided to remove that version from availability until we figured out the issue. After analyzing the issue we came to the conclusion that this was a false positive. This type of false positive has happened before with other Antivirus software. On Wednesday, 9th of December, a new version of Windows Defender was released and our installer was no longer considered a threat. Since then the version has once again been available. We updated and tested it yesterday with the latest version of Windows Defender and it did not consider our installer a threat. Our recommendation is to delete your current Development Environment installer file, install the latest Windows Updates, or at least the Windows Defender updates, reboot your machine and download the latest version once again.


If the problem persists, please let us know!


Thank you,

Nuno Borges!
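As an added example, not code from the thread or from OutSystems, the following PowerShell checks cover the state the staff reply relies on: the Defender signature version in use, whether Defender has actually recorded a detection on the installer, and whether the download is Authenticode-signed (the concern raised in the linked "installer not signed" thread). The installer path is an assumption; adjust it to wherever the updater stages its download.

```powershell
# Added example (not from the thread or from OutSystems).
# $Installer is an assumed location; the updater's real temp path may differ.
$Installer = Join-Path $env:TEMP 'ServiceStudio-11.10.1.35288.exe'

# 1. Which Defender engine/signature set is active? The false positive
#    cleared with a newer Defender release, so record what this host runs.
$status = Get-MpComputerStatus
"Signature version: $($status.AntivirusSignatureVersion) (updated $($status.AntivirusSignatureLastUpdated))"
"Engine version:    $($status.AMEngineVersion)"

# 2. Has Defender acted on this installer? Each detection lists the
#    resources (file paths) it touched; filter on the installer name.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'ServiceStudio' } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-Table -AutoSize

# 3. Map ThreatID to a threat name so a support ticket can cite the
#    exact Defender signature that fired.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID

# 4. Is the download signed, and does the certificate chain validate?
#    Status 'Valid' means a trusted Authenticode signature; 'NotSigned'
#    or 'UnknownError' means the file cannot be attributed to a publisher.
if (Test-Path $Installer) {
    $sig = Get-AuthenticodeSignature -FilePath $Installer
    "Signature status: $($sig.Status)"
    if ($sig.SignerCertificate) {
        "Signer:     $($sig.SignerCertificate.Subject)"
        "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
    }
    # Keep the hash so a re-download after the Defender update can be
    # compared byte-for-byte with the copy that was flagged.
    "SHA256: $((Get-FileHash -Path $Installer -Algorithm SHA256).Hash)"
} else {
    "Installer not present at $Installer (Defender may already have quarantined it)."
}
```

Run it before and after applying the Defender update the staff reply recommends; if the signature version changes and the detection stops recurring while the file hash stays the same, that is consistent with a definition-side false positive rather than a changed binary.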

Rank: #442

Midday Saturday the 12th was the last time the updater downloaded version 35288.exe, and then it went silent until Tuesday the 15th, when version 36429 was downloaded without a threat detection.  Today I finally restarted Service Studio beta and was upgraded to version 36429.  All is good now.  Thanks for rolling back the 35288 build to stop the threat alerts.

My hunch is that the Dec 7 build had something unsigned in it around the service studio updater.  The same issue existed in the next build that was published on Friday the 11th.  However, the Microsoft detection rules had now become stricter because an untrusted application was downloading components from the web and the downloaded component contained even more untrusted components.

I have seen this pattern before with another threat detection application:  

  • A service would dynamically load an assembly based on an injected configuration file.
  • The service would also update these dynamically loaded assemblies over the web.
  • The dynamically loaded assembly scanned and read files from local storage using elevated privileges.
  • When a read file contained a hackerish term, the threat detection application would kill off the entire service process.