Virus infection of churchsupportselfprovision.exe

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
emperornortoni
New Member
Posts: 1
Joined: Sun Mar 03, 2024 1:14 pm

#1

Post by emperornortoni »

I consistently receive computers for my stake without the self-provisioning software pre-installed. That, in and of itself, is its own problem.

Today, I prepared to set up a new computer by downloading the churchsupportselfprovision.exe file from the link in the clerk computer setup wiki, and received a notification from my personal computer's antivirus software that the file I was trying to download was infected with a trojan, Win/Polazert.A.

Has anyone else received this notice from any other antivirus software? Is it just me? I run very strict privacy controls on my browser, but I don't think that's the problem.
Mikerowaved
Community Moderators
Posts: 4801
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Virus infection of churchsupportselfprovision.exe

#2

Post by Mikerowaved »

I just now uploaded the churchsupportselfprovision.exe tool to VirusTotal for analysis and 5 of 75 security vendors flagged it as malicious. It kind of makes sense, since it has similar activities with some malicious programs. For example, it does the following:
VirusTotal wrote: Matches Rules:
PowerShell Create Local User
Winlogon Helper DLL
User Added to Local Administrator Group
Powershell Detect Virtualization Environment
Powershell LocalAccount Manipulation
File Download From Browser Process Via Inline URL
PSScriptPolicyTest Creation against Applocker.
Suspicious Get Local Groups Information
Local User Creation
A Member Was Added to a Security-Enabled Global Group
Of course, it uses all the above tools to set up Windows exactly as they want it.

The file is digitally signed by the following:
VirusTotal wrote: Signers
Intellectual Reserve, Inc.
DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
DigiCert Trusted Root G4
DigiCert

Counter Signers
DigiCert Timestamp 2023
DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
DigiCert Trusted Root G4
DigiCert

x509 Certificates
DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Intellectual Reserve, Inc.
DigiCert Timestamp 2023
DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
DigiCert Trusted Root G4
In my opinion, this is a safe file to use and can be trusted to get the job done.
So we can better help you, please edit your Profile to include your general location.
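
The signature check described in post #2 can also be run locally on the downloaded file before executing it. This is an added example, not part of the original posts and not Church-provided code; the download path is an assumption, and the expected signer and CA names are the ones quoted from VirusTotal above.

```powershell
# Added example, not from the thread. $Path is an assumed download location;
# the expected names are the ones quoted from VirusTotal in post #2.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\churchsupportselfprovision.exe",
    [string]$ExpectedSigner = 'Intellectual Reserve, Inc.',
    [string]$ExpectedCA     = 'DigiCert Trusted Root G4'
)

$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$sig    = Get-AuthenticodeSignature -FilePath $Path

# 'Valid' means the file hash matches the signed hash and the chain is trusted locally.
# NotSigned or HashMismatch means the file is not what the publisher signed.
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Rebuild the chain so every certificate in it can be listed, leaf first.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
[void]$chain.Build($sig.SignerCertificate)
$names = @($chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo($simple, $false) })

$report = [pscustomobject]@{
    Status        = $sig.Status
    Signer        = $names[0]
    SignerMatches = $names[0] -eq $ExpectedSigner
    ChainHasCA    = $names -contains $ExpectedCA
    Chain         = $names -join ' -> '
    # A timestamp countersignature keeps the signature verifiable after the signing cert expires.
    Timestamped   = $null -ne $sig.TimeStamperCertificate
    # The SHA-256 lets you look up this exact file on VirusTotal without re-uploading it.
    SHA256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}
$report | Format-List

if (-not ($report.SignerMatches -and $report.ChainHasCA)) {
    throw 'Signed, but not by the expected publisher or certificate chain.'
}
```

A `Valid` status with the expected signer shows who published the file and that it was not altered after signing; it does not by itself settle whether an antivirus detection is a false positive.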
markcrego
New Member
Posts: 5
Joined: Tue Mar 12, 2024 6:25 am
Location: Northern Virginia

Re: Virus infection of churchsupportselfprovision.exe

#3

Post by markcrego »

I received the message from my antivirus (McAfee+ Advanced) that churchsupportselfprovision.exe has a clear pattern that Polazert.A is within the code. As a certified master technology architect and retired IT security professional, I don't accept the idea that McAfee is being triggered by the specific activities that the program should be providing, as Mikerowaved suggests. I'd like to hear an official answer from Church IT leadership on this.
Mikerowaved
Community Moderators
Posts: 4801
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Virus infection of churchsupportselfprovision.exe

#4

Post by Mikerowaved »

markcrego wrote: Sat Nov 09, 2024 7:59 pm I received the message from my antivirus (McAfee+ Advanced) that churchsupportselfprovision.exe has a clear pattern that Polazert.A is within the code. As a certified master technology architect and retired IT security professional, I don't accept the idea that McAfee is being triggered by the specific activities that the program should be providing, as Mikerowaved suggests. I'd like to hear an official answer from Church IT leadership on this.
I'm not saying you're wrong, but I'm sure with your background you understand there's always a slim possibility of a false-positive with any antivirus tool. This forum is mostly user-to-user help. Some developers check in on occasion, but it's pretty rare. I suggest expressing your concerns directly to the Meetinghouse Technology group at mht@churchofjesuschrist.org.
So we can better help you, please edit your Profile to include your general location.
markcrego
New Member
Posts: 5
Joined: Tue Mar 12, 2024 6:25 am
Location: Northern Virginia

Re: Virus infection of churchsupportselfprovision.exe

#5

Post by markcrego »

Mikerowaved wrote: Sun Nov 10, 2024 11:50 pm I'm not saying you're wrong, but I'm sure with your background you understand there's always a slim possibility of a false-positive with any antivirus tool. This forum is mostly user-to-user help. Some developers check in on occasion, but it's pretty rare. I suggest expressing your concerns directly to the Meetinghouse Technology group at mht@churchofjesuschrist.org.
I agree, and I did put in a FIR. Thanks.