PowerISO 7.6 installer - identified as Trojan.GenericKD.33887387

Also, when actually trying to do the download of the x64 installer from the PowerISO web site, BitDefender blocks the page, and I must manually accept it:

PowerISO is a legitimate operation, not malware. The page on which the download link occurs is:


Comments

  • Flexx
    edited May 2020

    Hi Member,

    It is understood that PowerISO is genuine software, but instead of only installing its own software, it comprises bundled software within its setup file. As you can see in the image, the setup of PowerISO is bundled with Bytefence, which according to the majority of AV vendors is a PUP/PUA.

    Though the setup is not a trojan, it is definitely a bundler, which comes under the classification of PUP/PUA. So if PowerISO removes the bundled software from its setup file, the detection for the same software will be removed; until then the detection will stay.

    If this helps, kindly select accepted

    Regards

    Flex

    (Bitdefender beta tester 2019/ 2020)

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • DSperber
    edited May 2020

    Well, I understand that it includes this bundled software in its Setup file. And of course I simply push the DECLINE button to skip its installation, because I'm naturally paying attention as I install this non-free software (which I have paid a license fee for!) being well aware that it very likely might include something like this. At least they allow me to opt-out, as long as I'm paying attention.

    Of course I would only expect this type of trickery in a "free" product, not one for which I had to pay to license.

    However there are other "free" products which also include this exact same type of bundled software in the primary product installer EXE, but which BitDefender does NOT identify as a "threat" during scans. Now they may not specifically include ByteFence as their bundled software, but they certainly offer 3rd-party products... again avoided by me through pushing of the DECLINE button.

    Just for example, the free versions of PotPlayer, IMGBurn, and Partition Wizard, ALL include 3rd-party software offered during their install dialog, and ALL of them allow opt-out with a DECLINE button. This method of offering and presenting both a DECLINE and ACCEPT button (with ACCEPT pre-selected as default, so you have to be aware of that and consciously push the DECLINE button instead of just pushing NEXT) seems to be quite typical. I believe the actual 3rd-party software offered is not a constant, but changes or rotates through a list of several products that can be pushed out in this way. I've seen WebAdvisor, AVAST, etc., any and all of which I DECLINE when offered. I thought you might get different 3rd-party product offers over time, even when using the identical installer EXE... kind of like an advertisement server that simply "dishes out" different software product offers.

    So, are you saying it happens to be ByteFence in particular which is the particular offender, rather than the PowerISO installer itself? That's certainly not obvious from the diagnostic message put out by your scan which resulted in the quarantine of the installer EXE. I think it would be very helpful if a more explicit and informative message were produced by BitDefender SCAN, so that I could take appropriate action such as contacting the vendor.

    I will contact the PowerISO people to see if the offer of ByteFence is FIXED into their installer and never changes, or if it just happens to be one of a set of unpredictable rotating 3rd-party products offered through a "software server". I guess it must be "fixed" in the installer itself, if BitDefender found it, rather than being a variable run-time 3rd-party product offered by a "software server" initiated through the PowerISO installer.

    Note that I didn't have this issue with the previous 7.5 version of their licensed product. Only this new 7.6 installer file includes the 3rd-party software offer of ByteFence. Or perhaps the 7.5 installer also offered some "benign" 3rd-party product but maybe not ByteFence in particular. So maybe it just never showed up until now.

    Anyway, I will let you know what they say.

    Thanks.

  • Flexx
    edited May 2020

    Well, if you consider the sample is incorrectly detected, you can directly lodge a request for removal of the detection with the malware research team via the link below.

    https://www.bitdefender.com/submit/

    If the malware researchers agree that the detection is incorrectly classified, then the detection will be removed in a maximum of 72 hours. If the detection is still available even after 72 hours, you should assume that the detection will stay as per the malware researchers.

    Regarding the other software containing a bundler (PotPlayer, IMGBurn, and Partition Wizard), you can also share these files directly with the malware researchers through the above forum only for verification.

    At the end it comes down to the malware analysts only. They are the ones who will create or remove the detections. Every AV vendor has a different policy for classifying a particular sample as PUP/PUA/malware.

    ADDITIONALLY, YOU SHOULD NOTE THAT BUNDLERS CAN BE PART OF GENUINE SOFTWARE. SO THERE IS NO WAY OF REMOVING A BUNDLER DIRECTLY FROM A SOFTWARE SETUP FILE, SINCE THE BUNDLER'S SETUP IS MERGED INTO THE SETUP FILE OF THE MAIN SOFTWARE.

    BY INCLUDING 3RD PARTY BUNDLERS IN THE ORIGINAL INSTALLATION FILE, 2 THINGS HAPPEN:

    1) The original company generates revenue from the 3rd party company.

    2) The 3rd party company's product gets promoted by getting included in other software.

    If this helps, kindly select accepted

    Regards

    Flex


  • DSperber

    Heard back from the PowerISO people.

    Turns out I had actually downloaded the "free" version installer which is what is provided through their DOWNLOAD page (without actually advising that this is not the FULL version but the FREE version), which does come with that bundled 3rd-party software that I have reported here. In fact I had paid for the licensed version, and at the time of purchase the online dialog provided a different download link... for the FULL VERSION (which has some additional features). And the FULL VERSION installer does NOT include any embedded bundled 3rd-party software offer.

    Their DOWNLOAD page doesn't actually provide a link to the FULL version. But their email to me today reminded me of that, and provided again the special link to download the official non-free licensed FULL VERSION of 7.6, which I've now downloaded and installed (replacing the free 7.6 which I'd mistakenly downloaded and installed).

    And sure enough the non-free FULL version doesn't contain any 3rd-party software offer, and is not detected as a problem by BitDefender.

    Case closed. Thank you.

  • Flexx

    If your issue has been resolved, kindly select accepted

    Regards

    Flex


  • DSperber
    edited May 2020

    I would, if I knew how to do that.

    Where is this "accepted" button? I see no such thing. At least it's not very obvious to me, if it's present somewhere.

  • Flexx

    Hi Member,

    You can go forward & click on agree.

    Regards

    Flex
