Persistent installation request...RarSFX0\bddeploy.exe

Digger

I recently uninstalled an old version of Bitdefender Antivrus Free and Bitdefender Agent (via Windows 10 “Uninstall or change a program” panel). I then downloaded and installed the latest version.

Subsequent to that, each time I turned on my laptop, logged in to W10 and connected to wi-fi, a dialogue box would appear asking “Do you want to allow this app to make changes to your device?”. It was for Bitdefender Installation file, Verified Publisher Bitdefender SRL, Program location ……...App Data\Local\Temp\RarSFX0\bddeploy.exe. There seems to be no reason for this, as Bitdefender loads and appears to be functioning as it should. I deleted the temporary file, but the problem arose again when I next connected to wi-fi. I again deleted the temporary file, then uninstalled Bitdefender and did a fresh install.

None of those actions resolved the issue...I still get the Installation File request every time I connect to wi-fi.

Any suggestions for eliminating this persistent and annoying bug?

BitFiddler44

I am seeing this as well, except for slightly different "RarsFX<n>" directory.

zpointe

I am having a similar problem with this as well. When I download the exe from central to downloads, the uac prompt shows that the program is located in Users\<username>\AppData\Local\Temp\RarXFS0\bddeploy.exe. I don't see or understand a need for this.

Mark12

I am having the same problem and believe that Bitdefender's app has been hacked / corrupted in some way and is trying to download malware onto our computers. Interestingly, the file disappears when I try to locate it. As soon as I find the file, RarXFS0 or RarXFS1 the file disappears. The fact that Bitdefender has not responded to this is concerning.

Very concerning and poor support from Bitdefender in not responding to this issue.

SuperMatico

I have the same problem too, and here I saw a lot of solutions from the support, good

jmal377

Same problem except I looked at the IP it is sending to and it is CloudFlare. Bitdefender has a few warnings about CloudFlare. I made a rule blocking that IP address. But it added a rule to allow Bddeploy to run (without asking).

Morongo

Yeah, same here, sorta:

"C:\windows\Temp\RarSFX0\bddeploy.exe - Windows can not access the specified Device, Path or File. you may not have the appropriate permissions to access them."

*My BD setup:* Bitdefender Antivirus Free Build 27.0.14.78 Last Procuct Update: 7/15/2023 - Threat information updates: 13490054 Engine version 7.94977 Last engine update: 7/16/2023 4:02 AM

So, *what* is calling this and why? This looks like it's calling an installer. BD is successfully installed, running and updating with no errors. There should be no need to call bddeploy.exe once installed.

Running Ultrsearch on this shows no files by that name anywhere on my C:\ drive.

The directory C:\windows\temp only has a \bd_B.tmp subdirectory and that subdirectory has one file: xii1C.tmp: 14,227KB with user permissions set to *read-only*.

A hex editor shows this is an executable (exe or dll) with MZ magic and a PE header. I would guess this is the renamed 'bddeploy.exe'. I don't have a VM running so I'm not going to rename it and try to run it.

So again, *what* in the BitDefender ecosphere is calling it? And why?

@jmal77: I checked my firewall logs and, sure, BD does access both Google and Cloudflair, but Cloudflair is just a CDN (a reverse proxy) to hide the originating IP.

I'd do that too if I didn't want DDOS attempts shutting me down and I needed fast access worldwide though their delivery network, nothing suspicious about it. As for Google, BD probably has servers there, among other locations, just like Amazon aws, etc.

*Support*, reply to some of this stuff!

Thanks.