Could this be a false positive from VirusTotal?

Hello everybody. I'm in a trial period for Bitdefender Total Security. After checking with VirusTotal, I got the following results for the executables below. Is something wrong? Thanks.


"C:\Program Files\Bitdefender\Bitdefender Security\hntwhlpr.exe"

Crowdsourced YARA rules

- Matches rule INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb by ditekSHen from ruleset indicator_suspicious at https://github.com/ditekshen/detection: Detects executables referencing virtualization MAC addresses.


"C:\Program Files\Bitdefender\Bitdefender Security\obkch.exe"

Crowdsourced YARA rules

- Matches rule Adobe_XMP_Identifier by InQuest Labs from ruleset Adobe_XMP_Identifier at https://github.com/InQuest/yara-rules-vt: This signature identifies Adobe Extensible Metadata Platform (XMP) identifiers embedded within files. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. These identifiers can be used to track both malicious and benign graphics within common Microsoft and Adobe document lures.


"C:\Program Files\Bitdefender\Bitdefender Security\wsccommunicator.exe"

Crowdsourced Sigma Rules

- Matches rule File deletion via CMD (via cmdline) by Ariel Millahuel at SOC Prime Threat Detection Marketplace: Detects "cmd" utilization to self-delete files in some critical Windows destinations.

- Matches rule Failed Code Integrity Checks by Thomas Patzke at Sigma Integrated Rule Set (GitHub): Code integrity failures may indicate tampered executables.


"C:\Program Files\Bitdefender\Bitdefender Security\wsccommunicator_ls.exe"

Crowdsourced Sigma Rules

- Matches rule Failed Code Integrity Checks by Thomas Patzke at Sigma Integrated Rule Set (GitHub): Code integrity failures may indicate tampered executables.
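To make concrete why the first YARA match above is a weak signal on its own, here is an added example (not code from this thread, from Bitdefender, or from the ditekSHen ruleset): a small Python scanner that looks for well-known virtual-machine MAC prefixes inside a file, which is what the rule description says the rule keys on. The prefix table and the sample blobs are our own constructions; the real rule's string list is not quoted in the thread. A security product that checks whether it is running inside a VM embeds exactly these strings, so it matches for the same reason an evasive sample would.

```python
import re

# Well-known OUI (first three octets) prefixes of virtual-machine NICs.
# Assumption: the INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb rule itself is not
# quoted in the thread; this table is our own approximation of the kind of
# strings such a rule looks for, not a copy of the rule.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:16:3e": "Xen",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}


def _patterns():
    """Compile each prefix as a case-insensitive byte regex in both ASCII and
    UTF-16LE, mirroring the YARA string modifiers 'ascii wide nocase'."""
    pats = []
    for prefix, vendor in VM_MAC_PREFIXES.items():
        pats.append((prefix, vendor, "ascii",
                     re.compile(re.escape(prefix.encode("ascii")), re.IGNORECASE)))
        pats.append((prefix, vendor, "wide",
                     re.compile(re.escape(prefix.encode("utf-16-le")), re.IGNORECASE)))
    return pats


def find_vm_mac_refs(data: bytes) -> list:
    """Return every VM MAC prefix found in the blob, with its encoding and offset."""
    hits = []
    for prefix, vendor, enc, rx in _patterns():
        for m in rx.finditer(data):
            hits.append({"prefix": prefix, "vendor": vendor,
                         "encoding": enc, "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def triage(data: bytes) -> str:
    """Phrase the hits as what the match actually supports: the file *references*
    VM MAC prefixes. That alone is not a malware verdict."""
    hits = find_vm_mac_refs(data)
    if not hits:
        return "no VM MAC references"
    vendors = ", ".join(sorted({h["vendor"] for h in hits}))
    return f"informational: references VM MAC prefixes ({vendors}); not a malware verdict"


# Constructed test data (not real Bitdefender binaries): a stand-in for a benign,
# VM-aware program that stores one prefix as a UTF-16LE string, as Windows
# binaries usually do, and one as plain ASCII; and a blob with no such strings.
BENIGN_VM_AWARE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "running inside VMware? check 00:50:56".encode("utf-16-le")
    + b"\x00" * 8
    + b"VirtualBox NIC 08:00:27 detected"
)
CLEAN_BLOB = b"MZ\x90\x00" + b"no virtualization strings here" + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in (("benign VM-aware", BENIGN_VM_AWARE), ("clean", CLEAN_BLOB)):
        print(f"{name}: {triage(blob)}")
        for h in find_vm_mac_refs(blob):
            print(f"  {h['prefix']} ({h['vendor']}) as {h['encoding']} at offset {h['offset']}")
```

To check a real file, pass its bytes to `find_vm_mac_refs(open(path, "rb").read())`. The triage line is deliberately worded as "informational": a crowdsourced YARA or Sigma match on VirusTotal describes a property of the file or of its sandbox behaviour, and the same property is shared by plenty of legitimate software, so the match count by itself does not answer the question in the title.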

Answers

  • Gjoksi
    Gjoksi Defender of the month mod
    edited March 2023

    Hello.

    Only the malware researchers at Bitdefender Labs can help you with the issue.

    You should report the file(s) and the VirusTotal link(s) as false positives to Bitdefender Labs here:

    Regards.

  • Scott
    Scott ✭✭✭✭✭
    edited March 2023

    Hi @Joelson

    In general, wsccommunicator is the .exe that communicates with Windows security to give you the green check mark on the Windows shield icon (that the two are syncing together)

    The obk's: the obkche is part of the Safepay module. It looks like, as it says, a clean-up .exe for maybe when you exit out of Safepay? I routinely use the obk.exe to create a desktop shortcut for Safepay.

    And the other, I have in my Program files too, I just haven't had my morning coffee to check into it more :)


    Scott

    All Bitdefender Home Product User Guides: https://www.bitdefender.com/consumer/support/user-guides/ Using BD Antivirus Plus along with Glasswire free.

  • The detection seems to be valid. Even Kaspersky detects the file as malicious.

    https://www.virustotal.com/gui/file/7deeadab4ddb0c0416902267ce5f24f9e450984e662add1c235d988cae3c2a11?nocache=1

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • nalced
    nalced just someone who thinks they have a virus rn

    I see this and I think I have malware, because I seem to have a file that belongs to Norton antivirus, and I don't have it installed, and it is in the wrong location, one that is commonly used by malware, and it has one detection. Would you say I should wait, just do it, or just not?

  • Flexx
    Flexx mod
    edited April 2

    Kindly create a new post since you are replying to a post that is a year old. This post is closed for further comments.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

This discussion has been closed.