Suspicious behaviour Aurora.exe

Nige · 2024-01-29T11:23:24+00:00

There was an error rendering this rich post.

Hi there,

I have been using Project Aurora (RGB utility) for some months without issue.

Recently, Bitdefender started to flag up Suspicious Behaviour involving explorer.exe and Aurora.exe and then ‘disinfects’, which completely breaks the Aurora installation.

I can consistently reproduce the issue. If I copy and paste anything anywhere on the system when Aurora.exe is running, then the Suspicious behaviour issue flags up.

I’m certain aurora.exe is not infected. I have scanned its .exe using Bitdefender and MalwareBytes and it’s reported clean. I have submitted the file to Bitdefender as a False Postivie, but not heard back yet.

Does anyone have any technical explanation as to why this is happening?

Thanks.

Find more posts tagged with

Comments

Flexx

https://community.bitdefender.com/en/discussion/98613/suspicious-behaviour-aurora-exe

@Alexandru_BD Can you check if any requests related to the same have been sent to malware researchers and if there is any update on this?

Also, I would like to inform you that whether a file is malicious or not is confirmed only after a maximum of 72 hours. This is the maximum time during which malware researchers analyze the file. It may take more or less time to analyze the file.

Also, when I checked the complete software on VirusTotal, none of the antimalware programs flagged it as malicious. Below is the VirusTotal link for the complete software:

https://www.virustotal.com/gui/file/951c99285ad5416fbede4a459866af3e5bfc773a80f4b49668c5532eb9bf7645

This indicates that it must have been the behavior blocker that detected the file as malicious, which will not be shown in the normal scan by Bitdefender.

Regards.

Nige

Thanks for your reply.

It has been less than 72 hours since I reported the issue to Bitdefender, so I shall wait and see.

Alexandru_BD

Hello @Nige,

Did you get a ticket number for your inquiry? I can't seem to find a recent ticket when searching using your email address. I have noticed that no security vendors flagged this file as malicious, including Bitdefender, based on the virustotal link above. But then again, they might have whitelisted it already. Can you try again and perhaps add an exception for the aurora.exe file in the Advanced Threat Defense security module? Here are the steps to do this:

https://www.bitdefender.com/consumer/support/answer/2393/

Thanks.

Alex

Nige

Thanks for your reply.

I did Submit the form. My browser remember all the answers I put in the other day.

I just repeated the process. When I click the Submit button, the form just refreshes to blank. No error or confirmation. That was using Edge browser. I just repeated the same using the Chrome browser and the same happened.

You may want to check with your web guys that the form is working properly!

I just got an email confirmation, so probably your form isn't working in Edge but does work in Chrome.

I also just got this error when tried to post the link to the form that I used.

Flexx

https://community.bitdefender.com/en/discussion/comment/334162#Comment_334162

This is not an issue with the forum. Since you are a new user, you will not be allowed to post links due to the default forum settings. I have promoted you to level 2 now. Kindly check if you are able to post the links or not.

Secondly, it's not your browser that remembers the comment. It's another default Bitdefender forum setting that stores your non-submitted comment in drafts. You can remove the stored draft by clicking on your icon at the top right and then clicking on 'Drafts' to remove the respective comment from there.

@Alexandru_BD any thing to add here

Regards

Nige

Thanks for the reply and the promotion.

It still remains that when I submitted the form using Edge, then the form wasn’t submitted at all, but at least now I know that this is an issue.

Alexandru_BD

Nothing to add here, you've explained it well @Flexx.

@Nige I confirm the sample was successfully sent to our laboratories. The case was last updated yesterday afternoon. Not sure exactly what happened with the form during submission. I think clearing cache & cookies should normally resolve the error.

Regards,

Alex

Nige

22 days later. Not heard anything at all about the file I submitted.

What;s the usual timeline for this kind of thing?

Nige

I suspect that my current subscription for Bitdefender will have expired and I will have switched to another AV provider before I get any response to the file I submitted 26 days ago.

It seems that Bitdefender has gone that way of many other AV companies: As the primary product becomes increasingly bloated and overly-complex the price goes up and customer service goes down.

Alexandru_BD

Hello @Nige,

Please send a follow up message on the Support case and ask for an update. Certainly, there has to be a good reason behind this delay. I'm unsure if your subscription has expired yet, but you can check this by accessing your Central account or the Bitdefender app. The validity is displayed in both platforms.

Regards,

Alex

Nige

140 days remaining on my subscription. There’s a very good chance that it will end before these issues are solved.

It’s not great customer service is it? The customer has to chase for an update on what may be a serious issue.

My faith in Bitdefender and its products is virtually nil at the moment.

Alexandru_BD

Hello @Nige,

Your inquiry has been further escalated to Tier 3 technical and this means an investigation is being carried out by the engineering teams. The task is no longer in the hands of customer service, thus they are not the ones in charge of the fix, but they will communicate the resolution to you as soon as the developers complete the troubleshooting process. I think it's important to mention that the task at hand is no longer related to your initial inquiry concerning the Aurora.exe utility, as based on my findings this request has been addressed in a different case/file submission.

Your latest inquiry has to do with the antivirus settings not being preserved between system restarts and this is something the developers could reproduce during internal testing for the most recent builds 27.0.30.135 and 27.0.30.136. This being said, the debugging process is ongoing and we are expecting a fix soon.

Regards,

Alex

Alexandru_BD

fyi

https://community.bitdefender.com/en/discussion/comment/335364#Comment_335364

Nige

@Alexandru_BD

Thanks for at least trying to clarify the issue.

”the task at hand is no longer related to your initial query”

What does that mean? All I was expecting was a yes/no answer (i.e. it’s a false positive or not).

When I refer to “customer service” I mean the responsiveness and thoroughness of a company’s dealings with customer issues in general. I was not referring to a specific department. First line response staff are not responsible for management decisions on how to deal with customer. Management needs to ensure that communication between senior techs and first line support is as good as it possibly can be and that first line support are communicating with customers promptly and comprehensively. Overall, I find Bitdefender communication is poor and has been getting worse of late.

To be fair, in the past comms were better than they have been recently. Even the repeated holding responses (“we’re still working on it”) are better than nothing.

Ok, so of the 2 issues I recently reported, the false positive report is now a “task in hand no longer related” to my original query. Do I take that to mean that the aurora.exe flag was a false positive, or not?

The second query looks like it’s been a known issue since at least November 2023 (according to the link you posted). So why didn’t first line support respond to my initial report with “this is a known issue and we’re working on it”?

It doesn’t matter how technically skilled your back-end staff are and how robust your product is if your customer support offer is poor and your communications are lacking in promptness and clarity. Customers like me will get to the point where the overall offer just doesn’t cut it and move to a different product which offers better support.

Alexandru_BD

Hi,

You are most welcome!

Is Aurora.exe working as expected now? If yes, the detection was a false positive which has been corrected. Based on my findings, that case has been resolved on January 31. I don't have visibility to the Labs' findings, but I think it was a false positive by the looks of it.

Since the security researchers receive quite a large number of samples on a daily basis, Labs proceed with the analysis, but they don't reply on the submissions. There should be an automated message that informs users who submit samples regarding this. However, this process is likely to change in the next quarter. The usual resolution timeframe for fp/fn sample analysis is 72 hours and users can check later to see if the detection has been removed or not. The Labs are not part of the Support teams and the samples are sent directly to them. If detection stays, it's usually for good reasons.

it’s been a known issue since at least November 2023 - This is incorrect, the issue you have reported on the ticket no. 1009052813 manifested itself after the latest update 27.0.30.136. For this, a hotfix will be released soon. Maybe the agent that took your case wanted to make sure the behavior you have encountered was not caused by something else, so they followed the standard procedure. Only after you submitted the logs, the case was linked with the known issue.

Regards,

Alex

Nige

@Alexandru_BD

Thanks again for the reply.

Aurora was always working as expected. It's Bitdefender's detection that's in question!

I added Aurora as an exception but it was the behaviour that Bitdefender flagged, not the actual .exe In fact, Bitdefender also flagged up a couple of Windows systems processes. I was copying and pasting text while Aurora was active that triggered Bitdefender.

Ok, I'll take your word for it that scan settings not being saved between reboots is a new issue, but the thread that you linked to explicitly mentioned (in November 2023) an issue with BD saving scan settings after a reboot. Also that thread that you linked to specifically mentions a fix has been released. Maybe you can see where the confusion arose here.

Good communication can resolve many a confusion. Poor comms leads to more issues.

Alexandru_BD

Hi @Nige,

Yes, there are a couple of threads on the forum regarding the scan settings issue and these were posted just recently:

https://community.bitdefender.com/en/discussion/98888/bitdefender-not-keeping-scheduled-scan

https://community.bitdefender.com/en/discussion/98938/bd-is-update-custom-scans-disappear-settings-reset-automatically

I still have to check if there are any updates here, as far as I know the situation is still under investigation.

Regards,

Alex