Bluteal.B!rfn Malware detected by Windows Defender

This morning two of our machines running Windows Defender found the named virus in the following directory:

C:\Users\judson.xxx.edwards\AppData\Local\BigFix\Enterprise Console\bfconsole.xx.xxx.xxx\judson.edwards\Sites\SCM Reporting\sha1. Sha1 is the name of the possibly infected file. This was on two other machines, not mine, but the same path\directory\file is on my machine.

Simultaneously, when I went to log into my machine I got the error “File error “class FileMoveError” on “C:\Users\judson.xxx.edwards\AppData\Local\BigFix\Enterprise Console\bfconsole.xx.xxx.xxx\judson.edwards” and “C:\Users\judson.xxx.edwards\AppData\Local\BigFix\Enterprise Console\bfconsole.xx.xxx.xxx\judson.edwards”: Windows Error 0x5%: Access is denied.” on my local machine, but I logged in fine on my VM.

Logging in as the administrator does not give that error. Is this a false positive?

Jud

I do believe this is a false positive (https://www.virustotal.com/#/file/c46d7edb3c57053e4c2d66d921602cffd7cd2acd15fb67c2ed7f26cf3f95dbb7/detection) but we will look into this further.


Additionally, I am not running Windows Defender; I am running McAfee, and my file (sha1) does not trigger McAfee. Is there any other information that I could give to help?

Both Windows 7
Both console users
Version 9.5.8.38 Client/Console

Any word on this? These machines have been off since Wednesday. We need to ship them to forensics or whitelist it if it is a false positive.

This is a false positive. We have been distributing this executable for years for use by our Synchronize Custom Checks dashboard. If it matches the below size/sha information, then it is a valid utility that we ship:

q: (name of it, size of it, sha1 of it, sha256 of it) of file "sha1s.exe" of folder "BigFix\Enterprise Console\bfserver\Steve\Sites\SCM Reporting" of folder (value of variable "LOCALAPPDATA" of environment)
A: sha1s.exe, 3222933, 926c7db4340715ca9906fe0460cc492f5f596e20, c46d7edb3c57053e4c2d66d921602cffd7cd2acd15fb67c2ed7f26cf3f95dbb7
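The vendor reply above gives the check in BigFix relevance, which only works where the console or the Fixlet Debugger is installed. The following is an added example, not code from the thread or from BigFix, that performs the same comparison from plain Python so it can be run on an isolated machine or against a copy of the file pulled for forensics: it streams the file once, computes size, SHA-1 and SHA-256, and reports every field that differs from the published values. The published values are copied from the reply; the `sha1s.exe` file written in `self_check()` is a constructed stand-in and is not the real utility, so it is expected to fail the vendor comparison.

```python
import hashlib
import os
import tempfile

# Published values from the vendor reply in this thread (name, size in bytes, SHA-1, SHA-256).
EXPECTED_SHA1S = {
    "name": "sha1s.exe",
    "size": 3222933,
    "sha1": "926c7db4340715ca9906fe0460cc492f5f596e20",
    "sha256": "c46d7edb3c57053e4c2d66d921602cffd7cd2acd15fb67c2ed7f26cf3f95dbb7",
}

FIELDS = ("name", "size", "sha1", "sha256")


def fingerprint(path, chunk_size=1 << 20):
    """Return name, size, SHA-1 and SHA-256 of the file at `path`.

    The file is read once in chunks so a multi-megabyte binary does not have
    to be loaded into memory, and both digests are fed from the same pass.
    """
    sha1 = hashlib.sha1()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {
        "name": os.path.basename(path),
        "size": size,
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def verify(path, expected):
    """Compare the file against a published (name, size, sha1, sha256) record.

    Returns (ok, mismatches) where `mismatches` lists the fields that differ,
    in FIELDS order. The name is compared case-insensitively because Windows
    filenames are; hashes are compared as lowercase hex.
    """
    actual = fingerprint(path)
    mismatches = []
    if actual["name"].lower() != expected["name"].lower():
        mismatches.append("name")
    if actual["size"] != int(expected["size"]):
        mismatches.append("size")
    for algo in ("sha1", "sha256"):
        if actual[algo] != expected[algo].lower():
            mismatches.append(algo)
    return (not mismatches, mismatches)


def self_check():
    """Exercise verify() on a constructed file (not the real sha1s.exe).

    Returns a dict with three results: the file checked against its own
    fingerprint (must pass), against a record with a wrong SHA-1 (must flag
    only 'sha1'), and against the vendor's published record (must flag size
    and both hashes, since the stand-in content is not the shipped binary).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sha1s.exe")
        with open(path, "wb") as fh:
            fh.write(b"constructed stand-in bytes, not the real BigFix utility\n")
        genuine = fingerprint(path)
        tampered = dict(genuine, sha1="0" * 40)
        return {
            "self": verify(path, genuine),
            "tampered": verify(path, tampered),
            "vendor": verify(path, EXPECTED_SHA1S),
        }


if __name__ == "__main__":
    # Typical use on the affected machine: point it at the flagged file.
    # verify(r"C:\Users\<user>\AppData\Local\BigFix\Enterprise Console\...\sha1s.exe", EXPECTED_SHA1S)
    for label, (ok, bad) in self_check().items():
        print(f"{label:9s} ok={ok} mismatches={bad}")
```

A file that matches on all four fields is the utility BigFix ships and can be whitelisted on the engine that flagged it; any mismatch, particularly on SHA-256 with a matching name and size, is the case that should go to forensics rather than be excluded.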

Perfect, we will check and let you know if it is the original file.