Malwarebytes Reports Exploit


Wererommel

Posted

I have been using Vortex on the PC for years. Today, when I attempted to boot it up, Malwarebytes shut it down and gave me this report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 5/5/21
Protection Event Time: 5:15 PM
Log File: 1fd4ab38-ae00-11eb-af45-b06ebf84830d.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1273
Update Package Version: 1.0.40149
License: Premium

-System Information-
OS: Windows 10 (Build 19042.928)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NonInteractive -InputFormat None -Command Get-AuthenticodeSignature 'C:\Users\[Name]\AppData\Local\Vortex\pending\temp-vortex-setup-1.4.12.exe' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([system.Text.Encoding]::UTF8.GetBytes($_)) }, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Vortex
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NonInteractive -InputFormat None -Command Get-AuthenticodeSignature 'C:\Users\[name]\AppData\Local\Vortex\pending\temp-vortex-setup-1.4.12.exe' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([system.Text.Encoding]::UTF8.GetBytes($_)) }
URL:



(end)

Apparently, it thinks the start-up program in the Pending folder is some kind of exploit. I had this problem before, but wrote an exclusion for the virus checker. This time, there was a different startup program in the folder, and it was detected as malware. I then attempted to write an exclusion for the entire folder, but no luck. Whatever is generated there gets detected as malware.
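The command line in the report above is worth reading before deciding whether the block is a false positive: the child process runs Get-AuthenticodeSignature on the pending updater, turns the result into compact JSON, and Base64-encodes that JSON so the parent process can read it back. The following PowerShell is an added example, not part of this post and not Vortex's own code, that runs the same pipeline against a file path you choose (the default path, the variable names and the output fields are my assumptions) and then decodes the Base64 again, so you can see exactly what data such a child process produces when you triage an "Exploit payload process blocked" event.

```powershell
# Added example: reproduce the blocked child command and decode its output.
# Assumption: any Authenticode-signed file works as input; notepad.exe is only a default.
param(
    [string]$Path = "$env:SystemRoot\System32\notepad.exe"
)

# Same pipeline as the command line in the Malwarebytes log:
# signature object -> compact JSON -> UTF-8 bytes -> Base64 string
$encoded = Get-AuthenticodeSignature -FilePath $Path |
    ConvertTo-Json -Compress |
    ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }

# Reverse it: Base64 -> UTF-8 JSON -> object (what the calling application does on its side)
$json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encoded))
$sig  = $json | ConvertFrom-Json

# ConvertTo-Json serialises the Status enum as an integer, so cast it back to a readable name
$status = [System.Management.Automation.SignatureStatus]$sig.Status

# The fields a defender checks during triage: who signed the file and whether the signature is valid
[pscustomobject]@{
    Path       = $Path
    Status     = $status
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    Base64Len  = $encoded.Length
}
```

Running this on the pending updater shows whether the signature is Valid and which certificate signed it; the pipeline itself only reads a file and prints an encoded string, which is why the detection is triggered by the parent application spawning PowerShell (Application Behavior Protection), not by anything found in the file, and a file or folder exclusion alone does not address it.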

Posted

Some more information:

The boot file, temp-vortex-setup-1.4.12.exe, is marked Run As Administrator. I had actually started Vortex as Administrator some months ago, but quickly realized my mistake and removed the Administrator flag. However, I cannot remove it from the boot file. There is nothing to uncheck in Properties; it was never checked. I have tried checking and unchecking it, but nothing works. Deleting the boot file doesn't help; Vortex just generates a new file, also marked Administrator.

Just today, I tried running it in Test mode under the Compatibility tab in Properties. That worked. I saved the settings and ran it again, and it still worked, even though the Administrator icon is still there.

Posted

The Vortex *installer* is run as admin because it installs into the write-protected c:\program files. That is expected. Vortex itself doesn't need to run as admin because for the most part it only reads from write-protected directories.

The installer has been virus checked by over 60 virus scanners (through virustotal.com) and none found a problem.
