Windows Defender calls out Applian binaries as PUA of PUADI



cb831
12-28-2021, 03:11 PM
I see once in a while that Defender calls out Applian software as potentially unwanted.

E.g., I just got this:

-------------------
App Quarantined

Detected: PUADIManager:Win32/InstallCore
Status: Quarantined
To remove this app select Actions->Remove. To allow it, select Actions -> Allow.

Date: 2021-12-28 22:30
Details: This program has potentially unwanted behavior.

Affected items
file: D:\Download\RVCSetup7.4.1.exe
-------------------

FileInfo:

-------------------
D:\Download> Get-FileHash .\RVCSetup7.4.1.exe

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          5B74D24A14346A8DD13141DA5B5226E236A6688321B885877A52FBE0BBEB9AC0       D:\Download\RVCSetup7.4.1.exe

-------------------
D:\Download> Get-Item .\RVCSetup7.4.1.exe | fl *


PSPath : Microsoft.PowerShell.Core\FileSystem::D:\Download\RVCSetup7.4.1.exe
PSParentPath : Microsoft.PowerShell.Core\FileSystem::D:\Download
PSChildName : RVCSetup7.4.1.exe
PSDrive : D
PSProvider : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
Mode : -a----
VersionInfo : File: D:\Download\RVCSetup7.4.1.exe
InternalName: SetupRVC
OriginalFilename: suf_launch.exe
FileVersion: 7.4.0.0
FileDescription: Replay Video Capture Setup Application
Product: Replay Video Capture
ProductVersion: 7.0.0.0
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)

BaseName : RVCSetup7.4.1
Target : {}
LinkType :
Name : RVCSetup7.4.1.exe
Length : 21403928
DirectoryName : D:\Download
Directory : D:\Download
IsReadOnly : False
Exists : True
FullName : D:\Download\RVCSetup7.4.1.exe
Extension : .exe
CreationTime : 2015-11-07 15:01:23
CreationTimeUtc : 2015-11-07 14:01:23
LastAccessTime : 2021-12-28 23:07:32
LastAccessTimeUtc : 2021-12-28 22:07:32
LastWriteTime : 2015-11-07 15:01:56
LastWriteTimeUtc : 2015-11-07 14:01:56
Attributes : Archive
-------------------

As you can see, it's a 6+ year old file, making this even weirder.

Any comments?

Thanks
Claus

Cheryl Wester
01-01-2022, 01:50 PM
I use the same Firewall and have not had that reported at all. I am also not getting other reports of this with Windows Defender. I have both version 7 and 8 of our program installed. This is what I would call a false positive.

cb831
01-02-2022, 12:30 PM
I use the same Firewall and have not had that reported at all. I am also not getting other reports of this with Windows Defender. I have both version 7 and 8 of our program installed. This is what I would call a false positive.

Any way to verify that the checksum of my binary is correct?

D:\Download> Get-FileHash .\RVCSetup7.4.1.exe

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          5B74D24A14346A8DD13141DA5B5226E236A6688321B885877A52FBE0BBEB9AC0       D:\Download\RVCSetup7.4.1.exe

http://downloads2.applian.com/prev/RVCSetup7.4.1.exe doesn't seem to exist anymore.

Edit: the URL does exist, but my browser (Edge Chromium) refuses to download it, with this message:
"RVCSetup7.4.1.exe has been blocked as a potentially unwanted app by Microsoft Defender SmartScreen"
which essentially is the same as the original error.
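
Added example, not part of the original thread and not Applian's or Microsoft's own code: one way to approach the checksum question above when no publisher hash is at hand is to check the installer's embedded Authenticode signature alongside its SHA256. The function name `Test-InstallerIntegrity` and the `-ExpectedSha256` value are assumptions; the thread contains no vendor-published hash to compare against.

```powershell
# Added example (hypothetical helper name). Uses only built-in cmdlets:
# Get-Item, Get-FileHash, Get-AuthenticodeSignature.
function Test-InstallerIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA256 obtained from the publisher out of band (assumption: you have one).
        [string] $ExpectedSha256
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Hashes pasted from forums or e-mail often pick up stray spaces
    # (as in the listing above); strip whitespace before comparing.
    $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()

    [pscustomobject]@{
        Path             = $file.FullName
        Sha256           = $hash
        # $null means "nothing to compare against", not "mismatch".
        HashMatches      = if ($expected) { $hash -eq $expected } else { $null }
        # Valid        : file is unchanged since signing and the chain is trusted
        # HashMismatch : file was altered after it was signed
        # NotSigned    : no embedded signature, so only a publisher hash can help
        SignatureStatus  = $sig.Status
        StatusMessage    = $sig.StatusMessage
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignerThumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        # A countersigned timestamp lets the signature outlive the certificate's expiry,
        # which matters for a file as old as the one in this thread.
        Timestamped      = [bool]$sig.TimeStamperCertificate
    }
}

# Usage with the path from the thread; the expected hash is a placeholder.
# Test-InstallerIntegrity -Path 'D:\Download\RVCSetup7.4.1.exe' `
#     -ExpectedSha256 '<SHA256 supplied by the publisher>' | Format-List
```

A `Valid` status with the expected signer shows the file has not been modified since the publisher signed it. It does not settle the PUA question, because that detection concerns the installer's behavior rather than tampering.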