Author Topic: Auslogics Disk Defrag Portable is suddenly malicious?  (Read 1199 times)

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 9,326
Auslogics Disk Defrag Portable is suddenly malicious?
« on: March 11, 2021, 04:59 PM »
I've had a portable .exe of Auslogics Disk Defrag Portable sitting in a folder on my PC for years, and frequently used it. The most recent time I used it a few days ago, out of nowhere Windows Defender marked it as malicious. I went into Windows Security center and told it to allow/restore it, but after I rebooted my computer today for the most recent Windows Update, it's gone! That leads me to two questions:

#1: Is it feasible that this portable app has had some hidden trojan all these years and only now is it being properly picked up by anti-virus scanners, or is it most likely just a sudden false positive? I uploaded the file to Jotti and VirusTotal before it disappeared, and there were several AVs flagging it as malicious. So it's not just Windows Defender acting up. Again, this is a file I've had for years. It's not like I just downloaded a new or updated version that changed the code.

#2: Does anyone know how to restore a file that Windows Defender got rid of? I don't see the usual "allow" or "restore" options in Windows Security. In fact, Windows Security tells me that it failed to remediate the problem. I'm attaching relevant screenshots if it helps to see what I'm seeing.

[Screenshot: Windows Security - Removed or Restored.png]

[Screenshot: Windows Security - Remediation Incomplete.png]

EDIT: Nevermind about #2. I had a backup in my Dropbox folder.
« Last Edit: March 11, 2021, 05:37 PM by Deozaan »

Shades

  • Member
  • Joined in 2006
  • Posts: 2,795
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #1 on: March 11, 2021, 10:34 PM »
A good example for applying the 3-2-1 rule when backing up.

For those unfamiliar with that rule:
You should have 3 copies of your data (your production data and 2 backup copies) on two different media (disk and tape) with one copy off-site for disaster recovery.


And a reasonably interesting blog post on why this rule sucks...  ;)

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 9,326
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #2 on: March 11, 2021, 10:58 PM »
A good example for applying the 3-2-1 rule when backing up.

After I found the backup in my Dropbox folder, I immediately made an extra copy on a thumb drive. I didn't even know 3-2-1 was a thing and I unintentionally started following that strategy after this incident. :Thmbsup:

KodeZwerg

  • Honorary Member
  • Joined in 2018
  • Posts: 627
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #3 on: March 12, 2021, 01:22 AM »
My guess why AntiVirus tools cry: "Portable-Edition" (RarSfx)

Programs that extract programs to run them are in general "bad" for scanning tools.
It looks like Windows Defender does not like your program extras (the *.bpl files, those are Delphi binary packages).

How-To-Fix: Extract the *.exe RAR file and play with the extracted files :-)

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 9,326
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #4 on: March 12, 2021, 11:41 AM »
My guess why AntiVirus tools cry: "Portable-Edition" (RarSfx)

Programs that extract programs to run them are in general "bad" for scanning tools.
It looks like Windows Defender does not like your program extras (the *.bpl files, those are Delphi binary packages).

How-To-Fix: Extract the *.exe RAR file and play with the extracted files :-)

Oh! It makes so much sense now. I didn't realize the RarSfx meant self-extracting RAR. It seems so obvious in retrospect! I extracted the files manually and I see there are some Google Analytics related files. And since there doesn't appear to be any way to turn off analytics in the settings, I deleted the GoogleAnalyticsHelper.dll and GASender.exe, yet the main executable still seems to work just fine without them.

Speaking of the main executable, now when I run the extracted .exe file it opens so much faster!


But those Delphi packages are still causing trouble:

vclie160.bpl on VirusTotal

AxComponentsRTL.bpl on VirusTotal

Most AVs just give them the generic "potentially unwanted" label, which is a pretty good indicator that it's likely a false positive. But one of them specifically labels it as adware/virus, which is a little concerning. However, I don't think I've ever seen a random ad, inside or outside of the application, in all the years I've been using this program. So I think I'll chalk this one down to a false positive until/unless I get more information that convinces me otherwise.

Shades

  • Member
  • Joined in 2006
  • Posts: 2,795
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #5 on: March 12, 2021, 01:17 PM »
To put your mind even more at ease, download and run the following software:
Cure It! from Dr.Web is free to download and run (for private use). On a reasonable system a full checkup lasts about 15 minutes (1 TByte spinning rust disk, about 50% full). Unless it finds malware issues on the system; then it will take longer, depending on how much malware is actually on the system and whether you want the problematic files deleted, moved or cured.

Not a small download (200+ MByte) and nowadays you need to give your mail address, so have a disposable one ready. However, it really is very helpful when you are in need of finding/fixing malware. Usually the downloaded software works for a few days and then it tells you it is out of date.

Instead of downloading new signature files, you will need to download the whole thing again. It also generates a random filename after each download. There is more than enough malware/adware that is aware of file names from software that is able to remove malicious software and/or file names from software that allows you to see what is running in the background (like Process Explorer). The random file name prevents malware/adware from blocking this software.

So, if you have software like Process Explorer on your system and you cannot start it, your system has been infected with malware/adware and you are definitely in need of software like ADWCleaner (free/private use), JRT, RKill and Cure It!.

** edit: additions
« Last Edit: March 12, 2021, 01:53 PM by Shades »

KodeZwerg

  • Honorary Member
  • Joined in 2018
  • Posts: 627
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #6 on: March 12, 2021, 04:02 PM »

1. - Speaking of the main executable, now when I run the extracted .exe file it opens so much faster!
2. - But those Delphi packages are still causing trouble:

1. You are welcome, and sure it does: no need to write stuff to a temp folder, execute it and wait in the background to delete it when done using it (if it works that way).
2. Upload of "Portable-Edition" possible? I could analyze the target and its extra libraries with a debugger.
2a. If I would need to guess again, the bpl files are not the ones that the Delphi compiler produced once; they are compressed somehow.
2b. Or they are compiled with a specific Delphi version (Delphi 7) that has been blacklisted on all major antivirus sites.

KodeZwerg

  • Honorary Member
  • Joined in 2018
  • Posts: 627
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #7 on: March 12, 2021, 04:39 PM »
I have another idea now why the AV cries, by reading what those bpl are made for.

file: vclie160.bpl
Description: WebBrowser Components
was shipped with Delphi version 9 (official name should be Delphi 2009 if I am right)

file: AxComponentsRTL.bpl
is part of Components Package and developed by TweakBit, digitally signed by Auslogics Labs Pty Ltd

My guesses:
vclie160.bpl - can call the internet because it is made for that purpose. There might be blacklisted parts of code due to low-security methods, which in conclusion can be a high risk on your side.
(example: bank accounting, which you would never do with outdated software or software that can act risky)

AxComponentsRTL.bpl - might use code to directly access media. There is good code and outdated (risky) code; since the AV happens to react, I do guess it is outdated.


Another wild guess from reading "digitally signed" = it is digitally outdated. You can check by right-clicking one of those files, opening Properties and looking at the digital signature data.


Warning: Never run Defrag on SSD media! Such software is only made for mechanical hard drives and does harm SSDs!

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 9,326
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #8 on: March 12, 2021, 05:13 PM »
2. - But those Delphi packages are still causing trouble:

2. Upload of "Portable-Edition" possible? I could analyze the target and its extra libraries with a debugger.
2a. If I would need to guess again, the bpl files are not the ones that the Delphi compiler produced once; they are compressed somehow.
2b. Or they are compiled with a specific Delphi version (Delphi 7) that has been blacklisted on all major antivirus sites.

I guess I now have another backup. :D

KodeZwerg

  • Honorary Member
  • Joined in 2018
  • Posts: 627
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #9 on: March 12, 2021, 07:31 PM »
Hmmm, very strange. My system (Windows 10 Pro, latest updates) with internal Windows Defender = nothing.

As long as my AV doesn't yell at me, what to do?

Maybe this updated version works better for you? (I do hope that English text is included, downloaded from a German server)

At the end it is the same, just up to date, new GUI and stuff....

Auslogics Disk Defrag Portable Version 10.0.0.4 is appended.

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 9,326
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #10 on: March 15, 2021, 07:25 PM »
Auslogics Disk Defrag Portable Version 10.0.0.4 is appended.

I uploaded your attached version to Jotti and VirusTotal and got a few hits still:

https://virusscan.jo...lescanjob/gspf2cgyyy
https://www.virustot...259c7b95a9/detection

KodeZwerg

  • Honorary Member
  • Joined in 2018
  • Posts: 627
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #11 on: March 15, 2021, 07:55 PM »
I uploaded your attached version to Jotti and VirusTotal and got a few hits still:
Just to be sure I now bought a Kaspersky license, re-downloaded from here, ran it locally = no virus warning popped up.

Either you or Auslogics may get in contact with Dr.Web and GData to adjust their result.
(Both claim it is "unwanted", not that it is a virus, BTW.)

More I can not do for you, so sorry!

@mouser, please act by deciding to delete my post with the appended file on your own judgement. I do not want to infect the world with "unwanted" things; I like to stay safe here. However you judge, it is fully okay with me, love ya  :-*

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 9,326
Re: Auslogics Disk Defrag Portable is suddenly malicious?
« Reply #12 on: March 16, 2021, 02:33 AM »
Thanks for helping investigate the problem. I think it's probably just false positives. :)