[German]Users of Windows seem to have been startled in the last few weeks by false alarms from Windows Defender. Defender suddenly believed to have detected the Trojan Win32/Bluteal.B!rfn in regular files.
Advertising
First reports end of May 2018
In recent days, several users have reported false alarms on the forums of Bleeping Computer and other websites such as Tom's Hardware. For Tom's hardware, a user writes on June 1, 2018:
So yesterday Windows Defender notified me saying it found Bluteal.B!rfn trojan which I got it to quarantine and then remove. I couldn't find a lot of info after googling the trojan so decided to hopefully get some advice here.
I received the notification about the trojan when I was loading up Unity and Visual Studio, it said that the affected file was:C:\Windows\assembly\NativeImages_v4.0.30319_32
\Microsoft.Vde5ed89a#\457b4a4c20bed2246e03f1f9e5eaa1a5
\Microsoft.VisualStudio.Utilities.Internal.ni.dllCould Windows Defender be getting confused and it's just a false positive? I thought I had read somewhere that Windows Defender is okay for protection these days but maybe I should go back to Avast or Avira?
I've run a scan with Malware Bytes and a standard scan with Windows Defender but should I use something else to do a deeper scan if this was in fact a legit trojan? I've since made sure to update Windows 10 in case that has any part of this.
In the Technet forum there is this tread, which was started on June 1, 2018. A Trojan was also reported there in the Visual Studio component. The case is confirmed in this forum thread by several users. The developer community has already had this thread since May 31, 2018, which indicates the case.
Report at Bleeping Computer
At Bleeping Computer there is a forum post from a user reporting possible false alerts of Trojan:Win32/Bluteal.B!rfn in Windows Defender. Lawrence Abrams addressed this within this article. Windows Defender flags the following file, which is a legit Windows file.
C:\Windows\assembly\NativeImages_v4.0.30319_64
\Microsoft.C26a36d2b#\daf01e12fa59ed340363c44b7deff15e\
Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll
(Source: Bleeping Computer)
Advertising
Also at Microsoft Answers there is this thread where a user reported sporadic false alerts from Windows Defender.
been getting this trojan message through windows 10 defender periodically today which gets quarantined by defender. malewarebytes, microsoft safety scanner and adwcleaner do not find anything, is Trojan:Win32/Bluteal.B!rfn a false positive by windows 10 defender
At reddit.com there is this thread just started a few day ago, dealing also with the false alarm that file Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll is a trojan. Microsoft created a page about Trojan:Win32/Bluteal.B!rfn on May 18, 2018 (seems the date, where the definition is added to Defender).
I'm assuming it's a false alarm. There is no official statement from Microsoft. However, Microsoft has confirmed a false alarm to Bleeping Computer. It is recommended to check for new Defender updates. Then the problem should be solved. Were any of you concerned?
they removed and corrected the false detection when i submitted through their file submission website.
https://www.mountaincomputers.org/myBlog/myBlog.asp?mode=view&id=992
this blog entry has my details and suggestions for developers… especially if your code is fine until you renew your code signing certificate.