Microsoft Defender falsely reports Trojans on Dell computers (March 2, 2022)

Sicherheit (Pexels, allgemeine Nutzung)[German]It looks like Microsoft Defender under Windows is falsely reporting a Trojan. Affected are probably systems from Dell, where the DellSupportAssistRemediationService is criticized. This is delivered with Dell computers via their SupportAssist. After a blog reader informed me about the issue, I include the available information here in the blog.


Reader report about Defender false alarm

German blog reader Martin B. contacted me a few hours ago via emailand pointed out that there seems to be a false positive in Microsoft Defender. He wrote:


MS Defender probably detects a trojan on Dell laptops, but it seems to be the DellSupportAssistRemediationService. I found this also on Reddit after the problem occurred in our system.

Thanks to Martin for pointing out this possible false alarm from Microsoft Defender, which is standard on Windows.

Also reports at

If you go searching on the web for the terms "DellSupportAssistRemediationService Defender", you should see this few hours old thread listed at

"CryptoStealBTC" and DellSupportAssistRemedationService.exe


We run Dell Latitude Laptops with Defender ATP and started getting alerts a few hours ago.

All the Alerts are for "CryptoStealBTC" Malware was prevented.

The alert history, we always see this "DellSupportAssistRemediationService.exe" interacting with a Inetcache file on disk volume shadow copy…

Looks to be a false positive?

Anyone else seeing this?

Defender: "CryptoStealBTC" and DellSupportAssistRemedationService.exe

A CryptoStealBTC Trojan is reported and sent to quarantine. The affected person still posted the above screenshot (can be enlarged by clicking on it). In the thread, several affected people confirm that this Defender false positive occurs on their Dell systems as well. In addition, a link to this forum post was posted, where the problem is also described.


Dell Support assist installing MalWare

Has anyone had reports of this? was informed we needed to start removing support assist due to MalWare, but the only articles i can find on it are from last year.

These hits were also confirmed by other users in this thread. It seems that a signature file for Microsoft Defender distributed on March 2, 2022, has the file DellSupportAssistRemediationService.exe located in the directory:

C:\Program Files\Dell\SARemediation\agent\

incorrectly classifies it as a Trojan. Martin sent me a link to this thread at There, a Trojan finding is also discussed and located with Dell devices and one participant writes:

Do you have Dell support assist installed? It looks like defender is flagging the Dell Support Remediation service under

C:\Program Files\Dell\SARemediation\agent\DellSupportAssistRemediationService.exe

Browsing through the hits in various posts, the finding occurs on various Dell computers. Assuming that the offending Dell file was not compromised via a supply chain attack, this only suggests a Defender false positive.

Most Dell PCs running Windows 10 will have SupportAssist installed. Dell says, this is a technology that keeps everything running smoothly on the PC. The feature can remove viruses, detect problems, tweak settings and alert the user when updates need to be made. My guess is that the Dell SupportAssist Remediation Service is part of this technology and runs as a recovery service right along with Windows.

This SupportAssist is always good for problems according to my research. A good 8 months ago there was this forum post at Kaspersky. Someone there writes that whenever "DellSupportAssistRemediationService" tries to create a backup, Kaspersky identifies a high risk trojan and tries to delete that file.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *