Microsoft Defender falsely reports Trojans on Dell computers (March 2, 2022)

[German] It looks like Microsoft Defender under Windows is falsely reporting a Trojan. Affected are probably Dell systems, where the DellSupportAssistRemediationService is flagged. This service is delivered with Dell computers as part of their SupportAssist. After a blog reader informed me about the issue, I am collecting the available information here in the blog.



Reader report about Defender false alarm

German blog reader Martin B. contacted me a few hours ago via email and pointed out that there seems to be a false positive in Microsoft Defender. He wrote:

Hello,

MS Defender probably detects a trojan on Dell laptops, but it seems to be the DellSupportAssistRemediationService. I found this also on Reddit after the problem occurred in our system.

Thanks to Martin for pointing out this possible false alarm from Microsoft Defender, which is installed by default on Windows.

Also reports at reddit.com

If you search the web for the terms "DellSupportAssistRemediationService Defender", you should see this thread at reddit.com, which is only a few hours old, listed.

"CryptoStealBTC" and DellSupportAssistRemedationService.exe

Hi,

We run Dell Latitude Laptops with Defender ATP and started getting alerts a few hours ago.

All the Alerts are for "CryptoStealBTC" Malware was prevented.

The alert history, we always see this "DellSupportAssistRemediationService.exe" interacting with an Inetcache file on disk volume shadow copy…

Looks to be a false positive?

Anyone else seeing this?

Defender: "CryptoStealBTC" and DellSupportAssistRemedationService.exe

A CryptoStealBTC Trojan is reported and sent to quarantine. The affected user also posted the screenshot above (click to enlarge). In the thread, several affected people confirm that this Defender false positive occurs on their Dell systems as well. In addition, a link to this reddit.com forum post was shared, where the problem is also described.



Dell Support assist installing MalWare

Has anyone had reports of this? I was informed we needed to start removing Support Assist due to malware, but the only articles I can find on it are from last year.

These hits were also confirmed by other users in this thread. It seems that a signature file for Microsoft Defender distributed on March 2, 2022, incorrectly classifies the file DellSupportAssistRemediationService.exe, located in the directory

C:\Program Files\Dell\SARemediation\agent\

as a Trojan. Martin sent me a link to this thread at reddit.com. There, a Trojan finding on Dell devices is also discussed, and one participant writes:

Do you have Dell support assist installed? It looks like defender is flagging the Dell Support Remediation service under

C:\Program Files\Dell\SARemediation\agent\DellSupportAssistRemediationService.exe

Browsing through the hits in various reddit.com posts, the finding occurs on a variety of Dell computers. Assuming that the Dell file in question was not compromised via a supply chain attack, this points to a Defender false positive.
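As an added example (not code from the blog post, from Dell or from Microsoft), these are the checks an administrator could run in PowerShell on an affected machine before treating the detection as a false positive: verify the flagged binary's Authenticode signature and hash, then read what Defender itself recorded. The cmdlets are Windows' built-in Defender and signature cmdlets; running as Administrator and the 'Dell' signer pattern are assumptions.

```powershell
# Added example, not from the blog post. Assumptions: run in an elevated
# PowerShell on the affected Dell machine; the Defender module cmdlets are
# available; the signer pattern 'Dell' is an assumption to compare against
# the real certificate subject shown in the output.

$Path = 'C:\Program Files\Dell\SARemediation\agent\DellSupportAssistRemediationService.exe'
$ExpectedSignerPattern = 'Dell'   # assumption: verify against the actual subject

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "File not found: $Path (already quarantined? see Get-MpThreat below)"
} else {
    # 1. Authenticode check: an unsigned or tampered file would point toward a
    #    real compromise rather than a bad signature update.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        Status  = $sig.Status            # 'Valid' is what a genuine Dell binary should show
        Subject = $sig.SignerCertificate.Subject
        Thumb   = $sig.SignerCertificate.Thumbprint
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } | Format-List

    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch $ExpectedSignerPattern) {
        Write-Warning 'Signature invalid or signer does not look like Dell: treat as suspicious, not as a false positive.'
    }
}

# 2. What Defender actually detected, and which signature version was active.
Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated

Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'DellSupportAssistRemediationService' } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# 3. Map the ThreatID to its name (e.g. the "CryptoStealBTC" name from the reports).
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID
```

Only if the signature is valid and the signer is Dell does it make sense to wait for a corrected signature update or restore the quarantined file; otherwise the detection deserves a real investigation.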

Most Dell PCs running Windows 10 will have SupportAssist installed. Dell says this is a technology that keeps everything running smoothly on the PC. The feature can remove viruses, detect problems, tweak settings and alert the user when updates need to be made. My guess is that the Dell SupportAssist Remediation Service is part of this technology and runs as a recovery service alongside Windows.

According to my research, this SupportAssist has a history of causing problems. A good 8 months ago there was this forum post at Kaspersky. Someone there writes that whenever "DellSupportAssistRemediationService" tries to create a backup, Kaspersky identifies a high-risk Trojan and tries to delete that file.


This entry was posted in Security, Windows.