I received reports from users that the Microsoft Edge browser has been installing the mysterious files bgaupdate.exe and bgaupsell.exe for quite some time. While these were not functional until now, something seems to have changed with Edge 116. Hints from readers mention bloatware and malware. I'll try to gather the information I have on this.
A first reader report
My readers brought the topic to my attention over the last few days. In this German comment, blog reader Thorky informed me about it and wrote:
Since updating to 116, Edge suddenly wants two files shared in the firewall, bgaupdate.exe and bgaupsell.exe:
I uploaded the files to VirusTotal, there they are without malware findings. But what are their tasks?
I answered there that bgaupdate.exe belongs to the "Microsoft Bing Service 2.0", but has been without function until now (see also the German article at Computerbase). It is speculated that the service ensures that people also get their Bing wallpapers. For bgaupsell.exe, some users write that it is malware. Later Thorky also wrote:
Both files were saved at almost the same time. Meanwhile, the bgaupdate.exe disappeared without my intervention. I only got rid of the bgaupsell.exe when I sent it to ThisIsMyFile. The process had to be terminated first.
My impression: It is also from Microsoft. It would be quite a coincidence, if within a few minutes two files with almost identical names log into the firewall, but only one of them is kosher.
It is also astonishing that these file(s) have been around for a year, but yesterday they reported to me actively for the first time. Since they were blocked immediately, they had no internet connection.
Later he added: In the meantime there's a new Edge update, but no successor files have been installed so far.
Another reader report
In addition, Fabio from Switzerland contacted me by mail a few hours later because he also wondered about the files and wrote:
BGAUpsell.exe newly arrived on my system today.
Have you read about something like this?
Does this mean anything to you? BingUpdate stuff? Strange that it goes to an IP that is malicious when you click there.
I noticed it because of Glasswire.com software:
Fabio sent me the screenshot above, which shows the first network activity. He also had the file checked on hybrid-analysis.com and VirusTotal. There you get the hint that it might be spyware or that the file is malicious, but the probability is not very high (one scanner out of 70 on VirusTotal). The explanations on the linked hybrid-analysis page are especially worth reading.
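The same questions the readers raise (who signed the files, are they running, did they get a firewall rule) can be checked locally. The following PowerShell triage is an added example, not something from the reader reports or from Microsoft; the search roots are assumptions, since the reports do not say where Edge places the files.

```powershell
# Added example: local triage for the two file names discussed in this article.
# Assumption: the search roots are guesses; the reports give no install path.
$names = 'bgaupdate.exe', 'bgaupsell.exe'
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# 1. Locate the files and record creation time, Authenticode status, signer and hash.
$found = Get-ChildItem -Path $roots -Include $names -File -Recurse -Force -ErrorAction SilentlyContinue
$report = foreach ($file in $found) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    [pscustomobject]@{
        Path      = $file.FullName
        Created   = $file.CreationTime
        SigStatus = $sig.Status                     # 'Valid' = intact signature, trusted chain
        Signer    = $sig.SignerCertificate.Subject  # empty when the file is unsigned
        SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-List

# 2. Is either binary currently running, and from which path?
Get-Process -Name ($names -replace '\.exe$') -ErrorAction SilentlyContinue |
    Select-Object Name, Id, Path, StartTime

# 3. Windows Defender Firewall rules that reference either program.
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -and ($names -contains (Split-Path $_.Program -Leaf)) } |
    ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Enabled   = $rule.Enabled
            Direction = $rule.Direction
            Action    = $rule.Action
            Program   = $_.Program
        }
    }
```

The SHA256 value can be looked up on VirusTotal without uploading the file again; a name match alone proves nothing, so the signer and signature status are what tie a file to its publisher.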
Bringing more light into the matter
There was another hint on August 25, 2023 by HugBunter0815 in this comment, where he wrote the following:
Well, Microsoft is also actively fighting Chrome again right now, this time also with its own adware […] Turned up on my own today, […]
He also posted some links (see the following notes) and referred to a corresponding YouTube video. According to the video, the file BGAUPsell.exe belongs to the "Microsoft Bing 2.0 Service", is rolled out for Windows 10 and 11 and is supposed to increase the security of Bing because it makes it SHA 2.0 capable. In addition, the module displays notifications (about Bing or AI-powered Bing) in Chrome, uses the Microsoft API, and acts as a security update for Bing.
Mentions on the internet
Through HugBunter0815's comment, including the links, and my own research, I then found sites on the Internet where the topic is addressed.
Discussion on reddit.com
HugBunter0815 referred in his comment to the reddit.com post BGAUpsell – what is this bing popup? where the following popup was shown:
Thus, it is the pop-up that is displayed to set up Bing as a search engine in Windows – the typical annoying pop-up from Microsoft – so the classification as adware or malware is justified.
This German-language reddit.com post also addresses the program. In the Microsoft Answers forum, someone asked how to get rid of it as early as April 2023. One should assume that it keeps arriving on Windows 10/11 systems via update (with Edge).
Isn't this a textbook definition of malware? MS inserts stuff into software that's not theirs. What is Google going to do? They have a 100% legal case here.
According to:
https://www.windowslatest.com/2023/08/29/microsoft-pulls-bing-ads-targeting-google-chrome-on-windows-11-after-outrage/
The ad campaign has been withdrawn now.
@microfix
Thanks for the update and link.