{"id":6887,"date":"2018-09-08T00:35:57","date_gmt":"2018-09-07T22:35:57","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=6887"},"modified":"2019-01-07T19:38:09","modified_gmt":"2019-01-07T18:38:09","slug":"windows-defender-reports-osk-exe-as-malware","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/09\/08\/windows-defender-reports-osk-exe-as-malware\/","title":{"rendered":"Windows Defender reports osk.exe as malware"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/09\/07\/windows-defender-meldet-osk-exe-als-trojaner\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]A curious story that German blog reader Paul B. just told me about. Windows Defender triggers a false alarm on a Windows native file, reporting a Trojan Win32.AccessibilityEscalation.<\/p>\n<p><!--more--><\/p>\n<p>Paul wrote in a private e-mail that he has observed strange behavior of Windows Defender since the last signature update. I've translated the text below:<\/p>\n<blockquote><p>After today's update of the virus signatures for the Defender KB2267602 it detects the \"osk.exe\" from Microsoft, found in the \\system32 directory, as Trojan infected.<\/p>\n<p>This is the \"On Screen Keyboard\", Windows' own on-screen keyboard.<\/p>\n<p>Fun with Microsoft!<\/p><\/blockquote>\n<p><img decoding=\"async\" title=\"Defender-Fehlalarm\" src=\"https:\/\/i.imgur.com\/U68niYt.jpg\" alt=\"Defender-Fehlalarm\" \/><\/p>\n<p>The above screenshot is proof; it shows the Windows Defender notification. Searching the internet didn't reveal other people affected. 
Microsoft included a detection for the malware <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Behavior%3AWin32%2FAccessibilityEscalation.A\" target=\"_blank\" rel=\"noopener\">Win32\/AccessibilityEscalation.A<\/a> in Defender:<\/p>\n<blockquote><p>This generic detection for suspicious behaviors is designed to catch potentially malicious files. If you downloaded a file or received it through email, ensure that it is from a reliable source before opening it.<\/p><\/blockquote>\n<p>My German blog readers could not confirm that \u2013 but shortly after publishing the German edition of this article, another reader left <a href=\"https:\/\/www.borncity.com\/blog\/2018\/09\/07\/windows-defender-meldet-osk-exe-als-trojaner\/#comment-62343\" target=\"_blank\" rel=\"noopener\">this comment<\/a>. He observed similar behavior from his Defender.<\/p>\n<h2>Addendum: It's by design<\/h2>\n<p>It's not a false alarm. Microsoft's malware scan engine will trigger a <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Behavior%3AWin32%2FAccessibilityEscalation.A\" target=\"_blank\" rel=\"noopener\">Win32\/AccessibilityEscalation.A<\/a> alert if a system file (like <em>utilman.exe<\/em>) has been manipulated. Such manipulations are used in the <em>utilman.exe<\/em> hack to obtain admin rights on a locked Windows system (see my blog post <a href=\"https:\/\/borncity.com\/win\/2016\/12\/09\/activate-build-in-administrator-account-in-windows-ii\/\" rel=\"bookmark\">Activate Build-in Administrator account in Windows \u2013 II<\/a> and <a href=\"https:\/\/www.technibble.com\/bypass-windows-logons-utilman\/\" target=\"_blank\" rel=\"noopener\">this article<\/a> for instance). 
Since August\/September 2018 those hacks no longer work if Microsoft's Defender or Microsoft Security Essentials is running.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A curious story that German blog reader Paul B. just told me about. Windows Defender triggers a false alarm on a Windows native file, reporting a Trojan Win32.AccessibilityEscalation.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[773,194],"class_list":["post-6887","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-defender","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/6887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=6887"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/6887\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=6887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=6887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=6887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}