False Positive in Microsoft Malware Protection

The OID: 1.3.6.1.4.1.25623.1.0.812238 referred with Malware Protection seems to be a false positive to me. I’ve running scan in many different windows hosts with the same characteristic and get the same result

Servers weren’t running Malware Protection as Windows Features (there’s a third partner endpoint running into them) and even if removing winSxS files for windows update, there are still reporting the same vulnerability. So, i don’t need to update the file as mentioned in solution provided.

On the other hand, there are servers with same config without this vulnerability.

Any one has the same issue here?

Hi and thanks for your report.

Please could you share some more details on your observation:

1. The used Windows version
2. The output of the specific plugin

The Malware Protection is a part of Windows Defender which is in turn directly integrated into Windows since Windows Vista/7.

In the case above the VT is checking the version of this Windows integrated engine via the EngineVersion entry of the HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates Registry-Key for a version lower then 1.1.14405.2 (see the output of the mentioned VT).

As this is an integrated part of Windows it shouldn’t matter if any third party endpoint is running on the target system and you still would need to update the Windows Defender to a later version to get this vulnerability fixed.

Please see output. Windows version used is Server 2016 x64 (Please note again we’ve removed the file indicated from both possible origins (WinSxS and Defender folder)

Summary

This host is missing an important security update according to Microsoft Security Updates released for Microsoft Malware Protection Engine dated 12/06/2017

Vulnerability Detection Result

Installed version: 1.1.14306.0 Fixed version: 1.1.14405.2

Impact

Successful exploitation will allow an attacker who successfully exploited this vulnerability to execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then:

• install programs

• view, change, or delete data

• create new accounts with full user rights.

Solution

Solution type: VendorFix

Run the Windows Update to update the malware protection engine to the latest version available. Typically, no action is required as the built-in mechanism for the automatic detection and deployment of updates will apply the update itself.

Affected Software/OS

Windows Defender on

Microsoft Windows 8.1

Microsoft Windows 7 SP1

Microsoft Windows 10 x32/x64

Microsoft Windows Server 2016 x64

Microsoft Windows 10 Version 1511 x32/x64

Microsoft Windows 10 Version 1607 x32/x64

Microsoft Windows 10 Version 1703 x32/x64

Microsoft Windows 10 Version 1709 x32/x64

Vulnerability Insight

Multiple flaws exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption.

Vulnerability Detection Method

Checks if a vulnerable version is present on the target host.

Details: Microsoft Malware Protection Engine on Windows Defender Multiple Remote Code Ex… (OID: 1.3.6.1.4.1.25623.1.0.812238)

Version used: 2019-05-03T12:31:27+0000

References

As previously explained the VT checking for this vulnerability requires that the EngineVersion entry of the HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates Registry-Key is reporting the updated / fixed version mentioned in the related Microsoft advisories for CVE-2017-11937 and CVE-2017-11940.

There is not that much what can be done from VT side if Windows internal files are manually deleted. If you’re sure that this deletion of some files are mitigating this vulnerability you could set an override as explained in Overrides and False Positives.

Thanks for clarify. This is a host issue here as you have noted before the last update (seems to be registry entry wasn’t cleared correctly even removing dll affected)