topic Retrospective Detections for DevHome files in Endpoint Security

Retrospective Detections for DevHome files

ARB65 — Sat, 25 May 2024 21:16:11 GMT

Anybody else getting retrospective detections for these files? They are created by legitimate svchost.exe

Looks like they must be components of Dev Home

Dev Home for Windows Developers | Microsoft Learn

DevHome.RegistryPreview.exe
47f2ecbbc1f812b63042c8b0a1132956e8fd3ebad3296b8fd4e65f89d5b1cdd5

File full path:

c:\program files\windowsapps\microsoft.windows.devhome_0.1401.505.0_x64__8wekyb3d8bbwe\devhome.registrypreview.exe

DevHome.EnvironmentVariables.exe
c22d299aadceb1c008c1feeb2a94ec9d7c9af537f21506fbc6dde91107a2ae20

File full path: c:\program files\windowsapps\microsoft.windows.devhome_0.1401.505.0_x64__8wekyb3d8bbwe\devhome.environmentvariables.exe

Re: Retrospective Detections for DevHome files

Ken Stieers — Sat, 25 May 2024 21:31:32 GMT

I am not currently, but my dev guys may not have it..

For a quick fix you can set these file to allowed.

Submit the Sha256 for each file to Talosintelligence.com so they can figure out what is marking them and possibly fix it.

Re: Retrospective Detections for DevHome files

ARB65 — Sat, 25 May 2024 21:37:32 GMT

I did but I got an automated close response saying they'd already been submitted.

I opened the TAC case

Re: Retrospective Detections for DevHome files

EricHatt — Sun, 26 May 2024 02:25:17 GMT

I’m seeing them too. Assumed false positive but the ThreatGrid Indicators aren’t ones we can ignore until Cisco confirms or not. Hoping to receive another routine “Known False Positive” email from them soon.

Re: Retrospective Detections for DevHome files

hanculak — Sun, 26 May 2024 09:32:38 GMT

I am seeing CSE retrospectively quarantining these files from MS DevHome app:

DevHome.EnvironmentVariables.exe - c22d299aadceb1c008c1feeb2a94ec9d7c9af537f21506fbc6dde91107a2ae20
DevHome.HostsFileEditor.exe - 7628f84be0ca01762351718d01af3a9c5e7b44ea40508173c53cb178be8d2ee9
DevHome.RegistryPreview.exe - 47f2ecbbc1f812b63042c8b0a1132956e8fd3ebad3296b8fd4e65f89d5b1cdd5

VT check says that there are only 2 detections for these files (Google, ClamAV)
These are parts of new 0.14 version which included those files from PowerToy:
"Utilities are now in Dev Home, including Hosts File Editor, Registry Preview, and Environment Variables editor from PowerToys. (#2795)"
https://github.com/microsoft/devhome/releases/tag/v0.1401.505.0

Seems like a False Positive to me.

Re: Retrospective Detections for DevHome files

MidwestCyber — Sun, 26 May 2024 11:11:11 GMT

100 new detections this morning

Re: Retrospective Detections for DevHome files

gresco-amp — Sun, 26 May 2024 13:53:15 GMT

Had the same detection yesterday.

Re: Retrospective Detections for DevHome files

ARB65 — Sun, 26 May 2024 14:15:40 GMT

When I spoke to the engineer for my TAC case he said TALOS would not be reviewing these until Monday. When I told him that was unacceptable due to the type of files being detected he submitted them to TALOS as high priority to get them to be reviewed sooner. I would suggest you do the same if you are getting these detections.

Re: Retrospective Detections for DevHome files

Roman Valenta — Mon, 27 May 2024 16:32:49 GMT

Yes there was incident over the weekend, TALSO already rectified these on Sunday so there shouldn't be more incidents.

These 6 files were flagged by Secure Malware Analytics. After review, we determined that they are all benign, and was actually flagged piggybacking ClamAV detection. The cloud dispositions have been reverted back to 'unknown.' And we went ahead and removed the ClamAV detection as well.

c22d299aadceb1c008c1feeb2a94ec9d7c9af537f21506fbc6dde91107a2ae20
47f2ecbbc1f812b63042c8b0a1132956e8fd3ebad3296b8fd4e65f89d5b1cdd5
7557d33ec129946d026caa456e3480d01d44b637abbbc0a92bbf4d023c214273
726d06e31ffadc0ebb5eb196b8337d21e102f298e8f32e42978ccda29e4272da
7628f84be0ca01762351718d01af3a9c5e7b44ea40508173c53cb178be8d2ee9
b74d7d744e5a91b285e34b4b5359803d2bf46da18dbe3747aaf1dd1e4be34a41

How ever they might be other. So far I was able to collect this list The last 5 are new that were just submit for review.

849f5e35c3e4da91815655ee0008f460abfd62ed6ed82f1d86c60ac1030e6fb3 Pas.WebApi.exe
33f59d71810ca02406d550732b1909cf652a3fd574847829271f2e4339117fbd parallelsclient.exe
f45504fd5ce917e6c7b18ad1a02dd7161f4acd48083b68f458bc97cd2b1ee6ba Veradigm.PartnerPortal.Api.exe
672d756a15fb144b8cbbc4a0e64dfaed62f6e00cd32423a39148a584a13b40d4 ConsoleApp2.exe
e12308ab1846b1ae4403fe62fa803cf7c96b6848b5e64e16468c8591109e248c payload.vsix
c22d299aadceb1c008c1feeb2a94ec9d7c9af537f21506fbc6dde91107a2ae20 DevHome.EnvironmentVariables.exe
47f2ecbbc1f812b63042c8b0a1132956e8fd3ebad3296b8fd4e65f89d5b1cdd5 DevHome.RegistryPreview.exe
7557d33ec129946d026caa456e3480d01d44b637abbbc0a92bbf4d023c214273 dotnet-apphost-pack-6.0.30-win-x64.msi
726d06e31ffadc0ebb5eb196b8337d21e102f298e8f32e42978ccda29e4272da dotnet-apphost-pack-7.0.19-win-x64.ms
7628f84be0ca01762351718d01af3a9c5e7b44ea40508173c53cb178be8d2ee9 DevHome.HostsFileEditor.exe

NEW reported on 05/27

I suspect these other 5 files are generated using dotnet so most likely related to the main event.

849f5e35c3e4da91815655ee0008f460abfd62ed6ed82f1d86c60ac1030e6fb3 Pas.WebApi.exe 33f59d71810ca02406d550732b1909cf652a3fd574847829271f2e4339117fbd parallelsclient.exe f45504fd5ce917e6c7b18ad1a02dd7161f4acd48083b68f458bc97cd2b1ee6ba Veradigm.PartnerPortal.Api.exe 672d756a15fb144b8cbbc4a0e64dfaed62f6e00cd32423a39148a584a13b40d4 ConsoleApp2.exe e12308ab1846b1ae4403fe62fa803cf7c96b6848b5e64e16468c8591109e248c payload.vsix

Hope this help...

Re: Retrospective Detections for DevHome files

DaphneG — Mon, 27 May 2024 17:08:05 GMT

The disposition for the following 5 hashes have already been updated to "Unknown."

849f5e35c3e4da91815655ee0008f460abfd62ed6ed82f1d86c60ac1030e6fb3 Pas.WebApi.exe 33f59d71810ca02406d550732b1909cf652a3fd574847829271f2e4339117fbd parallelsclient.exe f45504fd5ce917e6c7b18ad1a02dd7161f4acd48083b68f458bc97cd2b1ee6ba Veradigm.PartnerPortal.Api.exe 672d756a15fb144b8cbbc4a0e64dfaed62f6e00cd32423a39148a584a13b40d4 ConsoleApp2.exe e12308ab1846b1ae4403fe62fa803cf7c96b6848b5e64e16468c8591109e248c payload.vsix

Re: Retrospective Detections for DevHome files

Roman Valenta — Mon, 27 May 2024 19:20:56 GMT

Adding 6 more new one identified and already rectified as well.

abd7293f22247cbee87e176e61d366d0aa52e623473e9fd045b1e4a22c24f5a1
cacc4a48f9ca12940ea7cd6660d548978b5a40656c28321bedcca60d35b03dfe
b76acc53d2cc28f51291fad5b82a1bcbc519518ba8c5daa6af6bd0ac3a74f6ee
76a618bf49e8238dad4cd993b0358b76a751e205c44489c015b9853f22f169a0
fdf33cb9b86d3b50cfb40096738e7d9aef9565a585a3e40d9d6a003b4cb3b58f
80f9f1f0108bca538aed1dcd0a7aedcbec89b3ff44c50e03ac7b01ea75cf53f8