topic Absolute Software CTES - Multiple alerts - Variant Lazy in Endpoint Security

Absolute Software CTES - Multiple alerts - Variant Lazy

kelvin ortega — Mon, 02 Jun 2025 14:41:33 GMT

Hi everyone,

Had multiple machines alerting for Absolute Software CTES files:

Names: CtGeoPrvPackage.zip, GEO_Windows-GEO-1.0.13.6

SHA256: dcadf2ca20756544ac8a007a1da94e6f932770558128658280a5ece2828791da

Name: abwfscnEx.dll

SHA256: b3c1247951b553e062a3038d886562d5c80ff96abed729fb73524f3341a18931

All of this comming from the path: C:\ProgramData\CTES\

Detectión: Gen:Variant.Lazy

I'm pretty sure this is a false positive but I've had a look and cant find any information anywhere yet cause I think its quite recent, just wanted to check in and see if anyone else has experienced the same?

Cheers!

Re: Absolute Software CTES - Multiple alerts - Variant Lazy

Roman Valenta — Mon, 02 Jun 2025 19:16:08 GMT

Hi Kevin,

What engine is detecting this FP? Just navigate to the Event page then pivot to Device Trajectory and look under right side for the event details which engine complaints about this.

Then you can either exclude the files but preferably open TAC case and let us handle the detection directly. If it is true FP we will fix the disposition on our end.

FYI: the two SHA256 seem to be non malicious based on my quick search.

1: dcadf2ca20756544ac8a007a1da94e6f932770558128658280a5ece2828791da

VirusTotal Detections:6/66
ClamAV: Not Detected
TETRA: Not Detected
Sophos: Not Detected
McAfee: Not Detected
File Name: CtGeoPrvPackage.zip
File Size: 2,945 KB
File Type: ZIP
File Magic: Zip archive data, at least v2.0 to extract, compression method=deflate
First Seen: 2025-06-02 03:53:26 UTC
Last Scanned: 2025-06-02 17:30:43 UTC
threatgrid.com Threat Score: 66
Sample ID: 71425efb187c075c6a77fdfb6d46b495
File Size: 4,961 KB
File Magic: PE32 executable (console) Intel 80386, for MS Windows
Last Analyzed: 2025-06-02 17:36:03 UTC
threatgrid.eu No report returned.
threatgrid.ca No report returned.
threatgrid.com.au No report returned.
Talos Intel No report returned.
AMP Cloud NA Disposition: Unknown
EU Disposition: Unknown
APJC Disposition: Unknown
Threat Metascore: 43 ~ File appears to be benign << ----------

2: b3c1247951b553e062a3038d886562d5c80ff96abed729fb73524f3341a18931

VirusTotal Detections: 0/72
ClamAV: Not Detected
TETRA: Not Detected
Sophos: Not Detected
McAfee: Not Detected
File Name: ProviderHost
File Size: 863 KB
File Type: Win32 EXE
File Magic: PE32 executable (console) Intel 80386, for MS Windows
Absolute Software Corp. Expires: 10:15 PM 12/19/2027
SSL.com EV Code Signing Intermediate CA RSA R3 Expires: 05:44 PM 03/22/2034
SSL.com EV Root Certification Authority RSA R2 Expires: 06:14 PM 05/30/2042
Product Name: ProviderHost
Product Version: 1.0.0.3619
First Seen: 2025-03-05 09:29:44 UTC
Last Scanned: 2025-05-12 14:11:17 UTC
threatgrid.com Threat Score: 25
Sample ID: 5d3b4990ceacd70262f40ea92c866c2c
File Size: 863 KB
File Magic: PE32 executable (console) Intel 80386, for MS Windows
Last Analyzed: 2025-06-02 15:01:12 UTC
threatgrid.eu Threat Score: 24
Sample ID: 1e94b3660e74ff8c76d7fde59ece2684
File Size: 863 KB
File Magic: PE32 executable (console) Intel 80386, for MS Windows
Last Analyzed: 2025-05-19 07:07:06 UTC
threatgrid.ca No report returned.
threatgrid.com.au No report returned.
Talos Intel No report returned.
AMP Cloud NA Disposition: Unknown
EU Disposition: Unknown
APJC Disposition: Unknown
Threat Metascore: 25 ~ File appears to be benign << ----------

Re: Absolute Software CTES - Multiple alerts - Variant Lazy

kelvin ortega — Mon, 02 Jun 2025 18:35:59 GMT

Hi Roman

This events are Detected by the Tetra engines.

I've already opened a TAC case, awaiting a response.

Thank you for your comments, I will wait for the TAC's resolution.

Re: Absolute Software CTES - Multiple alerts - Variant Lazy

Roman Valenta — Mon, 02 Jun 2025 19:18:23 GMT

Sounds good If this is Tetra engine then it will be handled by our Internal Talos Team. TAC will just need the samples if you didn't provide them yet.

Re: Absolute Software CTES - Multiple alerts - Variant Lazy

Francis Skibicki III — Mon, 16 Jun 2025 21:30:33 GMT

Did you ever figure out anything with this? Seems to me, that Cisco is catching the fact these outdated CTES agents have a CVE. However I am not finding how to update the CTES.

Re: Absolute Software CTES - Multiple alerts - Variant Lazy

kelvin ortega — Thu, 03 Jul 2025 19:04:24 GMT

Hi Francis, Cisco passed the sample to TALOS and they confirmed it's a Falpos, and the signature was updated. However, some Absolute files are still pending, because now I'm seeing detections for NTAgent.exe. If it continues the same, I'll file another case to have the signature updated.

Re: Absolute Software CTES - Multiple alerts - Variant Lazy

Francis Skibicki III — Mon, 07 Jul 2025 15:24:42 GMT

Yes I have been seeing the same. Thanks for the update, I have just been Whitelisting for now.