Microsoft Security Essentials Detection

ComAsic
Joined: 26 Feb 12
Posts: 3
Credit: 1491809
RAC: 0
Topic 196310

Hi, I just wanted to raise awareness of a possible conflict with MSE (Microsoft Security Essentials) and an Einstein_S6LV1_1.13_windows_intelx86_SSE2.exe file BOINC downloaded on (28/4/2012) and attempted to run on (4/5/2012).
Application: Gravitational Wave S6 LineVeto search 1.13 (SSE2)

MSE Reports: Security Essentials detected items on your PC that it doesn't recognize. By sending the files listed below, you can help Microsoft analysts determine whether these items are malicious.

While I don't believe that there is a major problem with nasty hidden surprises in the code, I would like to check with the good fellows in the forums.

Has anyone else had a sample submission request made by MSE on this file? Or by any other malware / security detection tools?

The full path to the file is reported as:
C:\ProgramData\BONIC\projects\einstein.phy.uwm.edu\einstein_S6LV1_1.13_windows_intelx86_SSE2.exe

Obviously something in the code it objects to.

If Microsoft decide it may contain a nasty bit of code, even though it may not be malicious (a false positive), it will soon start to cause some annoying popups from MSE and other security detection tools.

In the meantime I'll move the .exe file out to a safe location and download it again. Run a few other tools on it and see what happens.

Anyone from the Einstein project itself feel like looking into this or passing comment?

Regards
COMAsic

Edit: Addition of log content
Log file reports:
28/04/2012 04:28:59 | Einstein@Home | Started download of einstein_S6LV1_1.13_windows_intelx86__SSE2.exe
28/04/2012 04:29:30 | Einstein@Home | Finished download of einstein_S6LV1_1.13_windows_intelx86__SSE2.exe
.
.
.
04/05/2012 00:45:14 | Einstein@Home | Starting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 00:45:29 | Einstein@Home | Started upload of LATeah2457A_96.0_3500_-2.6e-11_1_0
04/05/2012 00:45:29 | Einstein@Home | Started upload of LATeah2457A_96.0_3500_-2.6e-11_1_1
04/05/2012 00:45:31 | Einstein@Home | Finished upload of LATeah2457A_96.0_3500_-2.6e-11_1_0
04/05/2012 00:45:31 | Einstein@Home | Finished upload of LATeah2457A_96.0_3500_-2.6e-11_1_1
04/05/2012 01:13:23 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 01:36:22 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 01:58:22 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 02:26:28 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 02:48:24 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 03:21:30 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 03:54:14 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 04:18:11 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 04:40:45 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 04:42:55 | | Project communication failed: attempting access to reference site
04/05/2012 04:42:57 | | Internet access OK - project servers may be temporarily down.
04/05/2012 04:57:33 | | Project communication failed: attempting access to reference site
04/05/2012 04:57:35 | | Internet access OK - project servers may be temporarily down.
04/05/2012 05:05:18 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 05:31:09 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 05:55:24 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 06:28:23 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 07:03:20 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 07:25:07 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 07:37:25 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 08:10:28 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 08:49:28 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 09:16:38 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 09:49:50 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 10:11:50 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 10:40:43 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 11:02:34 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 11:35:21 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 12:24:29 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 12:50:38 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 13:13:40 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 13:35:41 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 13:45:40 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 14:23:43 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 15:00:36 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 15:22:36 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 15:51:26 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 16:22:32 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 16:58:29 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 17:32:20 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 18:05:13 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 18:38:15 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 19:06:22 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 19:39:30 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 20:12:09 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 21:09:06 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 22:18:05 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 22:51:02 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 23:16:06 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
04/05/2012 23:38:05 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 00:02:08 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 00:23:57 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 00:33:07 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 00:45:35 | Einstein@Home | Sending scheduler request: To report completed tasks.
05/05/2012 00:45:35 | Einstein@Home | Reporting 1 completed tasks, not requesting new tasks
05/05/2012 00:45:38 | Einstein@Home | Scheduler request completed
05/05/2012 01:00:18 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 01:32:19 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 01:54:09 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 02:19:04 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 02:37:36 | | Project communication failed: attempting access to reference site
05/05/2012 02:37:39 | | Internet access OK - project servers may be temporarily down.
05/05/2012 05:48:09 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 06:50:02 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 08:01:29 | Einstein@Home | Restarting task h1_0241.55_S6GC1__719_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 08:10:34 | Einstein@Home | Computation for task h1_0241.55_S6GC1__719_S6LV1B_0 finished
05/05/2012 08:10:36 | Einstein@Home | Started upload of h1_0241.55_S6GC1__719_S6LV1B_0_0
05/05/2012 08:10:40 | Einstein@Home | Finished upload of h1_0241.55_S6GC1__719_S6LV1B_0_0
05/05/2012 09:14:38 | Einstein@Home | Starting task h1_0241.55_S6GC1__711_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 09:54:43 | Einstein@Home | Restarting task h1_0241.55_S6GC1__711_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 11:01:26 | Einstein@Home | Restarting task h1_0241.55_S6GC1__711_S6LV1B_0 using einstein_S6LV1 version 113
05/05/2012 11:30:34 | Einstein@Home | Restarting task h1_0241.55_S6GC1__711_S6LV1B_0 using einstein_S6LV1 version 113

Richard Haselgrove
Joined: 10 Dec 05
Posts: 2143
Credit: 2976551093
RAC: 784338

Quote:
Hi, I just wanted to raise awareness of a possible conflict with MSE (Microsoft Security Essentials) and an Einstein_S6LV1_1.13_windows_intelx86_SSE2.exe file BOINC downloaded on (28/4/2012) and attempted to run on (4/5/2012).


That's curious. The file on my system has a slightly different name from yours.

Yours:
[pre]v
Einstein_S6LV1_1.13_windows_intelx86_SSE2.exe
einstein_S6LV1_1.13_windows_intelx86__SSE2.exe
                                     ^[/pre]
Mine:

I've submitted my copy to https://www.virustotal.com/, but it seems to be running slow today - I'll post any response I get later.

ComAsic
Joined: 26 Feb 12
Posts: 3
Credit: 1491809
RAC: 0

Richard,

Yes you are very correct, in my haste to post I capitalised the first letter and missed the second underline. I should have used cut and paste but it's on a different machine. Thank you for your keen eye for detail as this is always welcome and a good thing.

I will update the post.
It should be
v
einstein_S6LV1_1.13_windows_intelx86__SSE2.exe
^

I'm just running tests with various tools against the exe file now. It may be that MSE (Microsoft Security Essentials) had not encountered a particular sequence of code and prompted me to submit the file as a precaution. MSE did not report it as a positive when re-tested; it just initially made a request to send a copy back to Microsoft for analysis.
As MSE works on a principle of accumulation from several sources before making a positive report and making it an official nasty, I don't think it's going to flag up in many tools unless more people are prompted to submit the file by MSE.

I have also just checked using your link to Virus Total (good link by the way).

Your analysis gave a detection ratio of 0/40; it looks clean based on 40 or so other tests.

I have submitted my copy of the file and will re-analyse it.

Thank you for the feedback.

Regards
COM Asic

Richard Haselgrove
Joined: 10 Dec 05
Posts: 2143
Credit: 2976551093
RAC: 784338

It didn't take much of an eye - I just saw that I had tasks from the same application on this system, copied your filename, and was surprised when a search of client_state.xml didn't find a match. I assumed it was probably just a manual transcription problem, but it's always a good idea to check back for reassurance. The file checks clean locally here, as well as that 0/40 online report.

ComAsic
Joined: 26 Feb 12
Posts: 3
Credit: 1491809
RAC: 0

Richard,

Just got the result back from www.VirusTotal.com on my copy of the .exe.

All clear, 0/40 result. So it just looks like MSE (Microsoft Security Essentials) was collecting data on the file that it had not seen before.

So I'll treat this as a clean file for now.

I would still like anyone who gets an MSE (Microsoft Security Essentials) popup
stating:

MSE Reports: Security Essentials detected items on your PC that it doesn't recognize. By sending the files listed below, you can help Microsoft analysts determine whether these items are malicious.

to reply to the post, so that should it get a high interest from Microsoft, it does get marked as a false positive if someone looks it up.

But for now I thank you for your feedback and assistance.
I'll keep crunching the units and see what happens over time...

Regards
COM Asic

Donald A. Tevault
Joined: 17 Feb 06
Posts: 439
Credit: 73516529
RAC: 0

Yeah, I got the same message a few days ago.

Nobody316
Joined: 14 Jan 13
Posts: 141
Credit: 2008126
RAC: 0

If I understand right with what Microsoft is trying to do with cutting down the pirate copies of Windows you just might start seeing a lot more like this...

PC setup MSI-970A-G46 AMD FX-8350 8 core OC'd 4.45GHz 16GB ram PC3-10700 Geforce GTX 650Ti Windows 7 x64 Einstein@Home
