topic Re: Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefe in VMware Workstation Pro Discussions

Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefender

intertesting — Sun, 31 Jan 2021 16:18:52 GMT

Hello, yesterday I downloaded and installed Workstation Pro from the official VMWare website and activated the free trial period.

Today Windows Defender, while doing a full system scan, flagged as trojan some files that were in the VMware installation directory (InstallerCache, SetupBrowser and some .cab files, but also EFI32.ROM and 1e1d33.msi). I also have Malwarebytes installed and it didn't flagged any suspicious file. A subsequent scan with Microsoft Safety scanner also showed no infected files.

Is it possible that those files were detected as false positives or should I start to worry about the safety of my system?

(I can add photos with the full scan results if that can help)

Re: Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefe

tjsk — Mon, 01 Feb 2021 06:41:35 GMT

Hi! I have the same issue.

Detection time(UTC time): 1/30/2021 12:00:10 PM Malware file path: containerfile:_C:\Program Files (x86)\Common Files\VMware\InstallerCache\{95096479-66A1-454B-9378-234DF3B31727}.msi;containerfile:_C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM;containerfile:_C:\Windows\Installer\c03c8c.msi;file:_C:\Program Files (x86)\Common Files\VMware\InstallerCache\{95096479-66A1-454B-9378-234DF3B31727}.msi->Workstation.cab->_EFI32.ROM->{20BC8AC9-94D1-4208-AB28-5D673FD73486}->NvmExpressDxe;file:_C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM->{20BC8AC9-

Remediation action: NoAction
Action status: Succeeded

Checked the sha256 4e96fd7b6290fc29d7a0095fadb0fb36daa54c767530d91c55f70c38d88d4747 against virustotal and 26/70 tells malware.

Someone who can tell anything?

Re: Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefe

jmfoottit — Mon, 01 Feb 2021 08:26:41 GMT

I have installed vmware workstation pro on a fresh install of 20H2 win10 pro. I get the same Threat blocked..... VMWare what's the deal here please?

Re: Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefe

scott28tt — Mon, 01 Feb 2021 09:00:08 GMT

@jmfoottit

Note that VMTN is a user community forum, and not an official method of communicating with anyone in particular at VMware.

Re: Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefe

intertesting — Mon, 01 Feb 2021 19:20:07 GMT

Hello @scott28tt , sorry for posting this help request here but I did not know where else to put it in order to get some help from people who definitely know VMware products more than me...

That being said, how could I contact someone from VMware in order to get some help to resolve this issue (or, hopefully, just a confirmation that Defender is seeing these files as a false positive)?

Also, has anybody who has had my same issue found a solution? I tried to scan my system again with both Malwarebytes and Kaspesky and they did not find any thread, but you can never be too sure I guess...

also @tjsk did you managed to find a solution to your problem?

Thanks to anybody who will reply and try to help!

Re: Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefe

GaryF_MAC — Mon, 01 Feb 2021 20:27:07 GMT

In my case Windows Defender found this. Not sure if it's a false positive or not but managed to remove it with Defender and subsequently did 2 more complete scans and seems to be gone now

Program:Win32/Uwasson.A!ml

Affected items:

containerfile: C:\Program Files (x86)\Common Files\VMware\InstallerCache\{F838A98A-9A53-4983-9D1E-134EC757A162}.msi

containerfile: C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM

containerfile: C:\Users\username\AppData\Local\VMware\vmware-download-0454\cdstmp_ws-windows_16.1.0_17198959\VMware-workstation-16.1.0-17198959.exe

However, there are 4 folders with this DIFXAPI.dll file in the Temp directory and these files/folders can't be renamed or deleted even with Admin rights:

1. HICD752.tmp.dir

2. OWAA62C.tmp.dir

3. WGIC9A.tmp.dir

4. ZMH98A2.tmp.dir

Seems as if the installer has been compromised?

Re: Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefe

scott28tt — Mon, 01 Feb 2021 20:57:33 GMT

@intertesting

No need to apologise, I was just making you aware so you have realistic expectations.

The one person I am aware of at VMware who might be able to help is @Mikero

Re: Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefe

tjsk — Tue, 02 Feb 2021 06:10:38 GMT

Windows defender clean up everything @intertesting

My concern is that this is something like solarwinds. And hoped someone from vmware could explain why some many antimalware take the installer of the workstaition like malware?