Hello, yesterday I downloaded and installed Workstation Pro from the official VMware website and activated the free trial period.
Today Windows Defender, while doing a full system scan, flagged some files in the VMware installation directory as a trojan (InstallerCache, SetupBrowser and some .cab files, but also EFI32.ROM and 1e1d33.msi). I also have Malwarebytes installed and it didn't flag any suspicious file. A subsequent scan with Microsoft Safety Scanner also showed no infected files.
Is it possible that those files were detected as false positives or should I start to worry about the safety of my system?
(I can add photos with the full scan results if that can help)
Hi! I have the same issue.
Detection time(UTC time): 1/30/2021 12:00:10 PM Malware file path: containerfile:_C:\Program Files (x86)\Common Files\VMware\InstallerCache\{95096479-66A1-454B-9378-234DF3B31727}.msi;containerfile:_C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM;containerfile:_C:\Windows\Installer\c03c8c.msi;file:_C:\Program Files (x86)\Common Files\VMware\InstallerCache\{95096479-66A1-454B-9378-234DF3B31727}.msi->Workstation.cab->_EFI32.ROM->{20BC8AC9-94D1-4208-AB28-5D673FD73486}->NvmExpressDxe;file:_C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM->{20BC8AC9-
Remediation action: NoAction
Action status: Succeeded
Checked the sha256 4e96fd7b6290fc29d7a0095fadb0fb36daa54c767530d91c55f70c38d88d4747 against virustotal and 26/70 tells malware.
Someone who can tell anything?
I have installed VMware Workstation Pro on a fresh install of Win10 Pro 20H2. I get the same "Threat blocked"..... VMware, what's the deal here please?
Note that VMTN is a user community forum, and not an official method of communicating with anyone in particular at VMware.
Hello @scott28tt, sorry for posting this help request here, but I did not know where else to put it in order to get some help from people who definitely know VMware products better than me...
That being said, how could I contact someone from VMware in order to get some help to resolve this issue (or, hopefully, just a confirmation that Defender is seeing these files as a false positive)?
Also, has anybody who has had the same issue found a solution? I tried to scan my system again with both Malwarebytes and Kaspersky and they did not find any threat, but you can never be too sure I guess...
Also @tjsk, did you manage to find a solution to your problem?
Thanks to anybody who will reply and try to help!
In my case Windows Defender found this. Not sure if it's a false positive or not, but I managed to remove it with Defender and subsequently did 2 more complete scans, and it seems to be gone now.
Program:Win32/Uwasson.A!ml
Affected items:
containerfile: C:\Program Files (x86)\Common Files\VMware\InstallerCache\{F838A98A-9A53-4983-9D1E-134EC757A162}.msi
containerfile: C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM
containerfile: C:\Users\username\AppData\Local\VMware\vmware-download-0454\cdstmp_ws-windows_16.1.0_17198959\VMware-workstation-16.1.0-17198959.exe
However, there are 4 folders with this DIFXAPI.dll file in the Temp directory, and these files/folders can't be renamed or deleted even with admin rights:
1. HICD752.tmp.dir
2. OWAA62C.tmp.dir
3. WGIC9A.tmp.dir
4. ZMH98A2.tmp.dir
Seems as if the installer has been compromised?
No need to apologise, I was just making you aware so you have realistic expectations.
The one person I am aware of at VMware who might be able to help is @Mikero
Windows Defender cleaned up everything @intertesting
My concern is that this is something like SolarWinds. I hoped someone from VMware could explain why so many anti-malware products treat the Workstation installer as malware.