VMware Communities
intertesting
Contributor

Workstation Pro 16.1 identified as Trojan Win32/Ymacco.AA32 and Win32/Ymacco.AA0F by WindowsDefender

Hello, yesterday I downloaded and installed Workstation Pro from the official VMware website and activated the free trial period.

Today Windows Defender, while doing a full system scan, flagged as trojan some files that were in the VMware installation directory (InstallerCache, SetupBrowser and some .cab files, but also EFI32.ROM and 1e1d33.msi). I also have Malwarebytes installed and it didn't flag any suspicious file. A subsequent scan with Microsoft Safety Scanner also showed no infected files.

Is it possible that those files were detected as false positives or should I start to worry about the safety of my system?

(I can add photos with the full scan results if that can help)

7 Replies
tjsk
Contributor

Hi! I have the same issue.

Detection time (UTC time): 1/30/2021 12:00:10 PM
Malware file path: containerfile:_C:\Program Files (x86)\Common Files\VMware\InstallerCache\{95096479-66A1-454B-9378-234DF3B31727}.msi;containerfile:_C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM;containerfile:_C:\Windows\Installer\c03c8c.msi;file:_C:\Program Files (x86)\Common Files\VMware\InstallerCache\{95096479-66A1-454B-9378-234DF3B31727}.msi->Workstation.cab->_EFI32.ROM->{20BC8AC9-94D1-4208-AB28-5D673FD73486}->NvmExpressDxe;file:_C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM->{20BC8AC9-

Remediation action: NoAction
Action status: Succeeded

Checked the SHA-256 4e96fd7b6290fc29d7a0095fadb0fb36daa54c767530d91c55f70c38d88d4747 against VirusTotal and 26/70 say malware.

Someone who can tell anything?


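An added example (not from any poster in this thread): a small Python parser for the Defender "Malware file path" field quoted above. It splits the field into container files and the nested member chain (msi -> cab -> ROM -> EFI driver) that Defender descended into, and hashes any top-level file present on disk so the SHA-256 can be compared against a VirusTotal lookup or the vendor's published checksum. The sample string is constructed from the paths in that post.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DetectedItem:
    kind: str                 # "containerfile" or "file"
    path: str                 # top-level path on disk
    members: List[str] = field(default_factory=list)  # nested hops inside the container, outermost first


def parse_malware_file_path(value: str) -> List[DetectedItem]:
    """Split Defender's 'Malware file path' value into records.
    Entries are ';'-separated; each is 'kind:_path', optionally followed by '->member'
    hops naming the archive/ROM members Defender unpacked to reach the flagged object."""
    items = []
    for entry in value.split(";"):
        m = re.match(r"^(\w+):_?(.*)$", entry.strip())
        if not m:
            continue          # skip empty or truncated fragments
        kind, rest = m.groups()
        hops = rest.split("->")
        items.append(DetectedItem(kind, hops[0], [h.lstrip("_") for h in hops[1:]]))
    return items


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> Optional[str]:
    """Hash a file in chunks; None when it is not present on this machine."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_report(items: List[DetectedItem]) -> Dict[str, Optional[str]]:
    """One SHA-256 per distinct top-level path, for comparison with VirusTotal or vendor checksums."""
    return {p: sha256_of(p) for p in sorted({i.path for i in items})}


# Constructed sample modelled on the log pasted above (paths taken from that post).
SAMPLE = (r"containerfile:_C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM;"
          r"file:_C:\Program Files (x86)\Common Files\VMware\InstallerCache\{95096479-66A1-454B-9378-234DF3B31727}.msi"
          r"->Workstation.cab->_EFI32.ROM->{20BC8AC9-94D1-4208-AB28-5D673FD73486}->NvmExpressDxe")

if __name__ == "__main__":
    for item in parse_malware_file_path(SAMPLE):
        print(item.kind, item.path, " -> ".join(item.members))
    print(hash_report(parse_malware_file_path(SAMPLE)))
```

On a Windows host where the flagged paths exist, `hash_report` returns the hashes to compare; elsewhere it reports `None` for each path.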
jmfoottit
Contributor

I have installed VMware Workstation Pro on a fresh install of 20H2 Win10 Pro. I get the same "Threat blocked"..... VMware, what's the deal here please?


scott28tt
VMware Employee

@jmfoottit 

Note that VMTN is a user community forum, and not an official method of communicating with anyone in particular at VMware.


Although I am a VMware employee I contribute to VMware Communities voluntarily (i.e. not in any official capacity)
VMware Training & Certification blog
intertesting
Contributor

Hello @scott28tt , sorry for posting this help request here but I did not know where else to put it in order to get some help from people who definitely know VMware products more than me...

That being said, how could I contact someone from VMware in order to get some help to resolve this issue (or, hopefully, just a confirmation that Defender is seeing these files as a false positive)?

Also, has anybody who has had my same issue found a solution? I tried to scan my system again with both Malwarebytes and Kaspersky and they did not find any threat, but you can never be too sure I guess...

Also @tjsk, did you manage to find a solution to your problem?

Thanks to anybody who will reply and try to help!

GaryF_MAC
Contributor

In my case Windows Defender found this. Not sure if it's a false positive or not, but I managed to remove it with Defender and subsequently did 2 more complete scans, and it seems to be gone now.

Program:Win32/Uwasson.A!ml

Affected items:

containerfile: C:\Program Files (x86)\Common Files\VMware\InstallerCache\{F838A98A-9A53-4983-9D1E-134EC757A162}.msi

containerfile: C:\Program Files (x86)\VMware\VMware Workstation\x64\EFI32.ROM

containerfile: C:\Users\username\AppData\Local\VMware\vmware-download-0454\cdstmp_ws-windows_16.1.0_17198959\VMware-workstation-16.1.0-17198959.exe

However, there are 4 folders with this DIFXAPI.dll file in the Temp directory and these files/folders can't be renamed or deleted even with Admin rights:

1. HICD752.tmp.dir

2. OWAA62C.tmp.dir

3. WGIC9A.tmp.dir

4. ZMH98A2.tmp.dir

Seems as if the installer has been compromised?

scott28tt
VMware Employee

@intertesting 

No need to apologise, I was just making you aware so you have realistic expectations.

The one person I am aware of at VMware who might be able to help is @Mikero 

tjsk
Contributor

Windows Defender cleaned up everything @intertesting 

My concern is that this is something like SolarWinds. And I hoped someone from VMware could explain why so many anti-malware products take the Workstation installer for malware?
