TMEdit executes (at random) a batch to clean up its own installer from %temp%

1 year 2 weeks ago #289 by Kahuna
There was an issue with the build. I released a new build over the weekend. Please try that and let me know if there is still a problem.

Tim

1 year 3 weeks ago #288 by bendevriese
Hello Tim,

We bought TMEdit and started using it recently.
I love it, but our McAfee EPO anti-virus brought some strange activity to our attention.


Original Message
Subject: McAfee - Alert: 'File' class or access / Suspicious Double File Extension Execution / Exploit Prevention
Importance: High

Detection Date/Time: 11/16/18 01:53:10 UTC
Product: McAfee Endpoint Security 10.6.1.1128
Event: Exploit Prevention Files/Process/Registry violation detected

OS-type: Windows 10
Source ProcessName: SETUP_TMEDIT.EXE

Target FileName: C:\USERS\*******\APPDATA\LOCAL\TEMP\EXE127D.TMP.BAT
Target UserName: SYSTEM

Threat Action Taken: blocked

Threat Severity: Critical

Threat Category: 'File' class or access

Threat Name: Suspicious Double File Extension Execution

Threat Type: Exploit Prevention


TMEdit is installed on that machine (I use this machine as my “admin”-box).
At random, a batch file is executed from my user's %temp% location.
This batch file tries to delete the original TMEdit installer from the temp-directory (Setup_TMEdit.msi).
Here is the code:
@echo off 
ATTRIB -r "\\?\C:\Users\***\AppData\Local\Temp\{3954D~1\SETUP_~1.MSI" 
:try 
del "\\?\C:\Users\***\AppData\Local\Temp\{3954D~1\SETUP_~1.MSI" 
if exist "\\?\C:\Users\***\AppData\Local\Temp\{3954D~1\SETUP_~1.MSI" goto try
ATTRIB -r "C:\Users\***\AppData\Local\Temp\EXE12EC.tmp.bat" 
del "C:\Users\***\AppData\Local\Temp\EXE12EC.tmp.bat" | cls

I checked the scheduled tasks (also in the SYSTEM context), but I can't find a scheduled task that executes this batch file.

Does the TMEdit application itself trigger this batch file?
Can it be removed please? Because our Security department doesn’t like this.

I use TMEdit version 1.2.6.0 (will update to 1.3.0.0 ASAP).

Thank you for this (and all other free) great tool(s)!
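
Added example, not part of the original post and not TMEdit's own code: a Python triage check a responder could run on a batch file like the one quoted above, confirming that it only clears attributes and deletes files under the user's temp directory, itself included. The sample script, the user name `alice`, the short file names and all function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the post's batch; all names are placeholders.
SAMPLE = r'''@echo off
ATTRIB -r "\\?\C:\Users\alice\AppData\Local\Temp\{ABCDE~1\SETUP_~1.MSI"
:try
del "\\?\C:\Users\alice\AppData\Local\Temp\{ABCDE~1\SETUP_~1.MSI"
if exist "\\?\C:\Users\alice\AppData\Local\Temp\{ABCDE~1\SETUP_~1.MSI" goto try
ATTRIB -r "C:\Users\alice\AppData\Local\Temp\EXE0000.tmp.bat"
del "C:\Users\alice\AppData\Local\Temp\EXE0000.tmp.bat" | cls
'''

# The only statements the quoted cleanup stub uses.
ALLOWED = re.compile(r'^(@echo off|:\w+|attrib -r "[^"]+"|del "[^"]+"( \| cls)?'
                     r'|if exist "[^"]+" goto \w+)$', re.I)
QUOTED = re.compile(r'"([^"]+)"')

def norm(path):
    # Drop the \\?\ long-path prefix so both path spellings compare equal.
    return PureWindowsPath(path[4:] if path.startswith("\\\\?\\") else path)

def double_extension(path):
    # Rough stand-in for the naming pattern in the alert, not the vendor's rule.
    s = [x.lower() for x in PureWindowsPath(path).suffixes]
    return len(s) >= 2 and s[-1] in {".bat", ".cmd", ".exe"}

def triage(script_text, script_path, temp_dir):
    """Return findings; an empty list means the script fits the cleanup profile."""
    findings, targets, temp = [], set(), norm(temp_dir)
    for n, line in enumerate(script_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not ALLOWED.match(line):
            findings.append(f"line {n}: unexpected statement: {line}")
        for quoted in QUOTED.findall(line):
            p = norm(quoted)
            if ".." in p.parts or temp not in p.parents:
                findings.append(f"line {n}: path outside temp: {quoted}")
            if line.lower().startswith("del "):
                targets.add(p)
    if norm(script_path) not in targets:
        findings.append("script never deletes itself")
    return findings

if __name__ == "__main__":
    bat = r"C:\Users\alice\AppData\Local\Temp\EXE0000.tmp.bat"
    print(double_extension(bat), triage(SAMPLE, bat, r"C:\Users\alice\AppData\Local\Temp"))
```

An empty findings list only says the script stays within the profile of the batch shown in the post; it does not identify which process wrote or launched it.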
