TMEdit executes (at random) a batch to clean up its own installer from %temp%

1 year 10 months ago #289 by Kahuna
There was an issue with the build. I released a new build over the weekend. Please try that and let me know if there is still a problem.



1 year 10 months ago #288 by bendevriese
Hello Tim,

We bought TMEdit and started using it recently.
I love it, but our McAfee EPO anti-virus brought some strange activity to our attention.

Original Message
Subject: McAfee - Alert: 'File' class or access / Suspicious Double File Extension Execution / Exploit Prevention
Importance: High

Detection Date/Time: 11/16/18 01:53:10 UTC
Product: McAfee Endpoint Security
Event: Exploit Prevention Files/Process/Registry violation detected

OS-type: Windows 10
Source ProcessName: SETUP_TMEDIT.EXE

Target UserName: SYSTEM

Threat Action Taken: blocked

Threat Severity: Critical

Threat Category: 'File' class or access

Threat Name: Suspicious Double File Extension Execution

Threat Type: Exploit Prevention

TMEdit is installed on that machine (I use this machine as my “admin” box).
At random, a batch file is executed from my user's %temp% location.
This batch file tries to delete the original TMEdit installer from the temp-directory (Setup_TMEdit.msi).
Here is the code:
@echo off 
ATTRIB -r "\\?\C:\Users\***\AppData\Local\Temp\{3954D~1\SETUP_~1.MSI" 
del "\\?\C:\Users\***\AppData\Local\Temp\{3954D~1\SETUP_~1.MSI" 
if exist "\\?\C:\Users\***\AppData\Local\Temp\{3954D~1\SETUP_~1.MSI" goto try
ATTRIB -r "C:\Users\***\AppData\Local\Temp\EXE12EC.tmp.bat" 
del "C:\Users\***\AppData\Local\Temp\EXE12EC.tmp.bat" | cls

I checked the scheduled task (also in the SYSTEM context), but I don’t find a scheduled task that executes this batch file.

Does the TMEdit application itself trigger this batch file?
Can it be removed please? Because our Security department doesn’t like this.

I use TMEdit version (Will update to ASAP).

Thank you for this (and all other free) great tool(s)!
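
A defender-side triage of the batch quoted in the post above, as an added example that is not part of the thread or of TMEdit: it lists which files the script touches, whether any lie outside the given temp directory, and whether any verb or `goto` label is unexpected. The function name `triage` and the allow-list of verbs are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Batch text as quoted in the post (user name masked there as ***).
SAMPLE = r'''@echo off
ATTRIB -r "\\?\C:\Users\***\AppData\Local\Temp\{3954D~1\SETUP_~1.MSI"
del "\\?\C:\Users\***\AppData\Local\Temp\{3954D~1\SETUP_~1.MSI"
if exist "\\?\C:\Users\***\AppData\Local\Temp\{3954D~1\SETUP_~1.MSI" goto try
ATTRIB -r "C:\Users\***\AppData\Local\Temp\EXE12EC.tmp.bat"
del "C:\Users\***\AppData\Local\Temp\EXE12EC.tmp.bat" | cls
'''

# Assumption: the only verbs a self-deleting installer stub needs.
ALLOWED = {"@echo", "attrib", "del", "if", "cls", "goto"}

def triage(batch_text, temp_root):
    """Summarise what a clean-up batch touches; empty lists mean nothing unexpected."""
    root = PureWindowsPath(temp_root)
    out = {"targets": set(), "outside_temp": [],
           "unexpected_commands": [], "undefined_labels": []}
    lines = [l.strip() for l in batch_text.splitlines() if l.strip()]
    labels = {l[1:].split()[0].lower() for l in lines
              if l.startswith(":") and len(l) > 1}
    for line in lines:
        if line.startswith(":"):
            continue
        # Naive split on "|" (assumes no pipe inside a quoted path).
        for segment in line.split("|"):
            words = segment.split()
            if words and words[0].lower() not in ALLOWED:
                out["unexpected_commands"].append(segment.strip())
        for quoted in re.findall(r'"([^"]+)"', line):
            # Drop the \\?\ long-path prefix, then compare lexically
            # (8.3 short names in temp_root itself are not expanded).
            path = PureWindowsPath(quoted.removeprefix("\\\\?\\"))
            out["targets"].add(path.name)
            if ".." in path.parts or not path.is_relative_to(root):
                out["outside_temp"].append(quoted)
        for label in re.findall(r"\bgoto\s+:?(\w+)", line, re.I):
            if label.lower() not in labels | {"eof"}:
                out["undefined_labels"].append(label)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE, r"C:\Users\***\AppData\Local\Temp"))
```

On the batch exactly as quoted, both paths stay inside the temp directory and every verb is on the allow-list; the only finding is `goto try` with no `:try` label among the quoted lines.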
