MS Defender alert "Trojan:Win32/Malgent!MSR" for AutoCtrl_2024.3.14.0.exe


Charlie

Jul 12, 2024, 5:04:18 AM
to AutoControl
It seems like an update for the native component of AutoControl is flagged as malicious by Windows Defender. The file is also detected as malware by "Bkav Pro", according to VirusTotal: https://www.virustotal.com/gui/file/832308d7600119a62d12b33b0655cdd532ee84aed4d4cb147bf6329ae8c42370

The defender alert kept popping up repeatedly. ..\AppData\Local\AutoControl\AutoCtrl_2024.3.14.0.exe was immediately removed by Defender, but also kept reappearing immediately. This stopped after AutoControl was uninstalled.

Please advise if this is a false positive or not.

AutoControl support

Jul 12, 2024, 9:54:39 AM
to AutoControl
Yes, those are false positives. Please make sure your antivirus database is up to date.
You should also update AutoControl as version 2024.3.14 is rather old at this point (it came out in March) and it's no longer being distributed by the Chrome Web Store. The current version is 2024.6.19.

If the problem keeps happening, please mention the malware detection name reported by your antivirus so we can report the false positive to the vendor.

Charlie

Jul 12, 2024, 12:27:49 PM
to AutoControl
Thanks for the confirmation. It seems a bit suspicious that the update AutoCtrl_2024.3.14.0.exe kicked in today, despite it being released in March. I'm from a small company and the AV alert appeared on the machine of a colleague. We've advised him to stop using AutoControl, just to be safe.

As stated in this topic's subject, the malware detection name reported by Defender is "Trojan:Win32/Malgent!MSR". VirusTotal now also reflects this.

Kind regards!

AutoControl support

Jul 12, 2024, 2:15:48 PM
to AutoControl
Thanks for your report. The false positive was submitted to Microsoft a few minutes ago. These cases are usually solved in about 24 hours. We'll update this thread when there is news.

AutoControl support

Jul 15, 2024, 6:33:46 AM
to AutoControl
Microsoft responded to our false positive submission with the following:

"We have determined that the files meet our criteria for malware. At this time the detection will remain in place."

This means they still think AutoCtrl_2024.3.14.0.exe is malware, in spite of all other versions not being deemed malware, such as AutoCtrl_2024.2.7.0.exe or AutoCtrl.2024.6.19.exe.
This determination can easily be demonstrated to be incorrect by making an insignificant change to AutoCtrl_2024.3.14.0.exe and then resubmitting.

This is the signature of the original AutoCtrl_2024.3.14.0.exe as can be seen in VirusTotal:

Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5                               Chi2
.text   4096             515155        515584    6.59     487dc83782f9817a571ee77dfc04ece4  2921997.75
.rdata  520192           114866        115200    5.46     e69ec80c59f09d494116453aaa1c1a7c  4316608.5
.data   638976           25464         8192      4.5      39bede946757b3fd44a47606ee00a493  306582.69
.gfids  667648           524           1024      2.33     7461dd5071ac665247eb62426e2ad140  144802
.tls    671744           25            512       0.02     8e3343efa9afc26ac6caf49228cbe049  130049
.rsrc   675840           21248         21504     6.22     8b0a3703982b553253f63af13efd0ad9  244753.8
.reloc  700416           28812         29184     6.67     933838dbb3096ff6e991f469a057fa18  113705.81

And this is the signature of the same file with an insignificant modification:

Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5                               Chi2
.text   4096             515155        515584    6.59     487dc83782f9817a571ee77dfc04ece4  2921997.75
.rdata  520192           114866        115200    5.46     e69ec80c59f09d494116453aaa1c1a7c  4316608.5
.data   638976           25464         8192      4.5      39bede946757b3fd44a47606ee00a493  306582.69
.gfids  667648           524           1024      2.33     7461dd5071ac665247eb62426e2ad140  144802
.tls    671744           25            512       0.02     8e3343efa9afc26ac6caf49228cbe049  130049
.rsrc   675840           21248         21504     6.22     cdd343217df95e36a6258af9409dd21e  244836.16
.reloc  700416           28812         29184     6.67     933838dbb3096ff6e991f469a057fa18  113705.81

Both files are identical except for their .rsrc section (which doesn't contain code), and yet one is detected as malware by Microsoft and the other is not.
This means that Windows Defender is not detecting anything in the file, instead it's just retrieving the file signature from a database.

As to why AutoCtrl_2024.3.14.0.exe ended up in a malware list, we can only speculate, but most likely because some AutoControl user wrote a script using functions like ACtl.runCommand() or ACtl.getFile() or ACtl.getClipboard(), and Windows Defender saw that activity as suspicious.

In any case, version 2024.3.14 is an old release from March 2024 and the Chrome Web Store stopped distributing that version at the end of May when version 2024.5.30 was released. The current version is 2024.6.19.
If anybody is still affected by this problem, please make sure to update and the problem should go away.
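A way to reproduce the per-section comparison shown in the two tables above without relying on VirusTotal, as an added example that is not AutoControl's own code: it parses the PE section headers of two builds, computes each section's MD5 and entropy from its raw file bytes, and reports which sections differ. The build_test_pe helper and the sample section contents are constructed here so the script runs offline; the real AutoCtrl executables are not included.

```python
import hashlib
import math
import struct

def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte, the per-section figure VirusTotal reports."""
    n = len(buf)
    return -sum(buf.count(b) / n * math.log2(buf.count(b) / n) for b in set(buf)) if n else 0.0

def section_table(pe: bytes) -> list:
    """Parse the PE section headers and hash each section's raw file bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # SizeOfOptionalHeader
    rows = []
    for i in range(n_sections):
        off = pe_off + 24 + opt_size + 40 * i                # 40-byte IMAGE_SECTION_HEADER
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        rows.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                     "rawsize": rawsize, "entropy": round(shannon_entropy(raw), 2),
                     "md5": hashlib.md5(raw).hexdigest()})
    return rows

def changed_sections(a: bytes, b: bytes) -> list:
    """Names of sections whose raw-byte MD5 differs between two builds of the same PE."""
    ta = {r["name"]: r["md5"] for r in section_table(a)}
    tb = {r["name"]: r["md5"] for r in section_table(b)}
    return sorted(n for n in set(ta) | set(tb) if ta.get(n) != tb.get(n))

def build_test_pe(sections: dict) -> bytes:
    """Constructed minimal PE (no optional header) used only as offline sample input."""
    data_off = (0x58 + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, va = b"", b"", 0x1000
    for name, payload in sections.items():
        raw = payload.ljust((len(payload) + 0x1FF) & ~0x1FF, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload),
                             va, len(raw), data_off + len(body), 0, 0, 0, 0, 0x40000040)
        body += raw
        va += (len(raw) + 0xFFF) & ~0xFFF                     # 4 KiB section alignment
    return (dos + coff + table).ljust(data_off, b"\0") + body
```

On real files, call changed_sections(open(a, "rb").read(), open(b, "rb").read()); an output of [".rsrc"] alone is what the two tables above describe, a difference confined to a section that holds no code.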
