
Windows Defender Finds Infection in Acronis 2021 Installer


I woke up this morning to the following report from Windows Defender (see attached images). In essence it is saying there is a Win32/CVE-2018-8120 exploit in the following files. Note that I do a full scan every night and just before it runs I do a security intelligence update.

containerfile: C:\Windows\Installer\6d2a6b6.msi

containerfile: S:\Acronis 2021\AcronisTrueImage2021.exe (The S drive contains my system backup. I maintain a copy of the Acronis installer there in case of a full meltdown.)

file: C:\Windows\Installer\6d2a6b6.msi->Binary.tnd_msi_x86

file: S:\Acronis 2021\AcronisTrueImage2021.exe->(ZipSfx)->AcronisTrueImage.msi->Binary.tnd_msi_x86

I have run the Remove process to fully delete the files.

I know that in the past Windows Defender and other antivirus programs have given false alarms. I will ditch these files and download a new installer just to be safe.

Currently I am running Acronis True Image 2021 Build 39287

Attachments: Infection_1.JPG, Infection_2.JPG, Acronis True Image Version.JPG

Warren, I would recommend opening a non-technical support ticket directly with Acronis to report this concern. (It has to be via non-technical because ATI 2021 has no support otherwise, but this is a virus concern with the installer application!)

I can confirm that I am also seeing Windows Defender reporting Exploit:Win32/CVE-2018-8120 flagged as 'Severe' for the same ATI 2021 #39287 installer exe file.

I downloaded a clean copy of the Build 39287 installer from the Downloads Page (see attached) of my account and a scan of the file with Windows Defender shows the same threat (see attached).

Perhaps at this point I will update to Acronis Cyber Backup. I did download the installer for it and it tested clean with Windows Defender. But I got a warning that Acronis Cyber Backup is not compatible with my current backup plan (see attached).

  • I went to the upgrade procedure website that is listed in the note but there is no clear plan to upgrade from Acronis True Image 25.10.39287 to Acronis Cyber Backup SCS 12.5.
  • Do I have to start over and create new plans?
  • Will I be able to keep my current backups? I backup my data to one USB drive and the system to another USB drive.
  • Can I use my Perpetual License or do I need to purchase a subscription?
Attachments: 603875-329764.JPG, 603875-329767.JPG, 603875-329768.JPG

Hi Steve,

I will open a ticket with Acronis. And probably install the new product.

Warren, Acronis Cyber Backup is a business subscription product - you may want to look instead at Acronis Cyber Protect Home Office which is the follow on product to ATI 2021 but is also subscription.

Acronis no longer provides any perpetual licenses and any existing ones only apply to the products they were bought for.

Note: I am still running ATI 2021 on my own system, installed from the same file that now gives the Defender warning, and am not getting any such warnings for the installed application!

(I have also sent an email to some Acronis contacts to alert them to this issue!).

Hi Steve - I am sending an email now and keep on using the ATI 2021. I hope that when the installer ran in 2021 that we didn't compromise our systems!

It is interesting that users of other protection products have not reported this issue. The PC I am using at the moment runs ATI 2021 so I will do a full scan of Norton 360 to see if anything is reported.

Ian

Hi Ian,

Interesting indeed! I am also running Malwarebytes Premium and it hasn't spotted the infection. If you go to Microsoft Security Intelligence and search for Exploit:Win32/CVE-2018-8120 you'll see that the exploit was first noted in 2018 by Windows Defender, so Windows Defender virus signatures have the ability to pick up on the infections. I suppose because it takes advantage of a flaw in the Windows OS. But why was it just discovered this morning when I've had ATI 2021 for a year? And I've been using Windows Defender full scan for a long time! Baffling! What is worrisome is whether our PCs were compromised when we initially installed ATI 2021, or did the installers get corrupted just recently? Note that even the clean copy of ATI 2021 available from your account downloader is infected.

Warren

Steve Smith wrote:

Warren, Acronis Cyber Backup is a business subscription product - you may want to look instead at Acronis Cyber Protect Home Office which is the follow on product to ATI 2021 but is also subscription.

Acronis no longer provides any perpetual licenses and any existing ones only apply to the products they were bought for.

Note: I am still running ATI 2021 on my own system, installed from the same file that now gives the Defender warning, and am not getting any such warnings for the installed application!

(I have also sent an email to some Acronis contacts to alert them to this issue!).

Steve,

I got this reply from Acronis. Of course they just told me to remove the infection and upgrade to the newest product. They're not going to fix the installer. I suppose they won't do it because ATI 2021 is no longer supported. Then they should remove the installer from the download window and say you must do the upgrade. And they should issue an alert to all ATI 2021 folks who have their products registered and tell them how to safely remove the installer files!!

Thank you for sharing the screenshot. Regarding your concern, I would like to inform you that quarantine is a special storage area that is used to isolate infected and suspected files on your machine, or any data, to avoid potential harm. You can minimize the current threat message. I would request you to click on Action and choose the desired option.

As always, we recommend upgrading to the most current version to ensure your Acronis software is up-to-date so you enjoy the latest features and fixes.

I have found the installer going back to backups from April. I will delete the system backups altogether and start fresh.

Apparently Windows Defender didn't go inside of the backed up files and flag them.

Warren, I haven't had any response to my own direct email to my Acronis contacts as yet, but you may want to go back to your contact and ask why they are continuing to distribute this installer via their own Acronis Product Updates page (with the browser page title 'Trusted cybersecurity') when concerns over a virus have been raised?

I suspect that this might be a false positive, especially as Defender has never flagged this on all the systems I have ATI 2021 installed on, but it is possible that there is some obscure file within the installer. I note that the suspect file name includes 'tnd', which suggests this is related to the Try & Decide feature, which is already known to conflict with Windows memory integrity if one attempts to enable it!

Further point to make here is that ATI 2021 #39287 was only released on 2022-01-27 as part of a series of 'security' updates to recent Acronis True Image versions (2017 to 2021).  I have run a defender scan on the other updated installer files and only 2021 gives this 'severe exploit' warning!  However, scanning the ACPHO #39703 installer also gives the same!

Whatever Acronis introduced in the 2021 installer is being propagated forward into the new version installers coming after it!

I did a scan with Norton 360 and none of the recent builds of ATI or ACPHO were flagged. Will run a scan tomorrow (after doing an update to Norton) and report the results. 

Ian

Hi Steve,

Steve Smith wrote:

Warren, I haven't had any response to my own direct email to my Acronis contacts as yet, but you may want to go back to your contact and ask why they are continuing to distribute this installer via their own Acronis Product Updates page (with the browser page title 'Trusted cybersecurity') when concerns over a virus have been raised?

I replied this to Acronis support:

Please consider informing current Acronis True Image 2021 registered users that if they still have the installer on their PC they should delete all instances at once because of the infection being found! You should inform them how to find the files affected and safely remove them. PLEASE NOTE that the "clean download" of the installer that is linked to the users account is also infected! The Acronis True Image 2021 downloads should either be taken down or the virus removed from them and a new build posted ASAP! [This was sent before I knew that they are continuing to issue security updates. I sent a new reply as indicated below]

As an aside, I get warnings about using hyperlinks in my responses. How do I get the privilege of using them?

I suspect that this might be a false positive, especially as Defender has never flagged this on all the systems I have ATI 2021 installed on, but it is possible that there is some obscure file within the installer. I note that the suspect file name includes 'tnd', which suggests this is related to the Try & Decide feature, which is already known to conflict with Windows memory integrity if one attempts to enable it!

It possibly is a false positive, as you point out, but as you say, why do they continue to include the 'tnd' file if it is known that it conflicts with Windows memory integrity? Has this warning been loud and clear? It's the first that I heard of it! I don't think I ever used that feature. I upgraded ATI from 2014 to 2015 to 2021 via the Perpetual License program.

Further point to make here is that ATI 2021 #39287 was only released on 2022-01-27 as part of a series of 'security' updates to recent Acronis True Image versions (2017 to 2021).  I have run a defender scan on the other updated installer files and only 2021 gives this 'severe exploit' warning!  However, scanning the ACPHO #39703 installer also gives the same!

That is an excellent point to make! I included that in another reply to their response. Until now I was unaware that our installers are receiving automatic security updates. Do they automatically update the executable ATI 2021 as well when they come across security issues?

Whatever Acronis introduced in the 2021 installer is being propagated forward into the new version installers coming after it!

Excellent point!

So an update to my backups. I did start with a clean slate of OS System backups after making sure the affected "msi" file was indeed deleted permanently. Also took the opportunity to make the backup encrypted. These days you can't be too careful!


Hello,

I can confirm that I have the same problem. Windows 11 Defender reportedly finds Win32/CVE-2018-8120 in the installer. It's a fresh ATI2021 installation in Win11 from yesterday.

When I uninstall ATI2021, Defender doesn't find anything anymore. 

I'm assuming it's a false positive. Should one possibly exclude the container file in windows/installer with the threat in Defender?

By the way, moving to quarantine didn't work. 

It possibly is a false positive, as you point out, but as you say, why do they continue to include the 'tnd' file if it is known that it conflicts with Windows memory integrity? Has this warning been loud and clear? It's the first that I heard of it! I don't think I ever used that feature.

Warren, for reference on the Windows memory integrity topic:

Topic: Does win10 Memory Integrity feature work with TI2019?

Topic: Acronis Tib incompatible with Windows 10 x64 memory

Topic: Incompatible Driver(s): tib.sys?

What happens if I let Defender delete the 'infected' file in windows/installer folder ? I assume I will get the same warning again when ATI2021 updates ?

Warren, I have received the following from my Acronis contact:

Thanks a lot that you highlight this issue, it’s critical for our product to be absolutely clean and transparent in terms of anti-malware.

We are investigating this case, I will inform you, as soon as I get new information.

Steve Smith wrote:

Thanks a lot that you highlight this issue, it’s critical for our product to be absolutely clean and transparent in terms of anti-malware.

We are investigating this case, I will inform you, as soon as I get new information.

That’s excellent news! At least they will investigate and take action! 

Steve Smith wrote:

Thanks a lot that you highlight this issue, it’s critical for our product to be absolutely clean and transparent in terms of anti-malware.

We are investigating this case, I will inform you, as soon as I get new information.

This is the curt remark I got from Acronis. I just pointed out what you said, Steve, that ATI 2021 #39287 was only released on 2022-01-27 as part of a series of 'security' updates to recent Acronis True Image versions (2017 to 2021). But just closing the case is not right! I'm hoping that your connection gets some results from the investigation!

Thank you for your reply and your feedback is definitely appreciated

I am going to close this particular case # xxxxxxxx but please feel free to contact our team whenever you come across any additional questions with regard to Acronis software.

Stay safe and healthy  

Warren, in my experience first line support are next to useless. Fortunately, higher up the corporate ladder this issue is apparently being taken very seriously.

Not sure when there will be a fix, but if it is a serious issue there will be a fix.

Ian

IanL-S wrote:

Warren, in my experience first line support are next to useless. Fortunately, higher up the corporate ladder this issue is apparently being taken very seriously.

Not sure when there will be a fix, but if it is a serious issue there will be a fix.

Ian

Hi Ian,

I totally agree! Many times the first line of support is a bit shaky! I am very hopeful with the connection that Steve has made. 

Update received this morning from my Acronis contact:

Our cyber security team investigated the case and found out that it was false positive in MS defender.

They fixed it already, you can check here: https://www.virustotal.com/gui/file/9a611164d3dbe8e4b709f96a64d406c935192fb28d4eaff11e40a603ddd5da87

From the VirusTotal page above, that detection appeared and was fixed by Microsoft within 2 days:

I am currently running a full Defender scan of my folder storing Acronis installers and will advise if I still see any warnings given (none so far). 

Steve Smith wrote:

Update received this morning from my Acronis contact:

Our cyber security team investigated the case and found out that it was false positive in MS defender.

From the VirusTotal page above, that detection appeared and was fixed by Microsoft within 2 days:

I am currently running a full Defender scan of my folder storing Acronis installers and will advise if I still see any warnings given (none so far). 

That's great news Steve! I will try to download the installer again and scan it. No infection found on the clean download!

HG wrote:

Hello,

I can confirm that I have the same problem. Windows 11 Defender reportedly finds Win32/CVE-2018-8120 in the installer. It's a fresh ATI2021 installation in Win11 from yesterday.

When I uninstall ATI2021, Defender doesn't find anything anymore. 

I'm assuming it's a false positive. Should one possibly exclude the container file in windows/installer with the threat in Defender?

By the way, moving to quarantine didn't work.  

Hi HG,

Try downloading a clean copy of the installer from your Acronis Account page. If you go to the Products Tab you should see a Go to Downloads link. Download the latest installer which is 39287. They just updated it in the last couple of days. I tested the installer with Windows Defender full scan using the latest virus signature and it found no threats. The installer itself showed the threats last week when I tried to download a clean copy.

I would download a clean copy of the installer and then right click on it and scan with Windows/Microsoft Defender. If it reports no infection I would uninstall ATI 2021 and install a clean copy from the installer you just downloaded. Good Luck! Let us know how it goes!

Warren
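The checks Warren describes (scan the downloaded copy with Defender before reinstalling) can be done from an elevated PowerShell prompt with built-in cmdlets, and two more checks are worth adding: whether the local file is byte-for-byte the sample on the VirusTotal page Steve's contact linked, and whether the vendor's Authenticode signature on it is still valid. The script below is an added example, not code from this thread or from Acronis. It assumes the installer path from Warren's first post and assumes that the SHA-256 in that VirusTotal URL is the hash of the #39287 installer exe; neither assumption is confirmed on this page, so adjust both before use.

```powershell
# Added example (not from the thread or from Acronis): check a local copy of the
# ATI 2021 installer before trusting it again, using only built-in Windows tooling.
# Assumptions: $InstallerPath is where your copy lives (Warren's path is used);
# $ExpectedSha256 is the hash from the VirusTotal link quoted in the thread and is
# assumed to be the #39287 installer exe. Run from an elevated PowerShell window.
param(
    [string]$InstallerPath  = 'S:\Acronis 2021\AcronisTrueImage2021.exe',
    [string]$ExpectedSha256 = '9a611164d3dbe8e4b709f96a64d406c935192fb28d4eaff11e40a603ddd5da87'
)

# 1. Hash: do you hold the same bytes that Microsoft re-classified as clean?
#    A match says "same file as the VirusTotal sample", nothing more.
$hash        = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
$hashMatches = ($hash -ieq $ExpectedSha256)
"SHA-256 : $hash"
"Matches VirusTotal sample : $hashMatches"

# 2. Authenticode: a corrupted or trojanised installer normally breaks the vendor
#    signature, so 'Valid' from an Acronis certificate is stronger evidence of
#    'not tampered' than any single AV verdict.
$sig            = Get-AuthenticodeSignature -FilePath $InstallerPath
$signedByVendor = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -match 'Acronis')
"Signature : $($sig.Status) / $($sig.SignerCertificate.Subject)"

# 3. Record the definition version in use. A false positive is tied to a specific
#    signature version, so this is what to quote when reporting it.
$mp = Get-MpComputerStatus
"Defender engine $($mp.AMEngineVersion), signatures $($mp.AntivirusSignatureVersion), updated $($mp.AntivirusSignatureLastUpdated)"

# 4. Re-scan only this file with the current definitions; a full-system scan is
#    not needed to reproduce (or clear) a detection on one installer.
$scanStarted = Get-Date
Start-MpScan -ScanType CustomScan -ScanPath $InstallerPath

# 5. Read the detection history rather than the pop-up. Entries from before a
#    definition update stay in the history, so only hits touched after this scan
#    count as 'still detected'. Threat names live in Get-MpThreat, keyed by ThreatID.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
$hits = Get-MpThreatDetection | Where-Object {
    ($_.Resources -join ' ') -match [regex]::Escape($InstallerPath)
}
foreach ($h in $hits) {
    '{0}  {1}  {2}' -f $h.InitialDetectionTime, $names[$h.ThreatID], ($h.Resources -join '; ')
}
$freshHits = @($hits | Where-Object {
    $_.InitialDetectionTime -ge $scanStarted -or $_.LastThreatStatusChangeTime -ge $scanStarted
})

# 6. Verdict: run the installer only when all three checks agree.
if ($hashMatches -and $signedByVendor -and $freshHits.Count -eq 0) {
    'OK: known sample, valid Acronis signature, no detection with current definitions.'
} else {
    'DO NOT RUN: hash mismatch, signature problem, or Defender still flags this file.'
}
```

Two caveats on reading the result. A matching hash plus a now-clean VirusTotal page means Microsoft withdrew the signature, not that the binary was independently audited; the Authenticode check is the part that actually speaks to tampering. And the workaround HG asked about, excluding C:\Windows\Installer from Defender, is the wrong fix for a false positive: that folder holds every cached MSI on the machine, so an exclusion there would blind Defender to real installer-borne malware long after this particular detection is gone.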

Hi Warren, thanks for the reply.
The issue more or less resolved itself because it was a Win11 Defender issue.
Only my message was published here after days.
Since a Defender update this week, it no longer finds any malware, even with the old installer.

HG wrote:

Hi Warren, thanks for the reply.
The issue more or less resolved itself because it was a Win11 Defender issue.
Only my message was published here after days.
Since a Defender update this week, it no longer finds any malware, even with the old installer.

Hi HG,

I guess what got fixed is the Windows Defender virus definitions. Good to know!

Warren