Portable Viewer flagged as Trojan: Win32/Rundas!plock

BartB, User (Posts: 41)
Feb 06, 2017 5:31:11 pm EST
I have the portable viewer on my work laptop (Win10 Pro) with Windows Defender. Today, all of a sudden, I couldn't launch the Viewer as it would close and disappear from my System Tray after double-clicking on it.  On a hunch, I checked Windows Defender, and sure enough there was a new detection, of the following virus: Trojan: Win32/Rundas!plock
https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas!plock&threatid=2147711527&enterprise=1

So now I'm unable to launch my Viewer, as the process gets killed right away. And for some reason, I'm unable to make an exception for it in Windows Defender, which may be a Group Policy in my corporate Windows 10.

This trojan has been around most of 2016, and most people claim it's a false positive, but being unable to add an exception for the Viewer exe in Defender, I'm stuck with no remote access.

Any suggestions?
Conrad, Support (Posts: 3049)
Feb 06, 2017 9:23:29 pm EST
Hello Bart,

Thank you for your message. Yes, this problem was also reported today by a few other users as well. We have already contacted Microsoft regarding this issue. Hopefully, they will fix it as soon as possible.

I perfectly understand your frustration because we are frustrated with these uncontrolled and irresponsible antivirus software behaviors too.

P.S. I will move this thread to the antivirus sub-forum.
BartB, User (Posts: 41)
Feb 07, 2017 11:35:30 am EST
Looks like the latest updates for Defender are allowing the Viewer to run in Windows 10.
Below is the current definition info:
Conrad, Support (Posts: 3049)
Feb 07, 2017 4:21:39 pm EST
Hello Bart,

This detection was strange from the very beginning. For example, when we tested it yesterday, Windows Defender falsely notified us about this "trojan" but still allowed the Viewer to run. Then why do they call the Viewer a trojan in the first place? :)

Anyway, we have already received a response from Microsoft and they asked for some more information. We'll make sure that this issue is resolved soon.

Thanks.
BartB, User (Posts: 41)
Feb 08, 2017 2:30:53 pm EST
And we're back to being blocked. Defender just updated a few minutes ago, and immediately it killed the Viewer process. So looks like whatever MS has done yesterday, they undid it today.



Conrad, Support (Posts: 3049)
Feb 08, 2017 2:39:15 pm EST
Hello Bart,

Yesterday they told us that they issued new definitions which they believed would fix the issue. It seems like the issue still persists.

We can but write to them again and kindly ask for removal of this detection. Thank you for letting us know.
Ian Parker, User (Posts: 2)
Feb 09, 2017 6:13:37 pm EST
Support level: Free or trial
Still doing it after a Defender update this morning and a fresh download of RU

:(
Conrad, Support (Posts: 3049)
Feb 09, 2017 6:42:54 pm EST
Hello Ian,

We submitted a new request to Microsoft yesterday just as they instructed but so far no news from them.

Sorry for any inconvenience. By the way, perhaps it would speed up the process if you could submit a request too. It only takes a minute. Here is a link https://www.microsoft.com/en-us/security/portal/submission/submit.aspx

The file which is falsely detected is rutview.exe, it's the Viewer executable file. It can be found in C:\Program Files\Remote Utilities - Viewer\. You need to zip the file before uploading - the form doesn't allow files more than 10Mb to be attached.

Thanks.
BartB, User (Posts: 41)
Feb 10, 2017 12:24:14 pm EST
It's working for me this morning, with the current definition updates:

BartB, User (Posts: 41)
Feb 10, 2017 12:49:34 pm EST

Conrad wrote:

Sorry for any inconvenience. By the way, perhaps it would speed up the process if you could submit a request too. It only takes a minute. Here is a link  https://www.microsoft.com/en-us/security/portal/submission/submit.aspx  

The file which is falsely detected is rutview.exe, it's the Viewer executable file. It can be found in C:\Program Files\Remote Utilities - Viewer\. You need to zip the file before uploading - the form doesn't allow files more than 10Mb to be attached.

Thanks.

Report submitted:

Submission ID: MMPC17021010805743
Submitted date: Feb 10, 2017 17:38 PM UTC

* Website time zone: America/New_York (UTC -5)