Question: Did I download a malicious clone of WinMerge?


Studynxx (thread author)
I downloaded WinMerge to help with comparing source and backup files of the app I'm developing. I downloaded it from here: Download WinMerge - WinMerge, clicked on the first blue button, was taken to WinMerge and hit download, then ran the installer through VirusTotal, which came back clean. I ran the installer, enabled Shell Integration (Explorer) and "Add to System PATH", and let it finish. What concerns me: why did a PowerShell console with zero visible output (-silent probably) run? It stayed for about 4-5 seconds and then went away.

Kaspersky Total Security runs hardened on my systems: all unsigned code and apps are automatically put in the "High Restricted" category, so basically they can't do anything. Kaspersky never notified me of any malicious activity.

I went into Event Viewer looking for the PowerShell logs, found only stuff related to MS Teams, and its output wasn't malicious. I then wrote this script to find autoruns:

Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location
Nothing I didn't personally add.

then

Get-ChildItem -Path C:\ -Filter *.ps1 -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-2) } | Sort-Object LastWriteTime -Descending
This would find all the latest PowerShell files on the C drive, but I found none.

Then I ran this to find WinMerge-related scheduled tasks: Get-ScheduledTask | Where-Object {$_.TaskName -like "*WinMerge*" -or $_.TaskName -like "*PowerShell*"}
Nothing.

Is it normal for WinMerge to run a PowerShell command with zero console output? Should I be concerned?
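The three checks above (startup entries, recent .ps1 files, scheduled tasks) all look for something persisted to disk, which is why they come back empty when an installer simply launches powershell.exe with an inline -Command and exits. The place that records such one-off invocations is the event log: the classic "Windows PowerShell" log (Event ID 400, engine start) carries the full HostApplication command line, and Microsoft-Windows-PowerShell/Operational (Event ID 4104) carries the script block text. The following script is an added example, not code from the thread or from WinMerge; it assumes the default log names and that 4104 is populated (full Script Block Logging must be enabled by policy, otherwise PowerShell only records blocks it flags as suspicious on its own).

```powershell
# Added example (not from the thread). Lists PowerShell activity in a time window and
# filters it for strings of interest. Assumes the default Windows log names; complete
# 4104 coverage needs Script Block Logging enabled by policy.
param(
    [datetime] $Since = (Get-Date).AddHours(-2),
    [string[]] $Keywords = @('WinMerge', 'Add-AppxPackage', 'Invoke-WebRequest',
                             'DownloadString', 'FromBase64String', '-EncodedCommand')
)

$pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1) Engine start (classic 'Windows PowerShell' log, Id 400). The HostApplication field
#    in the message is the full command line powershell.exe was launched with, so an
#    installer running 'powershell.exe -Command ...' shows up here even though no .ps1
#    file ever touches the disk.
$engineStarts = Get-WinEvent -FilterHashtable @{
        LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hostApp = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'EngineStart'; Text = $hostApp }
    }

# 2) Script block text (Microsoft-Windows-PowerShell/Operational, Id 4104).
#    Properties[2] of a 4104 event is the script text itself.
$scriptBlocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'ScriptBlock'; Text = [string]$_.Properties[2].Value }
    }

$hits = @($engineStarts) + @($scriptBlocks) |
    Where-Object { $_.Text -match $pattern } |
    Sort-Object Time

if (-not $hits) {
    Write-Host "No PowerShell activity matching /$pattern/ since $Since"
} else {
    $hits | Format-List Time, Kind, Text
}
```

Save it as a .ps1 and run it shortly after the install with -Since set to just before the installer started; the keyword list is only a starting point, so widen it (or drop the filter) if the window is short enough to read every entry. If process command-line auditing is enabled (Security log, Event ID 4688), the same invocation also appears there with its parent process, which ties the PowerShell launch back to the installer.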
The behavior you described is not typical for WinMerge. However, the fact that your security software didn't flag anything and your manual checks came back clean is a good sign. It's possible that the PowerShell console was part of the installation or setup process. If you're still concerned, consider uninstalling the software, then reinstalling it directly from the official WinMerge website or a trusted source.
 
If I'm not misunderstanding your words, WinMerge only ran for 4-5 seconds and auto-terminated? 🤔

Have you checked KTS Application Control -> Manage Applications for anything in the Untrusted groups?

No, while the installer was still active, an output-less PowerShell script was running, with no output in its console.

Nothing related, PowerShell or otherwise, is in the Untrusted group (nothing is in there at all, actually).

 
Shouldn't you rather ask the tool developer?
I just looked through the PowerShell logs; this is what the installer was running:

if ((Get-AppxPackage -name WinMerge) -eq $null) { Add-AppxPackage "C:\Program Files\WinMerge\WinMergeContextMenuPackage.msix" -ExternalLocation "C:\Program Files\WinMerge" }

Looks like I'm good.
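The logged command registers the Explorer context-menu extension: -ExternalLocation makes it a "sparse" MSIX package, meaning only the manifest is in the .msix and the actual files stay in the WinMerge install directory, and the Get-AppxPackage guard just skips the step when the package is already registered. That explains a short, silent PowerShell window during setup. The quick way to close the question is to verify what got registered rather than trust the log alone. The script below is an added example, not from the thread or from the WinMerge project; the paths come from the logged command, and WinMergeU.exe is assumed to be the main WinMerge executable.

```powershell
# Added example (not from the thread). Checks what the logged Add-AppxPackage call
# registered: the Authenticode signature of the .msix, the registered package's signature
# kind and install location, and whether the package signer matches the main binary's.
# Paths are taken from the logged command; 'WinMergeU.exe' is an assumed file name.
$pkgDir = 'C:\Program Files\WinMerge'
$msix   = Join-Path $pkgDir 'WinMergeContextMenuPackage.msix'
$exe    = Join-Path $pkgDir 'WinMergeU.exe'

function Get-SignerSummary([string] $Path) {
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ File = Split-Path $Path -Leaf; Status = 'Missing'; Subject = ''; Thumbprint = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Status     = $sig.Status                        # expect 'Valid'
        Subject    = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

$msixSig = Get-SignerSummary $msix
$exeSig  = Get-SignerSummary $exe
$msixSig, $exeSig | Format-Table -AutoSize

# A sparse package keeps its files at InstallLocation (here the WinMerge install dir)
# instead of under WindowsApps. A different InstallLocation, or SignatureKind = None,
# would be the thing to question.
$pkg = Get-AppxPackage -Name WinMerge
if (-not $pkg) {
    Write-Host 'No package named WinMerge is registered for this user.'
} else {
    $pkg | Select-Object Name, PackageFullName, Publisher, SignatureKind, InstallLocation | Format-List
}

# Consistency verdict: both files validly signed, same signer subject, package pointing
# at the install directory. Subjects are compared rather than thumbprints so that a
# certificate renewal between builds does not show up as a mismatch.
$ok = ($msixSig.Status -eq 'Valid') -and ($exeSig.Status -eq 'Valid') -and
      ($msixSig.Subject -eq $exeSig.Subject) -and
      ($null -ne $pkg) -and ($pkg.InstallLocation.TrimEnd('\') -eq $pkgDir)
Write-Host ("Context-menu package consistent with the install: {0}" -f $ok)

# To undo only the shell-integration registration (files stay in place):
# Remove-AppxPackage -Package $pkg.PackageFullName
```

If the signer subject printed here matches the one on the installer you scanned on VirusTotal, the context-menu package came from the same publisher as the rest of the install; a 'NotSigned' or 'Missing' status, or an InstallLocation outside the WinMerge directory, would be the point to start asking harder questions.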