Strange file

  • Thread starter: ForgottenSeer 69673
I was trying to install an Intel user file. VT says it is clean, but when trying to install the file, Voodoo says 16 engines say a spawned exe is bad, along with Malwarebytes.
 

Attachments: huh.txt, ScreenHunter_146 Oct. 01 15.33.jpg
I was trying to install an Intel user file. VT says it is clean [...]
VirusTotal makes use of the checkmark symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
-
https://support.virustotal.com/hc/en-us/articles/115002093769-The-antivirus-result-displays-a-green-circle-with-a-white-tick-mark-what-does-this-mean-
-
FWIW ~
Um, is this your Intel file?
Hybrid-Analysis
https://www.hybrid-analysis.com/sample/d1e0ed64ae16358390389070cec88e493afea7faa86dff884366b6efb86b1b28
-
VoodooShield dialog points to driver package installer?
 
Well, nmly01af09en.exe < #4 > has Signers.
IDK re driver package installer.
-
FWIW ~
Edit: here's dpinst.exe

Hybrid-Analysis
https://www.hybrid-analysis.com/sample/b6323db4d3829487b5fd72807652848dc083fcb34e922ef6d0523b68e5192227
 
I was trying to install an Intel user file. VT says it is clean, but when trying to install the file, Voodoo says 16 engines say a spawned exe is bad, along with Malwarebytes.

huh.txt provides a link to a file other than the one blocked, which is dpinst.exe.

You could use Hybrid-Analysis to check if the file does some dangerous stuff.

Have you run it in the Cuckoo Sandbox?

They're essentially the same and the user won't be able to interpret the results anyway.

VirusTotal makes use of the checkmark symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
-
https://support.virustotal.com/hc/en-us/articles/115002093769-The-antivirus-result-displays-a-green-circle-with-a-white-tick-mark-what-does-this-mean-
-
FWIW ~
Um, is this your Intel file?
Hybrid-Analysis
https://www.hybrid-analysis.com/sample/d1e0ed64ae16358390389070cec88e493afea7faa86dff884366b6efb86b1b28
-
VoodooShield dialog points to driver package installer?

Big companies like M$, etc. are famous for employing unsigned files, and Lenovo probably isn't an exception.

dpinst.exe is digitally signed by Intel and ships with Intel Extreme Tuning Utility.
 
Well, nmly01af09en.exe < #4 > has Signers.
IDK re driver package installer.
-
FWIW ~
Edit: here's dpinst.exe
Hybrid-Analysis
https://www.hybrid-analysis.com/sample/b6323db4d3829487b5fd72807652848dc083fcb34e922ef6d0523b68e5192227

Yes, that is correct. VT does not say nmly01af09en.exe is bad, nor does Hybrid Analysis, but the spawned file from the install, dpinst.exe, is found bad.
 
huh.txt provides a link to a file other than the one blocked, which is dpinst.exe.

dpinst.exe is digitally signed by Intel and ships with Intel Extreme Tuning Utility.
FWIW ~
Yes, the VirusTotal link in "huh.txt" points to nmly01af09en.exe
d1e0ed64ae16358390389070cec88e493afea7faa86dff884366b6efb86b1b28
nmly01af09en.exe
With the VirusTotal info. I made post #4 n' #6.
dpinst.exe Properties did not show Digital Signatures.
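
An added example, not posted by anyone in the thread: a PowerShell check of which posted report actually covers each file and whether each executable carries an Authenticode signature, the two points the posts above disagree on. The local file paths are assumptions; the two report URLs are the ones posted in the thread.

```powershell
# Added example. The default paths are assumed local copies of the parent
# installer and of the spawned file that was blocked.
param(
    [string[]]$Path = @('.\nmly01af09en.exe', '.\dpinst.exe')
)

# Report links exactly as posted in the thread.
$reportUrls = @(
    'https://www.hybrid-analysis.com/sample/d1e0ed64ae16358390389070cec88e493afea7faa86dff884366b6efb86b1b28',
    'https://www.hybrid-analysis.com/sample/b6323db4d3829487b5fd72807652848dc083fcb34e922ef6d0523b68e5192227'
)

# Index each report by the SHA-256 embedded in its URL.
$reports = @{}
foreach ($url in $reportUrls) {
    if ($url -match '[0-9a-fA-F]{64}') {
        $reports[$Matches[0].ToLower()] = $url
    }
}

foreach ($file in $Path) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        Write-Warning "Not found: $file"
        continue
    }

    # A verdict only applies to the exact bytes that were hashed, so the
    # parent installer's report says nothing about a file it drops.
    $sha256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLower()

    # Status is Valid, NotSigned, HashMismatch, etc. This checks the embedded
    # Authenticode signature rather than relying on the Properties dialog.
    $sig = Get-AuthenticodeSignature -LiteralPath $file

    [pscustomobject]@{
        File      = Split-Path -Leaf $file
        SHA256    = $sha256
        Report    = if ($reports.ContainsKey($sha256)) { $reports[$sha256] }
                    else { 'no posted report covers this file' }
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                    else { $null }
    }
}
```

A file whose hash matches neither report has not been looked up at all, whatever the parent installer's result shows.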
 