I received a rather urgent email from a customer today that Malware was being detected by Windows Defender on fresh images.

The first thing that was going through my mind was that we had some kind of infection in the Gold Image.

Below is a screen shot of Windows Defender in action on the initial Scan today.

Obviously, this could be quite concerning to an end user that just had a PC delivered to have Malware on it.

Where exactly did this come from? Well a few weeks back I remember that an HP Driver had a hole left in it that had a keylogger included.

http://www.zerohedge.com/news/2017-05-12/hp-laptops-discovered-be-spying-users-keylogger

It appears that on May 17th, the Definition Updates for Windows Defender were updated to include a removal for this:

It is actually quite high on the list on Microsoft’s page

https://www.microsoft.com/en-us/security/portal/threat/threats.aspx


If you click on that link you get information on the Malware: MonitoringTool:Win32/MicTrayDebugger


Here is a summary of what this Malware does. (Courtesy Microsoft)

Windows Defender AV detects and removes this threat.

This threat is a flaw in an out-of-date Conexant HD Audio Driver installation that is pre-installed on some models of HP PCs. As part of debugging code that was accidently left in by Conexant, this outdated driver can log keystrokes to a file that can be accessed by other users logged into the same PC and under some configurations can be accessed remotely by other people on your local network. It is important to note that any data logged is erased each time a user logs off or restarts their PC.

This detection removes the Conexant component that causes this keylogging. Doing so also disables the keyboard short cut that turns the microphone on and off.  The keylogging was caused by debug code that was unintentionally left by Conexant and was not meant to be included in the final shipped version. No keylogging data is sent to HP or Conexant. HP has fixes available and these fixes are installed automatically for customers who use Windows Update.  These fixes remove any logging of keys, and also automatically remove the logfile.  See their security advisory for more information.

To restore functionality of the laptop microphone shortcuts after this detection, install the latest version of the Conexant HD Audio Drivers automatically provided through Windows Update or download it from HP.COM. You can check for Windows updates manually from the following sites:

Alternatively, you can manually download and install the updates to your device from HP:

You can also refer to the following content from HP for additional information:

What we are going to do moving forward is to Remove the Conexant HD Audio Driver and find a new version that isn’t infected.

This is a major issue as so many PC’s could be infected with this.

That it is so high on Microsoft’s hit list.

Thank you Microsoft, for having our backs and getting the fix out so fast for this.

Hope this helps you,

Dave

Advertisements