Automate (Labtech) Issues

So I started testing the new EDR beta functions on my local machine and have been having the following false positives. It got so bad it even prevented me from starting the Automate Control Center on my machine, and I had to uninstall and roll back to normal.

'DynamicShellcode' exploit prevented in LTClient

'DynamicShellcode' exploit prevented in LTTray

No amount of exceptions fixes this, as the PID and Detection ID change every time. I've included the raw data for the LT Client issue, but wasn't sure who to give this to.


Mitigation   DynamicShellcode
Timestamp    2020-06-03T15:01:10

Platform     10.0.18362/x64 v321 6f_02
PID          34160
Application  C:\Program Files (x86)\LabTech Client\LTClient.exe
Created      2020-05-13T22:43:46
Modified     2020-05-13T22:43:46
Description  LTClient 3.0

Shellcode (HHA) (0x00060000 bytes)
Owner of CALLER: (anonymous; clr.dll)

OwnerModule
Name         clr.dll
Thumbprint   7a33ad00e22a53d91dd1a6f097fd37d9c8a9cd3bd512070eb7ce988aaf722733
SHA-256      8c9899bf565c54bc2ee2fa11edf9b6840f44de77f1ecb050623f7560c7bfa807
SHA-1        1fb0ebc06f188e57f410cb2961d891ddbb314880
MD5          4853b707346cfb69b2052b9a00ae55b6

09AE44F8  ffd2                     CALL         EDX
09AE44FA  c6460801                 MOV          BYTE [ESI+0x8], 0x1
09AE44FE  833d4820da7300           CMP          DWORD [0x73da2048], 0x0
09AE4505  7407                     JZ           0x9ae450e
09AE4507  50                       PUSH         EAX
09AE4508  e8737dc369               CALL         0x7371c280
09AE450D  58                       POP          EAX
09AE450E  c745e800000000           MOV          DWORD [EBP-0x18], 0x0
09AE4515  8bf8                     MOV          EDI, EAX
09AE4517  e8a49cb969               CALL         0x7367e1c0
09AE451C  8bc7                     MOV          EAX, EDI
09AE451E  8b7ddc                   MOV          EDI, [EBP-0x24]
09AE4521  897e0c                   MOV          [ESI+0xc], EDI
09AE4524  8d65f4                   LEA          ESP, [EBP-0xc]
09AE4527  5b                       POP          EBX
09AE4528  5e                       POP          ESI

----- SNIP HERE -----
AAMFAQBArgn4RK4JAACuCQBQAADkBQQAi/DotKG5aYvGi3XYiXcMjWX0W15fXcMFBACQIpoHBQQAiCKaB9CWpwdXVovxuTiWpwfoivB4+I14BIPGGLk4BQMA86VeX8MFAgCoIpoHBQQAoCKaBwCWpweLQTjDBRgAAgUDAOi7sLhpXgUCAAydpwcFBAD0AwUAAAUAAAUAAAX2ALAimgcMnacHVYvsV1ZTg+wgiUXwZIs1KA4FAgDHRdik/WZzx0XUSED3+YtGDIlF3Ilt7MdF6AUEAI1F2IlGDIvZi/qLTfDoLfXEaYtF8ItAFIsQ/3UI/3UMV1PHReAQBQMAiWXkx0Xo+kSuCcZGCAD/0sZGCAGDPUgg2nMAdAdQ6HN9w2lYx0XoBQQAi/jopJy5aYvHi33ciX4MjWX0W15fXcIIBQAABQAABQAABQAABQAABQAABQAABQAABQAABQAABdMA
----- END SNIP -----

Loaded Modules
-----------------------------------------------------------------------------
003F0000-01DDE000 LTClient.exe (), 
                  version: 
75310000-75410000 hmpalert.dll (SurfRight B.V.), 
                  version: 3.7.17.317
75110000-7514E000 SOPHOS~1.DLL (Sophos Limited), 
                  version: 10.8.7.1000
6FF60000-709B5000 System.ni.dll (Microsoft Corporation), 
                  version: 4.8.4001.0 built by: NET48REL1LAST_C
5D3E0000-5D583000 System.Drawing.ni.dll (Microsoft Corporation), 
                  version: 4.8.3752.0 built by: NET48REL1
5A9A0000-5B806000 System.Windows.Forms.ni.dll (Microsoft Corporation), 
                  version: 4.8.4150.0 built by: NET48REL1LAST_C
6F1E0000-6F9F8000 System.Core.ni.dll (Microsoft Corporation), 
                  version: 4.8.4180.0 built by: NET48REL1LAST_B
5BED0000-5C2EB000 WindowsBase.ni.dll (Microsoft Corporation), 
                  version: 4.8.4180.0 built by: NET48REL1LAST_B
60130000-6025F000 CefSharp.Core.dll (), 
                  version: 57.0.0
0FC60000-13D73000 libcef.dll (), 
                  version: 3.2987.1601.gf035232
76E70000-76E7D000 UMPDC.dll (), 
                  version: 
600B0000-60124000 chrome_elf.dll (The Chromium Authors), 
                  version: 57.0.2987.133
70BF0000-70CF5000 System.Configuration.ni.dll (Microsoft Corporation), 
                  version: 4.8.3752.0 built by: NET48REL1
6EA60000-6F1D4000 System.Xml.ni.dll (Microsoft Corporation), 
                  version: 4.8.3752.0 built by: NET48REL1
59C10000-5A84C000 PresentationCore.ni.dll (Microsoft Corporation), 
                  version: 4.8.4180.0 built by: NET48REL1LAST_B
57940000-58D25000 PresentationFramework.ni.dll (), 
                  version: 
575F0000-577F3000 System.Xaml.ni.dll (Microsoft Corporation), 
                  version: 4.8.4180.0 built by: NET48REL1LAST_B
60060000-600A7000 System.Numerics.ni.dll (Microsoft Corporation), 
                  version: 4.8.3752.0 built by: NET48REL1
70DF0000-70F68000 SophosAmsiProvider.dll (Sophos Limited), 
                  version: 1.3.237.0

Process Trace
1  C:\Program Files (x86)\LabTech Client\LTClient.exe [34160]
2  C:\Windows\explorer.exe [10504]
3  C:\Windows\System32\userinit.exe [10316]
4  C:\Windows\System32\winlogon.exe [104]
winlogon.exe
5  C:\Windows\System32\smss.exe [920]
\SystemRoot\System32\smss.exe 000000e8 00000084 
6  C:\Windows\System32\smss.exe [608]
\SystemRoot\System32\smss.exe

Thumbprint
54ce4109bfd09310394331cd311a82ceb4b7b83e540307f4289f3cda924688a1
Module based thumbprint
7a33ad00e22a53d91dd1a6f097fd37d9c8a9cd3bd512070eb7ce988aaf722733
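The report above mixes values that differ on every detection (PID, timestamp) with identifiers that stay constant for the same binary (application path, owner module name, thumbprint, SHA-256), and its "Owner of CALLER: (anonymous; clr.dll)" line is the signature of JIT-compiled .NET code living in anonymous executable memory. The following Python is an added triage example, not code from the thread or from Sophos; it parses a report in this format, separates the two groups of fields, and flags that managed-JIT pattern. The sample report is constructed from the post's own data, and no Sophos exclusion syntax is modelled.

```python
"""Triage a 'DynamicShellcode' mitigation report: separate per-detection
values from identifiers that stay stable for the same binary, and flag the
caller-owned-by-clr.dll pattern produced by the .NET JIT."""
import re

# Constructed sample, condensed from the report pasted in the post.
SAMPLE_REPORT = """\
Mitigation   DynamicShellcode
Timestamp    2020-06-03T15:01:10
PID          34160
Application  C:\\Program Files (x86)\\LabTech Client\\LTClient.exe

Shellcode (HHA) (0x00060000 bytes)
Owner of CALLER: (anonymous; clr.dll)

OwnerModule
Name         clr.dll
Thumbprint   7a33ad00e22a53d91dd1a6f097fd37d9c8a9cd3bd512070eb7ce988aaf722733
SHA-256      8c9899bf565c54bc2ee2fa11edf9b6840f44de77f1ecb050623f7560c7bfa807
"""

VOLATILE = {"PID", "Timestamp"}                           # change every time
STABLE = {"Application", "Name", "Thumbprint", "SHA-256"}  # identify the binary

# 'Key<2+ spaces>Value' header lines; single-spaced lines are left alone.
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s{2,}(\S.*)$")
CALLER_RE = re.compile(r"^Owner of CALLER:\s*\((.*?)\)$", re.M)


def parse_report(text):
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line.rstrip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def triage(text):
    """Split fields into volatile/stable and test for the managed-JIT pattern."""
    fields = parse_report(text)
    m = CALLER_RE.search(text)
    owners = [p.strip() for p in m.group(1).split(";")] if m else []
    # Anonymous executable memory owned via clr.dll is what the .NET JIT emits.
    managed_jit = "anonymous" in owners and "clr.dll" in owners
    return {
        "mitigation": fields.get("Mitigation"),
        "volatile": {k: fields[k] for k in VOLATILE if k in fields},
        "stable": {k: fields[k] for k in STABLE if k in fields},
        "likely_managed_jit": managed_jit,
    }
```

The "stable" group is what belongs in a support ticket or exclusion request; the "volatile" group is why excluding by PID never sticks.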
  • Hi Ronan,

    I will send you a PM about the detections that you have seen for a few weeks; we will be addressing those soon. 

    Regarding the more recent issue with Automate not opening:

    - is this on Clients or Servers?
    - what version of Intercept X is running on the affected devices?
    - are the affected devices in the Early Access Program (EAP)?
    - does the issue resolve itself if you remove the device from the EAP?

    Has anyone else in this thread who had detections against Automate now seen issues with it not opening?

    Regards,

    Stephen

  • - is this on Clients or Servers?

    Client

    - what version of Intercept X is running on the affected devices?

    2.0.17 BETA

    - are the affected devices in the Early Access Program (EAP)?

    Yes

    - does the issue resolve itself if you remove the device from the EAP?

    I can turn off "Dynamic shellcode protection" and all works. But would like to keep the machines as secure as possible.