False Positive? CryptoGuard detected ransomware in WINWORD.EXE

We just received an alert for one of our machines: CryptoGuard detected ransomware in C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

However, we can find no evidence of ransomware and believe this is a false positive. Has anyone else had issues with WINWORD.EXE? 

  • Hi,

    Can you provide the details from the event log? You're looking for event ID 911 in the Application event log.

    Regards,

    Jak

  • In reply to jak:

    Mitigation CryptoGuard

    Platform 6.1.7601/x64 v593 06_3f
    PID 6484
    Application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Description Microsoft Word 14

    Filename C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

    \Device\Mup\domain.local\Shares\folder\~$filename.docx
    \Device\Mup\domain.local\Shares\folder\~$filename.docx
    \Device\Mup\domain.local\Shares\folder\~$filename.docx


    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [6484]
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "\\domain.local\Shares\folder\filename.docx"
    2 C:\Windows\explorer.exe [6736]
    3 C:\Windows\System32\userinit.exe [9012]
    4 C:\Windows\System32\winlogon.exe [6180]
    winlogon.exe
    5 C:\Windows\System32\smss.exe [6360]
    \SystemRoot\System32\smss.exe 00000000 00000048
    6 C:\Windows\System32\smss.exe [356]
    \SystemRoot\System32\smss.exe
    7 [4]

    Thumbprint
    caeb57822b00e79db13bf82c0dfe9ea02a3b138d02d953058cf89a29da7077c2

  • We just had the same thing happen; opening a PDF in Word 2010 triggers it.