Anti-VM "Attack Intercepted"

I recently downloaded the NETGEAR ProSAFE utility to configure a new switch that was just purchased.

Upon trying to install it, Sophos Intercept X advises that it's intercepted an attack. The information provided was "Anti-VM" - I could provide more data as well if needed.

The intercept notification also advises that no malicious files were detected, and a scan of the file in question turns up clean.

So my questions are: What is an "anti-VM" detection and how serious is this? All scans come up clean - yet this has occurred - so should I be concerned and/or should this machine be nuked to be safe?

  • Hello  

    We've seen this kind of detection on a previous version of Exploit Prevention. When malware with Anti-VM techniques (so-called ‘vm-aware’ or ‘sandbox-aware’ malware) detects a virtual machine, it will refuse to run because it assumes it is running inside a malware analyst’s automated sandbox or honeypot – the malware will simply self-terminate to conceal its hostile intentions. The Anti-VM test usually probes for a guest-to-host communication port used by virtualization software. 

    A previous post described Anti-VM on HMP test tool

    I'd like to know which Sophos product you are specifically using - is this on-premise or Sophos Central?

    Also, could you send us the C:\ProgramData\HitmanPro.Alert\Logs\sophos.log file and let us know the timestamp when the detection occurred, so that we have more information on the detection?

    Thanks!

  • In reply to DianneY:

    On a fresh reinstall of the OS and downloading the same file I observed the same alert.

     

    Mitigation   Anti-VM
    Timestamp    2019-12-03T09:37:05

    Platform     10.0.17763/x64 v368 06_9e
    PID          6956
    Application  C:\Users\[removed for privacy]\Downloads\ProSAFE_Plus_Utility 2.7.7\ProSAFE Plus Utility 2.7.7.exe
    Created      2019-01-04T18:27:12
    Modified     2019-12-03T09:21:21
    Description  Setup Launcher 2.7.7

    VMware
    Loaded Modules
    -----------------------------------------------------------------------------
    00400000-004F2000 ProSAFE Plus Utility 2.7.7.exe (NETGEAR                 ),
                      version: 2.7.7                                   
    75350000-7543F000 hmpalert.dll (SurfRight B.V.),
                      version: 3.7.13.1456
    10000000-101B4000 ISSetup.dll (Acresso Software Inc.),
                      version: 16.0.436
    06BD0000-06C71000 ISRT.dll (Acresso Software Inc.),
                      version: 16.0.432
    06D40000-06DC9000 _isres_0x0409.dll (Acresso Software Inc.),
                      version: 16.0.328

    Process Trace
    1  C:\Users\[removed for privacy]\Downloads\ProSAFE_Plus_Utility 2.7.7\ProSAFE Plus Utility 2.7.7.exe [6956]
    2  C:\Windows\explorer.exe [2060]
    3  C:\Windows\System32\userinit.exe [3532]

    Thumbprint
    75d41ac877595bfe4d5aa74bdf74984244bf02bd831244568845a1a4b79d7253
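
Added example, not part of the thread and not Sophos code: this Python parser reads an alert in the layout posted above into its header fields, loaded modules, process trace and thumbprint, then lists the modules loaded besides the flagged executable and hmpalert.dll so they can be reviewed during triage. The sample record is constructed with placeholder values, and `parse_alert` and `third_party_modules` are hypothetical helper names.

```python
import re

# Constructed sample in the layout of the alert posted above; all values are placeholders.
SAMPLE = r"""
Mitigation   Anti-VM
Application  C:\Users\example\Downloads\setup.exe
Loaded Modules
-----------------------------------------------------------------------------
00400000-004F2000 setup.exe (Example Vendor          ),
                  version: 1.0.0
75350000-7543F000 hmpalert.dll (SurfRight B.V.),
                  version: 3.0.0
10000000-101B4000 helper.dll (Example Installer Inc.),
                  version: 16.0.436
Process Trace
1  C:\Users\example\Downloads\setup.exe [1234]
2  C:\Windows\explorer.exe [2060]
Thumbprint
SHA256-PLACEHOLDER
"""

FIELD = re.compile(r"^(Mitigation|Timestamp|Platform|PID|Application|Created|Modified|Description)\s+(.*)$")
MODULE = re.compile(r"^([0-9A-Fa-f]{8})-([0-9A-Fa-f]{8})\s+(.+?)\s+\((.*?)\s*\),?$")
TRACE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")

def parse_alert(text):
    """Split one alert record into header fields, modules, process trace and thumbprint."""
    alert = {"fields": {}, "modules": [], "trace": [], "thumbprint": None}
    section = None  # header fields come before the first named section
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Loaded Modules", "Process Trace", "Thumbprint"):
            section = line
        elif section == "Loaded Modules" and (m := MODULE.match(line)):
            alert["modules"].append({"base": m[1], "name": m[3], "vendor": m[4], "version": None})
        elif section == "Loaded Modules" and line.startswith("version:") and alert["modules"]:
            alert["modules"][-1]["version"] = line.split(":", 1)[1].strip()  # continuation line
        elif section == "Process Trace" and (m := TRACE.match(line)):
            alert["trace"].append((m[2], int(m[3])))  # (image path, PID), child first
        elif section == "Thumbprint" and line:
            alert["thumbprint"] = line
        elif section is None and (m := FIELD.match(line)):
            alert["fields"][m[1]] = m[2]
    return alert

def third_party_modules(alert):
    """Modules other than the flagged executable and HitmanPro.Alert's own hmpalert.dll."""
    app = alert["fields"].get("Application", "").rsplit("\\", 1)[-1].lower()
    return [m for m in alert["modules"] if m["name"].lower() not in (app, "hmpalert.dll")]
```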

  • In reply to Oli Mar:

    Hello  

    Thanks for the information. Have you submitted a sample of the installer to Sophos Labs, or are you working with Support on this issue? If you are, please DM me the ticket number so I can follow accordingly and post any updates.