Trojan detected inside “logrotate_run.exe” file of release 2.20 for Windows

  • KM02760363
  • 27-Mar-2017
  • 27-Mar-2017

Summary

This article lists the details of the issue affecting the HPE Software product "Mobile Center", titled “Trojan detected inside “logrotate_run.exe” file of release 2.20 for Windows”.

Question

Mobile Center: Trojan detected inside “logrotate_run.exe” file of release 2.20 for Windows

HPE has investigated the Trojan detection reported on the Windows release of Mobile Center 2.20. This document describes the actions that must be performed to mitigate this issue.

Affected Releases: 2.20

ACTION: Review all details in the instructions provided in this document to address the vulnerability.

HPE SW recommends addressing this information as soon as possible.

Answer

Mobile Center

HPE Mobile Center release 2.20 distributes an executable named “logrotate_run.exe” as part of its installation package. This executable packages the log files generated while the Mobile Center service runs on Microsoft Windows into archive files, in order to reduce disk usage.

The latest version of McAfee antivirus (VirusScan Enterprise 8.8, DAT version: 8451, Engine 5800.7501) detects this executable as a Trojan, although Windows Defender does not detect it. The executable performs advanced operations, including the execution of an embedded batch script, which can be interpreted as a common Trojan mechanism, but this does not expose the machine to any vulnerability.

Mitigation Actions

You can avoid being impacted by the Trojan detection on the Windows release of Mobile Center 2.20 in the following ways:

1. If you have not yet run the installation package (for an upgrade or an initial installation), you must download the updated ISO of Mobile Center 2.20.

2. If you have already installed Mobile Center 2.20, you must remove the problematic file by executing specific script commands.

1. Download the new ISO of Mobile Center 2.20

You can download the updated ISO of Mobile Center 2.20 for Microsoft Windows via the HPE SaaS website.

2. Remove the “logrotate_run.exe” file

If you have already installed Mobile Center 2.20 for Microsoft Windows and the file “logrotate_run.exe” has been deleted by the antivirus, you can restore the original behavior of Mobile Center by applying the following operations:

  • Create a new batch file named “patch.bat” inside the installation folder “<MC install dir>\server” (for Mobile Center Server) or “<MC install dir>\connector” (for Mobile Center Connector).

  • Edit this new file with Notepad or any text editor, and type the following content:

@echo off
rem %~dp0 is the folder containing this script and already ends with a backslash.
set "LOGROTATE_DIR=%~dp0logrotate"
rem Delete the flagged executable if the antivirus has not already removed it.
del /Q /F "%LOGROTATE_DIR%\logrotate_run.exe" >nul 2>&1
rem Recreate the "logrotate" task so that it runs logrotate.exe every 5 minutes as SYSTEM.
schtasks.exe /delete /F /TN "logrotate" >nul 2>&1
schtasks.exe /create /SC MINUTE /MO 5 /RU "system" /TN "logrotate" /TR "'%LOGROTATE_DIR%\logrotate.exe' '%LOGROTATE_DIR%\logrotate.conf'" >nul 2>&1
IF ERRORLEVEL 1 GOTO error
echo Mobile Center installation successfully updated.
GOTO end
:error
echo Failed to update Mobile Center installation.
:end

  • Launch this new batch file via “Run as administrator”.

  • After completion, you can delete this file.
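
To confirm the result of patch.bat, the following PowerShell check can be run from an elevated prompt. It is an added example, not part of HPE's instructions. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later), and the script name and the -InstallDir parameter are hypothetical: pass the folder in which patch.bat was run.

```powershell
# Verify-LogrotatePatch.ps1 (hypothetical name): added verification example, not HPE code.
# Assumption: -InstallDir is "<MC install dir>\server" or "<MC install dir>\connector".
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallDir
)

$logrotateDir = Join-Path $InstallDir 'logrotate'
$problems = @()

# 1. The flagged executable must be gone; the files the new task needs must exist.
if (Test-Path (Join-Path $logrotateDir 'logrotate_run.exe')) {
    $problems += 'logrotate_run.exe is still present'
}
foreach ($name in 'logrotate.exe', 'logrotate.conf') {
    if (-not (Test-Path (Join-Path $logrotateDir $name))) {
        $problems += "$name is missing from $logrotateDir"
    }
}

# 2. The "logrotate" task (created in the root folder by schtasks /TN "logrotate").
$task = Get-ScheduledTask -TaskPath '\' -TaskName 'logrotate' -ErrorAction SilentlyContinue
if (-not $task) {
    $problems += 'scheduled task "logrotate" does not exist'
} else {
    # Compare on the whole command line: the quoted path and argument passed to
    # /TR may be stored in either the Execute or the Arguments field.
    $commandLines = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
    if ($commandLines -match 'logrotate_run\.exe') {
        $problems += 'task references logrotate_run.exe'
    }
    if (-not ($commandLines -match 'logrotate\.exe')) {
        $problems += 'task does not run logrotate.exe'
    }
    # patch.bat registers the task with /RU "system" ...
    if ($task.Principal.UserId -notin 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18') {
        $problems += "task runs as '$($task.Principal.UserId)', expected SYSTEM"
    }
    # ... and /SC MINUTE /MO 5, which is stored as a PT5M repetition interval.
    $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval })
    if ($intervals -notcontains 'PT5M') {
        $problems += 'task is not set to repeat every 5 minutes'
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host 'OK: logrotate_run.exe removed and "logrotate" task runs logrotate.exe'
```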