Malware with Crimson? Or False-Positive? - AMDJoe

Discussion in 'Videocards - AMD Radeon Drivers Section' started by Blackfyre, Nov 28, 2015.

  1. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,384
    Likes Received:
    387
    GPU:
    RTX 3090
    EDIT: The thread was closed and I just got it opened. Please if you want to comment, make sure you've at least read the main post, and a few comments to see if what you're saying has already been said and answered. The 'Original Post' is highlighted below in BLUE, and I will be adding some updates below that in RED. Please read the Updates before commenting.

    Hi Everyone,

    I'm 99.9% sure this is a false-positive.

    Just ran Malwarebytes Anti-Malware and here is an image showing Shader Cache being recognized as Malware.

    https://www.dropbox.com/s/zgd9j9glbsh1z3r/Screenshot%202015-11-29%2003.20.18.png?dl=0

    Can someone else please run it too to confirm whether or not this is an independent issue happening on my part, or whether it's being recognized as Malware for everyone?

    If so, is there data being transferred back to AMD via the driver suite? And if so why weren't we told about this?

    :puke2:

    I also just realized having looked at the image, this is pointing towards the wrong directory... Not where Shader Cache should be. Does anyone else have this directory?

    :bang:

    I'm going to remove it and restart my computer anyway.


    UPDATES:

    Update #001: To duplicate the issue, make sure you're running Windows 10 (updated) and you have Shader Cache forced (enabled) globally. In order to do so, you have to be using a third-party app like RadeonMod or editing the registry yourself. Then play a few games that don't have profiles in AMD Settings so that Shader Cache files are written obviously; so run about 8 games, run around for a bit, fast travel, etc. Then run Malwarebytes Anti-Malware on your OS Drive. Use the free-version of the program, no need to run the trial.

    NOTE: I am baffled that even after two pages some commented saying "why would you even use a third-party app, just apply per profile"... It has already been well documented that AMD Radeon Settings (formerly known as CCC) doesn't force enable Shader Cache for "unsupported" games. Nor does leaving it on "AMD Optimized" globally mean that it is enabled; that just means it'll work for supported games like Witcher 3.

    Hopefully AMD fixes this issue soon.

    30th November, 2015 - Update #002: Thanks to PrMinisterGR for looking deeply into the issue. We have found that "Malwarebytes detects the shader as a trojan, because it contains code created by LogonUI (its shaders), and it's being packed in System32. LogonUI itself is a critical system component and a primary target for viruses and especially trojans. So when Malwarebytes detects a file "feeding" code to LogonUI, it flags it. The location itself must be the location for shaders created by processes that are neither the system Administrator, nor a simple user" (Posts #7 & #23 below show the details).

    10th of December, 2015 - Update #003: We have established that it is 99.9% not Malware (only because we cannot be 100% certain about anything, but it's pretty much 100%). It is just an issue that AMD needs to fix sooner or later. And if you're hearing this AMD, we hope you use the black-listing method rather than the white-listing method.

    Again I NOTE, to test if you can duplicate the issue, after enabling Shader Cache globally you need to obviously play some DX10-DX11 games so that Shader Cache files write to System32 before you go checking for the directory.

    I will write further updates here if necessary.
     
    Last edited: Dec 9, 2015
  2. theoneofgod

    theoneofgod Ancient Guru

    Messages:
    4,677
    Likes Received:
    287
    GPU:
    RX 580 8GB
    I wasn't aware of the shaders being in System32 as well as appdata. Are they a copy of what's in appdata?
     
  3. JonasBeckman

    JonasBeckman Ancient Guru

    Messages:
    17,564
    Likes Received:
    2,961
    GPU:
    XFX 7900XTX M'310
    They aren't, no idea what's going on in that above image, almost like "appdata" somehow ended up in the Windows folder?
    (There's no "P" folder in system32 by default either, something's strange with that too.)
     
  4. Undying

    Undying Ancient Guru

    Messages:
    25,206
    Likes Received:
    12,611
    GPU:
    XFX RX6800XT 16GB
    C:\Windows\System32\P

    I don't have that folder.
     

  5. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    8,125
    Likes Received:
    969
    GPU:
    Inno3D RTX 3090
    I do have that folder and the contents are not the same as the AppData folder either.
    [IMG]

    I ran a scan with a fully updated Malwarebytes and I got the same results for the bin file.
    [IMG]

    I don't have any weird startup items, and I don't have anything weird or out of place starting from Task Scheduler. I have the Shader Cache universally enabled through RadeonMod, that's it.
     
  6. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,384
    Likes Received:
    387
    GPU:
    RTX 3090
    Yeah me too man, my computer is scanned fully once a week. In fact the only program/app that was installed was the official AMD Crimson Driver from AMD's website. If everyone remembers I didn't even install the BETA drivers that were posted by Guru3D just "in-case" they weren't official.

    I keep my PC secure too.

    I was skeptical when the first few people commented saying they did not have it, thinking it was my fault somehow. And I still am skeptical. This could very well be something that AMD did intentionally. But I would like to know (an official response hopefully) if any DATA is actually being transferred back to AMD from those folders?

    By the way, the original directory of Shader Cache in AppData is there, the System32 one is an extra hidden folder which I only found out about after running a full scan by Malwarebytes Anti-Malware.

    If we can get Wagnard to have a look at that folder too, and maybe someone who can check whether anything from that folder is actually being uploaded to AMD via the drivers (Wagnard should add the directory for it to be removed by DDU if we confirm this comes with official AMD drivers). Because Malwarebytes usually doesn't pick up "RED Marked" malware if they're not uploading to a server (or have within them the capability to do so).
     
    Last edited: Nov 28, 2015
  7. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    8,125
    Likes Received:
    969
    GPU:
    Inno3D RTX 3090
    I'm running a full scan on everything on my system, to see what the source of this might be.

    I copy pasted the file from System32 (if it is in System32, I can't even read it or set myself as the owner apparently...).

    I opened it with Notepad++ just to check the header, this is what I get:

    [IMG]

    EDIT: Below it's the same file opened in a Hex editor. This is where my personal knowledge about it stops. You see here all the parts that are not zeroes. The account that owns the file is unknown, and I am apparently unable to change it. Haven't tried restarting though. I can only open the file if I copy it from inside the original folder.

    [IMG]

    Seems like a binary dump of some kind, and that's AMD's name in the header. That could mean nothing though. It would be nice if Wagnard could take a look. I also wonder what happens if I delete it, I'm not even sure I can. If this is some kind of data sending mechanism that is not transparent, I won't be able to believe the stupidity of the person deciding it.

    On the other hand, we have no concrete data except a detection that might as well be a false positive.

    Since this forum (supposedly) has official AMD representation, someone please speak up.

    EDIT: Virus Total gives it a clean pass, if I send them the file I copy on the desktop. When Malwarebytes scans the file in System32 it detects a trojan. The weirdest part is that I can't seem to be able to own the file as a user. When I attempt it, it seems to be working inside the advanced security popup; once that closes I don't even have read permissions.
    I noticed something else. The one file I have and the one you have, they both have the same name.
    Code:
    397932d0add511f4d66e1ad805d18765c0bf23ad7238ee13..bin
    After restarting the file gets recreated with the exact same name, in the same spot and it still gets detected as malware. When copied on the desktop and scanned again, the file doesn't get detected as malware.

    The problem is that I can't even get effective access permissions to the file in the original location, no matter what I do.

    [IMG]
     
    Last edited: Nov 28, 2015
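The checks PrMinisterGR describes in the post above (looking at the header bytes, submitting a copy to VirusTotal, and noticing that the copied file is not detected while the original in System32 is) can be made repeatable with a small script. The following is an added example, not code from this thread, from AMD or from Malwarebytes. It runs on a constructed in-memory blob with a hypothetical "AMD" marker rather than the real .bin file, and all function and variable names are my own.

```python
from __future__ import annotations

import hashlib
import re
import sys

# Constructed sample blob standing in for the shader-cache .bin discussed in
# the thread: an "AMD" marker and a few short strings in a sea of zero bytes.
# This is hypothetical content, not the real file.
SAMPLE_BLOB = (
    b"AMD\x00SHADER\x00" + bytes(64) + b"ver1.0\x00" + bytes(32) + b"end\x00"
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the bytes: the value to look up on VirusTotal instead of
    uploading the file itself."""
    return hashlib.sha256(data).hexdigest()


def hexdump(data: bytes, length: int = 32, width: int = 16) -> str:
    """Offset / hex / ASCII view of the first `length` bytes, the same view a
    hex editor shows for the header."""
    lines = []
    for off in range(0, min(length, len(data)), width):
        chunk = data[off:off + width]
        hexs = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexs:<{width * 3}} {text}")
    return "\n".join(lines)


def printable_strings(data: bytes, min_len: int = 3) -> list[str]:
    """Runs of printable ASCII of at least `min_len` bytes (what the `strings`
    tool would print); vendor names and format markers show up here."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def nonzero_fraction(data: bytes) -> float:
    """Share of bytes that are not zero; a mostly-zero file is a sparse data
    dump rather than packed code."""
    if not data:
        return 0.0
    return sum(1 for b in data if b) / len(data)


def triage(data: bytes) -> dict:
    """Collect the quick, non-destructive facts about a suspicious file."""
    return {
        "sha256": sha256_hex(data),
        "size": len(data),
        "nonzero_fraction": round(nonzero_fraction(data), 3),
        "strings": printable_strings(data),
        "header": hexdump(data),
    }


def same_content(a: bytes, b: bytes) -> bool:
    """True when two copies are byte-identical. If a scanner flags one copy and
    not the other, the verdict depends on location or access rights rather
    than on the bytes, which is the situation described in the thread."""
    return sha256_hex(a) == sha256_hex(b)


if __name__ == "__main__":
    # With a path argument the script triages that file; without one it runs
    # on the constructed sample so the output can be seen offline.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    report = triage(data)
    for key, value in report.items():
        print(f"{key}:\n{value}" if key == "header" else f"{key}: {value}")
```

Run it once against the copy on the desktop and once against the file in its original location (from an elevated prompt, since the original is not readable as a normal user according to the post); if `same_content` is true for the two reads, the scanner's different verdicts are about where the file sits and who can open it, not about its contents, which is the same conclusion the thread reaches by hand.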
  8. MerolaC

    MerolaC Ancient Guru

    Messages:
    4,359
    Likes Received:
    1,073
    GPU:
    AsRock RX 6700XT
    I'm on Windows 7
    I don't have a "P" folder in System32.

    I've downloaded the drivers directly from AMD.com
    Will download the Guru3D ones and do a checksum check.
     
  9. JonasBeckman

    JonasBeckman Ancient Guru

    Messages:
    17,564
    Likes Received:
    2,961
    GPU:
    XFX 7900XTX M'310
    Shame the files don't contain the exe name, would help narrowing down which program that shader cache file corresponds to and maybe help figuring out why it's placed in the system32 folder.
    (I guess trying to match the prefetch folder times to the modified date of the shader file might possibly work to see which program is behind it unless it's something triggered by e.g. rundll32 or some such.)
     
  10. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    8,125
    Likes Received:
    969
    GPU:
    Inno3D RTX 3090
    I'm on Windows 10 TH2 cleanly installed from a Microsoft ISO downloaded with the Microsoft Media Creation tool. Nothing else gets detected. The drivers were downloaded directly from AMD. Those file permission errors along with the file only being detected when it's sitting in System32 make it so, so weird.
     

  11. mystik

    mystik Active Member

    Messages:
    50
    Likes Received:
    13
    GPU:
    Sapphire 6900xt N+
    Chiming in and saying that I'm on Windows 7 and don't have this dir in my windows.

    So it's possibly a Windows 10 thing and MWB is most likely detecting it as a trojan because it can't actually get permission to even scan the file, so it's flagging it.
     
  12. The Mac

    The Mac Guest

    Messages:
    4,404
    Likes Received:
    0
    GPU:
    Sapphire R9-290 Vapor-X
    Win10 here, no amd or p directory in system32.

    only installed the whqls
     
  13. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    8,125
    Likes Received:
    969
    GPU:
    Inno3D RTX 3090
    To everyone who doesn't get that directory: Do you have global ShaderCache enabled?
     
  14. The Mac

    The Mac Guest

    Messages:
    4,404
    Likes Received:
    0
    GPU:
    Sapphire R9-290 Vapor-X
    yes, amd optimized

    and forced on in individual profiles.
     
  15. Undying

    Undying Ancient Guru

    Messages:
    25,206
    Likes Received:
    12,611
    GPU:
    XFX RX6800XT 16GB
    You mean via RadeonMod? No but maybe that has something to do with it.

    If you think via Crimson driver then yes, global amd optimized.
     

  16. mystik

    mystik Active Member

    Messages:
    50
    Likes Received:
    13
    GPU:
    Sapphire 6900xt N+
    I have ShaderCache enabled (forced "always on" via RadeonMod).
     
  17. MerolaC

    MerolaC Ancient Guru

    Messages:
    4,359
    Likes Received:
    1,073
    GPU:
    AsRock RX 6700XT
    Global, no, I can't set it within Radeon Settings and don't want to use RadeonMod for that.
    Per game, yes. Some. (3 or 4)
     
  18. Blackfyre

    Blackfyre Maha Guru

    Messages:
    1,384
    Likes Received:
    387
    GPU:
    RTX 3090
    First of all thanks a lot for this detailed look at the files, which confirms they are indeed AMD files at least... Secondly;

    I have Shader Cache force enabled via RadeonMod too (aka globally).

    I am going to sleep. Hopefully someone finds the cause of this... maybe this is why AMD hasn't allowed us to enable Shader Cache globally officially?

    :3eyes: :3eyes: :3eyes: :3eyes:

    PS: Windows 10 Pro X64 - Build 10586 - Up to date.

    Clean installed via Burnt ISO through Media Creation Tool prior to Microsoft removing it.
     
  19. theoneofgod

    theoneofgod Ancient Guru

    Messages:
    4,677
    Likes Received:
    287
    GPU:
    RX 580 8GB
    I have the Shader Cache on globally but no P directory in System32. It could be specific application(s) needing it to be in the System32 for some reason. I don't allow AMD network access so that could be another reason. What else is in P/AMD?

    Team Viewer has shaders cached (or something connected to it). I think Skype does too when set on globally.
     
  20. JonasBeckman

    JonasBeckman Ancient Guru

    Messages:
    17,564
    Likes Received:
    2,961
    GPU:
    XFX 7900XTX M'310
    No "p" folder in system32, used RegEdit to enable shader cache globally.
    (Sure that means it caches stuff like Steam/Uplay/Origin/Battle.net but it's just shaders so what harm could there be.)
     
