What is UserInitMprLogonScript Registry Key Used For Persistence

[marjetika]

Immunet just gave me this popup. (Actually, it's 2, but they are identical)

It says "Behavioral protection detected malicious activity [UserInitMprLogonScript Registry Key Used For Persistence].
No remediation actions were taken."

What is it and what can I do?

 

There's one thing in my "Quarantined files" section:

I immediately did a flash scan, which came out clean. Now I'm running a full scan.

Interestingly, if I go to "scan history", it appears as if there were no scans before today, and my scheduled scans are gone. Just a minor inconvenience, but I thought I'd mention, in case it could possibly be relevant.

I was running Outlook app, Google Chrome, and Slack on my PC when that happened. I bought a bigger hard drive a couple months ago and removed the old one. So, I started with a fresh installation of Windows 10 very recently, and the first thing I installed was Immunet.

[ritchie58]

Hello again marjetika,

There is a new 7.4.2.20335 build being pushed to compatible users through the UI so perhaps some of the history.db files were deleted during that process if you received the update. I've noticed that my Summery data has been cleared after the update as well. Something else I noticed, after updating if you were using the Immunet Desktop icon it will no longer be functional since (apparently) the file path has been changed.

You can simply mouse over the word 'About' in the lower right hand corner of the UI to find out what build you're currently running.

Mmm. I would consider that rather odd behavior.

Do you know if this .tmp file is associated with some sort of password manager you may be using or did these detections happen while attempting to log onto Slack? You can click on the file and see if there's any additional data in the 'Details' dialog box.

Also, if you're already fairly certain this is a False Positive our FP reporting site seems to be up & running again at this link. http://www.immunet.com/false_positive
If you do submit a FP report and have any difficulties uploading the data please let me know.

Regards, Ritchie...

[marjetika]

Hello Ritchie,

Thanks for replying so fast.

Yes, I have 7.4.2.20335 build. It says it was updated earlier today.

I logged into Slack a few days ago, and it was running in the background. I check the messages a few times a day.

I have no idea what that .tmp file was. It's not there any more. It's this cryptic Clam.Html.Exploit.CVE_2016_3271-2 that keeps popping up every now and then. And the date on it is 3/20, so, 5 days ago.

The "Behavioral protection detected malicious activity [UserInitMprLogonScript Registry Key Used For Persistence].
No remediation actions were taken." that started this thread happened today, between 1-2 hours before I posted. (I tried googling first and didn't find anything useful)

 

[ritchie58]

Thanks for the additional info marjetika! That is helpful.

It looks like the ClamAV module detected what it thought was possible malicious activity with your browser using an HTML exploit. After some investigation this logonscript/registrykey code string can sometimes actually be used for malicious proposes. It depends on the web site if it's legit or not. 

Since this is a ClamAV detection I would suggest you submit a FP report directly to that team instead, if you do absolutely trust that site that is. https://www.clamav.net/reports/fp