asim Posted May 29, 2022

I have some domain-joined machines (test environment), and a couple of days ago I noticed that Chrome had been updated on all VMs through our central endpoint management software (ManageEngine Desktop Central), but one VM in particular (Windows 2012 R2, Active Directory PDC, fully patched) did not update Chrome to 102 and threw an error when I tried updating manually:

An error occurred while checking for updates: The installer encountered error 124. (error code 7: 0x80040902: 124 - system level). Learn more. Version 101.0.4951.67 (Official Build) (64-bit)

I checked DNS; the VM was able to reach the internet fine and nothing was being blocked. I couldn't fix it in any way. I then downloaded the Chrome offline installer/update file from the internet manually and tried installing the update. It threw the same error 124, but in a different type of dialog box, and then Immunet showed this notification and said it had quarantined setup.exe (even though the file I was installing was still showing up in File Explorer; maybe that update.exe software package had setup.exe in it, I don't know). I downloaded the update file from google.com, so nothing can go wrong there.

Anyway, afterwards Chrome stopped working and I could not install the updated Chrome in any way possible. The offline installer would say there's an error. The online installer/update.exe would throw this notification in Immunet:

Clam.win.dropper.sykipot-990505-0 102.0.5005.63_chrome_installer.exe

Now, I looked at the other VMs, and those VMs started throwing the same Immunet error; it blocked Chrome and I could not reinstall it no matter what. So, here's what I've done, hoping to recover from/fix this issue.

1. Considering it's malware and spread through all domain-joined PCs, including that ManageEngine VM, I reverted all VMs to a previous state, i.e. 12 days ago, but as soon as those machines started talking to the internet and got the update, they started doing the same thing.

2. One of the VMs was 2016 and was offline, i.e. not connected to the internet; that one worked fine, probably because Immunet was not updated to the latest version (I think). As soon as I brought that VM online (connected it to the internet), this whole thing happened again and I couldn't use/update Chrome.

3. I thought it could be due to Windows 2016 R2, so I installed a new 2016 VM and installed Chrome and Immunet. It worked fine: connected to the internet, everything good. I also have a couple of machines with the same setup (not domain-joined) and Immunet version 7.5.0.20795, but they never showed this error; Chrome updated and everything works like a charm. These two things

4. One other thing I noticed is that the VMs worked fine as long as they stayed offline, i.e. disconnected from the internet. As soon as one is connected to the internet, this whole thing collapses and I can't use Chrome anymore with version 102.

I'm literally pulling my hair out because all the VMs are unusable. I cannot figure out where exactly the issue is. I know that if I bring down Immunet everything will work fine, the way it's supposed to. But am I really infected, or is it a false positive? If I'm infected, then how can my 12-day-old images be infected? I also have 1-month-old backups of the VMs, so I'm hoping to revert to those backups in case nothing works, but if that also throws the same error I don't know how I can get around this.

I'm attaching a screenshot where the VM was restored to its 12-day-old state; Chrome is version 101 and can't update due to that error. If I uninstall Chrome and install version 102, it will not let me install version 102.

Thanks in advance,
ASIM
asim (Author) Posted May 29, 2022

Now, I don't know if it's a false positive or not, but a quick Google search shows Sykipot is serious malware. My other question: why is it working on other machines with the same setup (Chrome 102 and Immunet 7.5.xxx) and not on those domain-joined machines? I can't determine on my own whether it's a false positive or not, and what's the solution? Thanks in advance.
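Before treating a detection like this as either a false positive or an infection, the check a practitioner would run is to verify that the flagged installer is the file Google signed and to compare its hash across a flagged host and a host that installs it without complaint. The PowerShell below is an added example, not code from asim's post or from Immunet. The file name and the detection name come from the thread; the installer path, the optional reference-copy path and the expected signer string "Google LLC" are my assumptions and should be adjusted to what you actually see.

```powershell
# Added example (not from the original post): triage a downloaded Chrome
# installer that Immunet flagged as Clam.win.dropper.sykipot-990505-0.
# Assumptions (mine, not from the thread): the default path below and the
# expected signer string 'Google LLC'. Run on the flagged host first; run the
# hash part again on a host that does NOT flag the file and compare.
param(
    # Path of the installer that Immunet is flagging (assumed location).
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\102.0.5005.63_chrome_installer.exe",
    # Optional: SHA-256 of the same installer taken on a machine that installs
    # it without a detection, so both copies can be compared.
    [string]$ReferenceSha256 = ''
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found at $InstallerPath (Immunet may already have quarantined it)."
}

# 1. Authenticode: a genuine Google installer carries a valid signature whose
#    chain ends in a trusted root. Anything other than 'Valid' means the file
#    was altered, is not Google's, or the chain cannot be built on this host.
$sig    = Get-AuthenticodeSignature -LiteralPath $InstallerPath
$signer = $sig.SignerCertificate

[pscustomobject]@{
    Status     = $sig.Status
    StatusMsg  = $sig.StatusMessage
    Subject    = if ($signer) { $signer.Subject } else { '(unsigned)' }
    Issuer     = if ($signer) { $signer.Issuer } else { '' }
    Thumbprint = if ($signer) { $signer.Thumbprint } else { '' }
    NotAfter   = if ($signer) { $signer.NotAfter } else { '' }
} | Format-List

$expectedSigner = 'Google LLC'   # assumption: compare with the Subject printed above
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': treat the file as untrusted until a clean copy is obtained."
} elseif ($signer.Subject -notmatch [regex]::Escape($expectedSigner)) {
    Write-Warning "Signature is valid but the signer is not '$expectedSigner': $($signer.Subject)"
} else {
    Write-Host "Authenticode signature is valid and the signer subject contains '$expectedSigner'."
}

# 2. SHA-256 of the file on disk. The same hash on a flagged host and on a host
#    that installs it cleanly means both hold the identical file, which points
#    at the scanner rather than at the file; different hashes mean one copy was
#    changed in transit or on disk and the flagged copy should not be trusted.
$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
Write-Host "SHA256: $hash"

if ($ReferenceSha256) {
    if ($hash -eq $ReferenceSha256.ToUpperInvariant()) {
        Write-Host 'Hash matches the copy from the non-flagging host: same file on both machines.'
    } else {
        Write-Warning 'Hash differs from the copy on the non-flagging host: the flagged copy is not the same file.'
    }
}
```

Usage: run the script as-is on the VM where Immunet quarantines the installer, then run only the Get-FileHash line on one of the machines where Chrome 102 installs without a detection and pass that hash back in via -ReferenceSha256. A valid Google signature plus an identical hash on both hosts is the evidence you would take to Immunet's false-positive reporting, while a signature status other than Valid or a mismatched hash means the file on the flagged host is not what was downloaded and the quarantine should stand.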