text/plain

Attack Techniques: RMM Abuse

After you sign up on the Social Security Administration’s website, they’ll send you a yearly email inviting you to check out your benefits. Flipping through my Junk Mail folder this afternoon, I found the following email:

It looks reasonably plausible, except for the return address (cuonlineedu.in, a university in India). I’m always game to look at an attack, so I naturally clicked the “View my statement” link the bad guy hopes I’d click. This navigation results in redirecting through a page on the University’s website to go to a Spanish TLD:

			
GET http://delivery.cuonlineedu.in/UDFEKT?id=28719=c0oCVAtaBQlfGAQDA1YCAl4BAwZSBQVYUFwFAloGVgNRUFRTDFcHDAUAA1YMVgcFDA5LBj1cVhYRXFpXXXZcCkRbUw1VTFFXCxgBUQNVU1IBDQBXUgQCV1sKA0hQQkAVChkdAFwOW04DFklIVxYMDVRRWQYHVEJPClcbYXxwcS5kCVsARRQB&fl=WEJGFEpYHRcEAUMSXQcGCllLVREXXlhPAFZZGl1FGw==
302 Redirect to https://bestideiasbruno.com.es/
GET https://bestideiasbruno.com.es/download.php?url=aHR0cHM6Ly9hcm9taXNiZC5jb20vd3AtY29udGVudC9nZW4ubXNp&name=eStatement455378357_pdf.msi
200 (application/octet-stream)
GET https://www.ssa.gov/myaccount/statement.html
200 (text/html)

		

When that page loads, it claims that your “statement is being prepared” and a file download appears. The file download, named (eStatement####_pdf.msi) is an Windows Installer package named to make it look like a PDF file.

For contrast, the legitimate download would’ve looked like this:

After kicking off the MSI file download, the attack site navigates to a legitimate page on the Social Security site.

Okay, so the fake site dropped a file hoping we’d open it, and we can be pretty sure that a file delivered this way is going to be some form of malware. But it’s very concerning that neither SmartScreen or Microsoft Defender Antivirus complained about the file. Let’s take a closer look.

The first thing to note is that the file is Authenticode-signed:

The MSI file is signed by a legitimate company and after uploading it, we see that it’s “Clean” on VirusTotal.

Hrm. Maybe the company got hacked and someone stole their certificate to sign malware? Looking more closely at the file information, we see that it was signed on April 13th and the file information looks legitimate “This installer database contains the logic and data required to install AteraAgent.” rather than what an attacker might pick (e.g. “You’re Social Security Info. Open me hurry hurry hurry.”)

At this point, I had a strong hint that I knew what was going on, but in this AI-hyped world, I wondered whether Copilot would give me good advice.

Microsoft Copilot correctly recognizes that it’s a scam, but it gets the details wrong:

Let’s ask Google’s Gemini:

Gemini gets it right — the file is legitimate, but it’s being used. The Altera Agent is a piece of software that is categorized as a Remote Monitoring and Management (RMM) tool, which might be referred to by another name: a backdoor.

If you run the file (in a sandbox, obviously), you just get a simple install screen:

After the install has proceeded for a while, the following dialog box is shown:

If you hit the big blue Continue button, the service is started:

…and your device immediately sets up connections to the infrastructure that will allow the attacker to take control of your device:

Tools and Weapons

(Note: Microsoft President Brad Smith wrote a book of this title).

This attack demonstrates one of the most challenging parts of cybersecurity: many tools can be turned into weapons simply by using them maliciously. The dominant use of the AteraAgent is legitimate, but in the hands of an attacker, the impact on the victim is the same as if they had installed malware on their device.

Now, what can Atera do about the abuse of their tool? They’ve done at least the bare minimum thing (added a notification screen during the install), but they probably could do more. For example, the screen doesn’t clearly explain the threat, and there’s no button to “Report Abuse to Atera” for example. An unanswered two year old thread on Reddit suggests these Atera-powered attacks have been going on for quite some time, and there have been high-profile attacks in the past. Hopefully they are keeping a close eye on their “Trial” customers as those are the ones most likely to be attackers.

What can a normal computer user do to protect against this attack? Not a ton. Certainly, they should take care when interacting with their PC (e.g. don’t be me and go trolling around in the Junk Mail folders to click on links, take care with file downloads, keep an eye out when asked to make decisions, be paranoid).

A security-conscious Enterprise might block an attack like this by using Application Control software to block all (or unexpected) RMM tools on their devices. Beyond protecting against campaigns like this one, it can also help inhibit Tech Scams.

-Eric

PS: Note that Windows itself ships with an RMM tool called “QuickAssist”, and sadly it has nothing to say about scams in its UI:

Understanding Defender AV Scans

Microsoft Defender Antivirus Defender is intended to operate silently in the background, without requiring any active attention from the user. Because Defender is included for free as a component of Windows, it doesn’t need to nag or otherwise bother the user for attention in an attempt to “prove its value”, unlike some antivirus products that require subscription fees.

The default mode for Defender is called “Real-time Protection” (RTP) and in that mode, Defender will automatically scan files for malicious content as they are opened and closed. This means that, even if you did have a malicious file on your PC, the instant it tries to load, the threat is blocked.

If you use the Windows Security App’s toggle to turn RTP off, it will turn itself back on whenever you reboot, or after a variable interval (controlled by various factors including management policies and signature updates).

Given the default real-time scanning behavior, you may wonder why the File Explorer’s legacy context menu offers a “Scan with Microsoft Defender…” menu item. Note that this is the Legacy Context menu, shown when Shift+RightClicking on a file. The Default context menu shown by a regular right-click does not offer the Scan command.

Confusion around this command is especially common because, in most cases, the item doesn’t seem to do anything: the Windows Security app just opens to the “Virus & threat protection” page:

The scan you’ve asked for typically executes so quickly, that you have to look closely to realize that your requested scan actually completed– see the text “1 file scanned” at the bottom.

🤔 So, in a world of Real-time Protection, why does this command exist at all? Is there ever a need to use it?

The one scenario where the “Scan” menu item does more than nothing is the case of archive files (Zip, 7z, CAB, etc). Defender doesn’t scan these files on open/close for a few reasons (performance: decompressing data can take a long time, functionality: a password may be needed to decompress).

However, if a user actually tries to use a file from within an archive, that file is extracted and scanned at that time:

If you wanted to scan the contents of an unencrypted archive without actually extracting it, the Scan with Microsoft Defender… menu item will do just that and recognize the threat inside the archive:

Therefore, the only meaningful use of the “Scan” option in Defender is to scan an archive file that you plan to give someone else to open on a different computer, although it’s extremely likely that their device would also be running Defender and would also scan any files extracted from the archive.

Unfortunately, there’s lots of bad/outdated advice out there about the need for manual AV scanning, but I’m happy to see that both Microsoft Copilot and Google Gemini understand the very limited usefulness of this command. I was also happy to see Gemini offered the following:

Pro Tip: If you ever suspect a file is malicious but Defender insists that it’s clean, try uploading it to VirusTotal (an awesome service I’ve blogged about before). VirusTotal will scan the file using over 70 different antivirus engines simultaneously to give you a second (and 3rd,4th,5th,6th,7th…) opinion.

Other Scans

You may’ve noticed other options on the Scan options page, including “Quick scan”, “Full scan”, “Custom scan”, and “offline scan”.

Quick Scan scans a small set of locations where malware commonly tries to hide, including startup locations.
Full scan is self-explanatory: it scans all of your files on your disks.
Custom scan is self-explanatory: it scans the location you choose. The menu item discussed above kicks off a custom-scan for a single file or folder.

All of these scans are basically redundant in a world of RTP: files are scanned on access, so manual scans are not required for protection. The final option, Microsoft Defender Antivirus (offline scan) is different than the others. This scan is a special one that reboots your system and begins a scan before Windows boots. This scan type can find certain types of malware that might otherwise try to hide from Defender. Note that you may be prompted for your BitLocker recovery key:

tl;dr: Don’t worry, we’ve got your back.

-Eric

Windows: Choose Where To Get Apps

Modern versions of Windows offer a setting named “Choose where to get apps” which can reduce attack surface by limiting the locations from which applications can be installed. Internally, we’ve called this feature “Smart Install”.

By default, this option is set to “Anywhere“, which means that Windows will allow an executable downloaded from the Internet to run.

Beyond the default, there are three other options.

Option: Let me know or Warn

The verbosely-named options:

Anywhere, but let me know if there’s a comparable app in the Microsoft Store
Anywhere, but warn me before installing an app that’s not from the Microsoft Store

…mean the SmartScreen Application Reputation call is sent specifying either appControl/level=preferStore (Warn) or appControl/level=recommendations (LMK) values:

After the AppRep call, a followup query is sent to a webservice (at sfdataservice.microsoft.com/smartinstall) to determine whether there’s a Store app available that might satisfy the user’s needs.

If the Warn option is selected, the user is shown a prompt regardless of whether a Store-hosted equivalent of the app is available:

If the Let me know option is selected, a notice is shown only if a Store app is available. Note: I don’t know how well this option works. The Microsoft Store is lacks the majority of apps. The only app I know that’s available via the Store and a traditional EXE download (Paint.NET) does not result in Windows showing the Store suggestion.

Option: The Microsoft Store only

The simplest option is the “The Microsoft Store only” option. It means that after attempting to launch a downloaded app from Explorer, following the web service calls, Windows will show the following prompt:

Attempting to run such a file by calling ShellExecute with SEE_MASK_FLAG_NO_UI results in a silent failure (no prompt); the function will return an error code of ACCESS_DENIED.

Surprise #1 – Plumbed into extra surfaces!

One truly wild aspect of this is that it means it behaves differently than most features powered by the Mark of the Web.

When any option other than Anywhere is enabled, the SmartScreen Application Reputation service can¹ be consulted even when running a binary from the Command Prompt:

…and if the execution is disallowed by the setting, execution can be blocked:

When run from PowerShell, no UI is shown but the execution is blocked:

Surprise #2 – Blocking Dangerous File types!

Another interesting surprise is the behavior in Windows when the filetype is a “Dangerous” one but not an “App.” Those dangerous file types may be specified in the registry by an application’s developer, or manually using the HighRiskFileTypes registry key:

Normally, attempting to use Explorer to open a downloaded file of a dangerous extension would result in a legacy Attachment Execution Services prompt like this:

However, if Windows is configured to Get Apps from Store Only, the opening of an Internet Zone MotW-bearing file is blocked silently, providing a kludgy version of one of the most exciting aspects of the Smart App Control feature.

Troubleshooting Smart Install UI

In some cases, users complain that this feature isn’t working as described above.

This can happen if the Microsoft.StorePurchaseApp is not installed, because that package contains the warning prompts.

Normally, running Get-AppxPackage *purchase* from PowerShell should show this:

…but when the package isn’t installed, the command will return no packages.

When the UI application is not installed, Windows falls back to showing the legacy (XP-era) Attachment Execution Services security prompts.

Relationship to Smart App Control

As of April 2026, in Windows 11 25H2, if you enable Smart App Control, the “Choose where to get apps” setting behaves as if it’s set to “Anywhere”.

-Eric

PS: On subtle behavior is that the Microsoft offers “Portable Store Installer” executables to allow apps to “download” from websites (e.g. this one for ClipChamp). Such PSI installers have an Original filename of StoreInstaller.exe and they are signed with a specific Microsoft certificate chain. The “Choose Where to Get Apps” feature recognizes these installers and allow-lists them as if they came from the store (because, logically, they do).

¹ The decision of whether the SmartInstall restrictions are enforced in the command prompt is an subtle one. If you download a simple executable and run it from the Command Prompt (cmd.exe) there’s no block or prompt. But if you rename that executable to setup.exe, then the prompt and block appear. Windows has a variety of code that attempts to recognize installers, and I’m guessing that code is responsible for the difference.

Winter 2026 Runs

I did a reasonably good job running on my treadmill throughout the fall of 2025, in preparation for my second summit of Mount Kilimanjaro over New Years (blog post to come).

Run for the Water 10 Miler

On November 9th, 2025, I ran the ten mile Run for the Water.

The night before, I ate spaghetti and meat sauce with the kids for dinner. Went to bed early (around 10) but slept poorly, waking up every few hours. Woke at 445 but managed to doze for another dream before my alarm went off at 5am. Had a banana and a gassy but not very useful trip to the bathroom. Put on a “Run the mile you’re in” temporary tattoo and posted the pic to Facebook where two members of my family thought it might be real. 😂

The weather was 57F and breezy, but super-sunny. I left the house at 6:10, got to my usual parking space at 6:30, and had time for a quick stop at the pre-race porta potty. My marshmallow-y supershoes (carbon plate) were comfy for the whole race.

I did okay. I wanted to beat my best time (1:28:57), which I decided would be really hard. So I was kinda just aiming to beat 1:30. I got 1:30:33, just a minute and a half slower than my record, and a blazing 34 minutes faster than my glacial 2024 attempt.

Had I known I was that close, I know I coulda beat 1:30 pretty easily, and almost certainly PR’d to boot.

But I feel mostly fine about the race– I worked hard and nothing in particular hurt or felt bad. My watch failed to hold a connection to the cross-body left headphone so I put it in my pocket. What I didn’t realize was that the body of the headphone was a button that, when tapped, lowered the volume, so I ended up running for a frustrating mile or two with no music yet again.

This time, the “giant” hill at mile 5.5 did not seem giant at all; I’m not sure it was even the biggest hill of the course.

Austin International Half Marathon

On January 18th, I had my fourth run of the Austin International Half, finally meeting my sub-two-hour goal with a finish in 1:56:31. There were about 4200 runners this year.

The night before, I ate spaghetti, meat sauce, and garlic bread with the kids somewhat early, and got to sleep around 10:30. I woke at 4am before dozing again until just before my 5:15 alarm. I ended up pulling out of my driveway by 6:35 and made good time to my usual parking spot in the Stonelake garage. A quick trip to the porta potty went well (no line that early) and I then spent fifteen minutes keeping warm in the car.

I was in my tights, jacket, and disposable cloth gloves (which i kept after I took off around mile 7). The wind was mild, so the low temp (30F) wasn’t too awful.

I had a great start, running with the 1:50 pacers for 5.5 miles. I fell behind and lagged a bit between the 10K and the halfway point, but the fear of the 1:55 pacer passing me from behind kept me running. Around mile 9, the 1:55 pacer caught up and I only managed to stay with them for half a mile or so before falling behind again. But the smell of the finish line was in my imagination and I only walked for half of the two hills downtown. I finished in 1:56:31, just over four minutes faster than my 2023 PR and 22 minutes faster than last year.

I waited in line for a solid ten minutes to hit the PR gong for the first time ever. I felt good throughout the race, with only a minute or so worth of worry about the rumble in my belly.

I’m very happy with this outcome.

Galveston Half Marathon

The Galveston Half was moved another week earlier this year, with a predicted start temperature of 37F, well below 2025’s 64F. There were 625 half marathon runners this year.

While I knew I wouldn’t replicate my recent Austin Half results, I definitely hoped to get my fastest time for this course, and ideally, breaking 2 hours again would be amazing.

Fortunately, the somewhat stronger wind didn’t make things feel too cold, and the clear skies warmed things up fast enough that I dropped my hoodie just before mile 4 and my gloves went in my pocket at mile 8 or so.

I remembered the course well having run it four times before (twice for last year’s half), and there were no surprises in how I felt. I started with the 1:50 pacer but only kept up for around 3 miles before falling behind the 1:55 pacer and 2:00 pacer shortly after. But I still managed to stay on the move, with limited bits of walking around the aid stations and a 30 second pause to pee behind the single occupied porta-potty found at mile 6.

My 2:07 finish was a solid 7 minutes faster than my first two attempts, and almost 32 minutes faster than the first half of last year’s full. It wasn’t quite the result I’d hoped for, but I’m counting the PR for this course as a big enough win.

In April, I run the Capitol 10K again and hope to PR (it’s gonna be hard), and on the first Sunday in May I’ll revisit the Sunshine Run (where I had better beat my unimpressive record for that course).

-Eric

Security Software False Positives

Software developers and end-users are often interested in understanding how to resolve incorrect detections from their antivirus/security software, including Microsoft Defender.

Such False Positives (FPs) can disrupt your use of your device by incorrectly blocking innocuous files or processes. However, you should take extreme care before concluding that a given detection is a false positive — attackers work hard to make their malicious files seem legitimate, and your security software is built by experts who work hard to flag only malicious files.

How Do False Positives Occur?

Every security product must perform the difficult task of maximizing true positives (protecting the user/device) while minimizing false negatives (protecting productivity/data). The resulting ratio is called security efficacy.

False-positives can occur for numerous reasons, but most are a result of security software observing what it deems to be suspicious content or behavior on the part of a file or process. Virtually all modern security software consists of a set of signatures and heuristics that attempt to detect indications of malice based on threat intelligence data collected and refined by threat researchers (both humans and automated agents). In some cases, the threat intelligence is scoped too broadly and incorrectly implicates harmless files along with harmful ones.

To correct this, the threat intelligence from your security vendor must be adjusted to narrow the detection so that it applies only to truly malicious files.

Sidenote: Is it really a block?

In some cases a security feature might block a file not as malicious but merely as uncommon; for example, SmartScreen Application Reputation can interrupt download or starting of an app if the app isn’t recognized:

In such cases, users may choose to ignore the risk and continue if they have good reason to believe that the file is safe. Over time, files should build reputation (especially when signed, see below) and these warnings should subside for legitimate files.

False Positives for End-Users

Before submitting feedback, it’s probably worthwhile to first confirm what security product is triggering a block. In some cases, blocks that look like they may be coming from your security software might actually reflect intentional blocks from your network security administrator. For example, users of Microsoft Defender for Endpoint should review this handy step-by-step guide.

To get a broader security ecosystem view of whether a given file is malicious, you can check it at VirusTotal, a free service which will scan files against most of the world’s antivirus engines and which allows end-users to vote on the safety of a given file.

When a security vendor realizes a false positive has occurred, they will typically issue a signature update; while this typically happens entirely automatically, you might want to try updating your signatures just to ensure they’re current.

False positives (and false negatives) for Microsoft Defender Antivirus can be submitted to the Defender Security Intelligence Portal; these submissions will be evaluated by Microsoft Threat researchers and detections will be created or removed as appropriate. Other vendors typically offer similar feedback websites.

In most cases, users may override incorrect detections (if they are very sure they are false positives) using the Windows Security App to “Allow” the file or create an exclusion for its location.

Avoiding False Positives for Software Vendors

If you build software, your best bet for avoiding incorrect detections is to ensure that your code’s good reputation is readily identifiable for each of your products’ files.

To that end, make sure that you follow Best Practices for code-signing, ensuring that every signable file has a valid signature from a certificate trusted by the Microsoft Trusted Root Program (e.g. Digicert, Azure Trusted Signing).

If your files are incorrectly blocked by Microsoft Defender, you can submit a report to the Defender Security Intelligence Portal.

-Eric