Threat found in C:\Recovery\Customizations\usmt.ppkg

jld272 (Member):

Hello, I just launched a full Windows Defender scan, and it found threats; I managed to delete the infected files. However, there is still one file left, and here is the summary I was able to find in the detection.log file.

226947|containerfile|C:\Recovery\Customizations\usmt.ppkg
226947|file|C:\Recovery\Customizations\usmt.ppkg->\ICB\0\MachineSpecific\File\C$\Program Files (x86)\ASUS\GameFirst IV\Driver\tdi\i386\netfilter2.sys
226947|file|C:\Recovery\Customizations\usmt.ppkg->\ICB\0\MachineSpecific\File\C$\Windows\System32\drivers\netfilter2.sys

Apparently, it is located in the file C:\Recovery\Customizations\usmt.ppkg.

This file is protected; I can only see it by using CMD in administrator mode, and if I ask Windows Defender to intervene, it will either quarantine or delete the file (which amounts to the same thing), and my PC might stop functioning.

Do you have a solution for me to remove the threat without deleting the file?

I find that my PC is a bit slow and not using all the memory; could this be due to this file?

Thank you.

jld272

3 replies

MisteryBean (Moderator):

Hello,

This is a false positive; add the recovery folder to the exclusions in Defender.

It will look in the recovery partition of your PC.

https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/recovery-strategy-for-common-customizations?view=windows-11


jld272 (Member):

Thank you for your response, but what is a false positive? Why do antivirus programs react to such threats? If there is no threat, antivirus programs should simply ignore them. I have had quite a few programs installed that forums also indicated as false positives and Windows Defender reacted.

So, silly question: how do you know, when you install new software, if it is a real threat or if it is safe to install?

Thank you.

MisteryBean (Moderator):

What is the title of the detection?

This package is like a compressed folder, and as it is protected and WD does not have access to it, the scan triggers an alert.

Moreover, each brand (Acer, etc.) uses its own system to execute the ppkg, which misleads WD.

******

If you want, we can perform a scan of the PC.

Follow the procedure => HERE <= and post the reports


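The two things the moderator asks for in the first and third replies (the title of the detection, and an exclusion so Defender stops flagging the package) can both be done from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the path quoted in the original post, uses only the standard Defender cmdlets (Get-MpThreatDetection, Get-MpThreat, Add-MpPreference, Get-MpPreference, Remove-MpPreference), and deliberately excludes the single usmt.ppkg file rather than the whole C:\Recovery folder the reply suggests, so that anything else written into that folder later is still scanned.

```powershell
# Added example, not from the forum thread or from Microsoft.
# Run in an elevated (Administrator) PowerShell session.
# Assumption: the path below is the one quoted in the original post.
$target = 'C:\Recovery\Customizations\usmt.ppkg'

# 1. Find every Defender detection whose Resources list mentions the package.
#    Resources holds the detected paths, including the "archive->member" form
#    that appears in detection.log.
$hits = Get-MpThreatDetection | Where-Object {
    $_.Resources -match [regex]::Escape($target)
}

if (-not $hits) {
    Write-Host "No Defender detection references $target"
    return
}

# 2. Resolve each ThreatID to its title (the "detection name" the moderator
#    asked for), its severity, and whether Defender still considers it active.
foreach ($hit in $hits) {
    $threat = Get-MpThreat -ThreatID $hit.ThreatID
    [pscustomobject]@{
        ThreatName = $threat.ThreatName
        SeverityID = $threat.SeverityID
        IsActive   = $threat.IsActive
        FirstSeen  = $hit.InitialDetectionTime
        Resources  = ($hit.Resources -join '; ')
    } | Format-List
}

# 3. Add a narrow exclusion for this one file only (not the whole C:\Recovery
#    tree), and only if it is not already present.
if ((Get-MpPreference).ExclusionPath -notcontains $target) {
    Add-MpPreference -ExclusionPath $target
}

# 4. Verify that the exclusion was recorded.
(Get-MpPreference).ExclusionPath | Where-Object { $_ -eq $target }

# To undo later:
#   Remove-MpPreference -ExclusionPath $target
```

Check the ThreatName printed in step 2 before adding the exclusion: a name that points at a known malware family on the embedded driver is a different situation from a generic or heuristic detection on an inaccessible archive, and an exclusion silences both equally. Keep the exclusion as narrow as possible and remove it again if the package is ever rebuilt or replaced.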