Etcher taking malware-like actions

I just tried running Etcher for the first time, and it caused my security software to light up. It isn’t unusual for the software to flag something, so that wasn’t an immediate problem. However, I see no reason why Etcher should be taking any of these actions.

For starters why is Etcher trying to get Tcb privileges? This lets it act as part of the operating system and is complete overkill for anything legitimate it needs to do. There’s also no reason it would need to modify the certificate stores.

I killed it after that, so I don’t know what else it was going to modify…

| Date & Time | Alert Type | Description | Advice | Answered | Answer / Option |
|---|---|---|---|---|---|
| 2020-10-28 08:44:52 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to modify a protected registry key | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKLM\Software\Microsoft\SystemCertificates\CA. You must make sure C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is a safe application before allowing this request. | 2020-10-28 08:44:52 | Deny, Terminate and Reverse / Remember |
| 2020-10-28 08:44:48 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to modify a protected registry key | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKLM\Software\Microsoft\SystemCertificates\CA. You must make sure C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is a safe application before allowing this request. | Invalid DateTime | Show |
| 2020-10-28 08:44:41 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to modify a protected registry key | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKUS\S-1-5-21-1881121578-3391224131-2480528822-1001\SOFTWARE\Policies\Microsoft. You must make sure C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is a safe application before allowing this request. | 2020-10-28 08:44:41 | Deny / Remember |
| 2020-10-28 08:44:24 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to modify a protected registry key | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKUS\S-1-5-21-1881121578-3391224131-2480528822-1001\SOFTWARE\Policies\Microsoft. You must make sure C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is a safe application before allowing this request. | Invalid DateTime | Show |
| 2020-10-28 08:44:18 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to modify a protected registry key | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKUS\S-1-5-21-1881121578-3391224131-2480528822-1001\Software\Policies\Microsoft\SystemCertificates\CA. You must make sure C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is a safe application before allowing this request. | 2020-10-28 08:44:18 | Deny / Remember |
| 2020-10-28 08:44:11 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to modify a protected registry key | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKUS\S-1-5-21-1881121578-3391224131-2480528822-1001\Software\Policies\Microsoft\SystemCertificates\CA. You must make sure C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is a safe application before allowing this request. | Invalid DateTime | Show |
| 2020-10-28 08:44:05 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to modify a protected registry key | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKUS\S-1-5-21-1881121578-3391224131-2480528822-1001\Software\Microsoft\SystemCertificates\CA. You must make sure C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is a safe application before allowing this request. | 2020-10-28 08:44:05 | Deny / Remember |
| 2020-10-28 08:43:43 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to modify a protected registry key | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKUS\S-1-5-21-1881121578-3391224131-2480528822-1001\Software\Microsoft\SystemCertificates\CA. You must make sure C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is a safe application before allowing this request. | Invalid DateTime | Show |
| 2020-10-28 08:43:37 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to obtain an elevated privilege | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to obtain Tcb privilege. If C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is one of your everyday applications, you can allow this request. | 2020-10-28 08:43:37 | Deny / Remember |
| 2020-10-28 08:43:35 | HIPS alert | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is trying to obtain an elevated privilege | C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to obtain Tcb privilege. If C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 is one of your everyday applications, you can allow this request. | Invalid DateTime | Show |
| 2020-10-28 08:43:25 | HIPS alert | cmd.exe is trying to execute C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 | cmd.exe is a safe application signed by Microsoft Windows. However, the executable C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized. Please submit it to COMODO for analysis. | 2020-10-28 08:43:25 | Allow / Remember |
| 2020-10-28 08:43:01 | HIPS alert | cmd.exe is trying to execute C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 | cmd.exe is a safe application signed by Microsoft Windows. However, the executable C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized. Please submit it to COMODO for analysis. | Invalid DateTime | Show |

Hello @Tiberius
What security software is this?
What were you doing when it lit up?
Was it when you pressed “Flash” or before?

I would say that the “is trying to obtain an elevated privilege” messages are normal when you press Flash, as you need these to flash a drive.
I’m not sure about these, though: “is trying to modify a protected registry key”.
Etcher runs diskpart before flashing, maybe it comes from it.

Anyway, you can still check the code https://github.com/balena-io/etcher .

The security software is called Comodo.
The messages occurred after pressing Flash.

Trying to obtain an elevated privilege makes sense; however, that’s a very high privilege to request. From what I have found so far it’s much higher than necessary. There should be alternative privileges that allow the drive to be flashed but not open up the system like this.

While I appreciate that the software is open source, I definitely do not have time to dig through the code myself in order to figure out what level of security risk it presents. I’ll probably set up a Linux VM and do my flashing that way.

Trying to obtain an elevated privilege makes sense; however, that’s a very high privilege to request. From what I have found so far it’s much higher than necessary. There should be alternative privileges that allow the drive to be flashed but not open up the system like this.

What have you found? What are the alternative privileges?

To flash a device, you need to access it on a block level. This means that you can write anything to it. You could erase the drive completely, you could corrupt the filesystem, you could “mount” the filesystem in userspace and write any file to it bypassing any security software you have installed.

I’ll probably set up a Linux VM and do my flashing that way

This just moves the problem, you’ll need to allow the software running the VM to access your drives on a block level at some point.
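The thread leaves two questions open: what exactly the flagged script touched, and whether anything actually landed in the certificate stores it was aiming at. The script below is an added example for triaging those alerts; it is not code from Etcher, balena, or anyone in this thread. It assumes Comodo's `HKUS` prefix means `HKEY_USERS`, that the Windows certificate stores are backed by the `SystemCertificates` registry keys named in the log (they are, and PowerShell exposes the user and machine stores through the `Cert:` drive), and it uses a handful of alert lines constructed from the log above as its input. It extracts the targets, maps the registry paths to the stores they back, lists what each store currently holds (flagging self-signed entries, which deserve a second look in a CA store), and checks whether the current token holds `SeTcbPrivilege` at all.

```powershell
# Added example, not code from Etcher/balena or from this thread.
# Triage of the Comodo HIPS alerts quoted above. "HKUS" is assumed to be
# Comodo's spelling of HKEY_USERS. Run from an elevated PowerShell.

# Alert text constructed from the log above (one line per distinct target).
$alerts = @(
    'C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to obtain Tcb privilege.',
    'C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKLM\Software\Microsoft\SystemCertificates\CA.',
    'C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKUS\S-1-5-21-1881121578-3391224131-2480528822-1001\Software\Microsoft\SystemCertificates\CA.',
    'C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKUS\S-1-5-21-1881121578-3391224131-2480528822-1001\Software\Policies\Microsoft\SystemCertificates\CA.',
    'C_powershell.exe_A14C41F955205F2AB48520E9335E0213DD30EA82.ps1 could not be recognized and it is about to modify the protected registry key HKUS\S-1-5-21-1881121578-3391224131-2480528822-1001\SOFTWARE\Policies\Microsoft.'
)

function Get-AlertTargets {
    # Pull the privilege name or registry key out of each Comodo "Advice" string.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'about to obtain (\w+) privilege') {
            [pscustomobject]@{ Kind = 'privilege'; Target = $Matches[1] }
        } elseif ($line -match 'protected registry key (.+?)\.?$') {
            [pscustomobject]@{ Kind = 'registry'; Target = $Matches[1] }
        }
    }
}

function Convert-RegistryKeyToCertStore {
    # Map the three path shapes seen in the alerts to the store they back.
    # Anything else (e.g. the bare Policies\Microsoft key) returns $null.
    param([string]$Key)
    $sid = 'S-1-5-21-[\d-]+'
    if ($Key -match '^HKLM\\Software\\Microsoft\\SystemCertificates\\(\w+)$') {
        return "Cert:\LocalMachine\$($Matches[1])"
    }
    if ($Key -match "^HKUS\\$sid\\Software\\Microsoft\\SystemCertificates\\(\w+)$") {
        return "Cert:\CurrentUser\$($Matches[1])"
    }
    if ($Key -match "^HKUS\\$sid\\Software\\Policies\\Microsoft\\SystemCertificates\\(\w+)$") {
        # Group Policy store: one subkey per thumbprint holding a raw blob.
        return "HKCU:\Software\Policies\Microsoft\SystemCertificates\$($Matches[1])\Certificates"
    }
    return $null
}

function Get-StoreCertificates {
    # List what a store holds right now. Self-signed entries in a CA store are
    # the first thing to look at when something unknown has been writing there.
    param([string]$StorePath)
    if (-not (Test-Path $StorePath)) { return }
    if ($StorePath -like 'Cert:\*') {
        Get-ChildItem -Path $StorePath | ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
                SelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
    } else {
        Get-ChildItem -Path $StorePath | ForEach-Object {
            [pscustomobject]@{ Thumbprint = $_.PSChildName; Subject = '(raw blob in policy store)'; NotBefore = $null; SelfSigned = $null }
        }
    }
}

function Test-CurrentTokenHasTcb {
    # SeTcbPrivilege ("Act as part of the operating system") is not in an
    # administrator's token by default; SYSTEM and some services hold it.
    return [bool](whoami /priv | Select-String -Pattern '^SeTcbPrivilege')
}

$targets = Get-AlertTargets $alerts
$targets | Sort-Object Kind, Target -Unique | Format-Table -AutoSize | Out-Host

foreach ($key in ($targets | Where-Object Kind -eq 'registry' | Select-Object -ExpandProperty Target -Unique)) {
    $store = Convert-RegistryKeyToCertStore $key
    if (-not $store) { Write-Host "$key -> not a certificate store; inspect the key by hand"; continue }
    Write-Host "$key -> $store"
    Get-StoreCertificates $store | Sort-Object NotBefore -Descending |
        Format-Table Thumbprint, Subject, NotBefore, SelfSigned -AutoSize | Out-Host
}
Write-Host "Current token holds SeTcbPrivilege: $(Test-CurrentTokenHasTcb)"
```

Two things this makes concrete. First, `Cert:\LocalMachine\CA` and `Cert:\CurrentUser\CA` are the intermediate-CA stores, so a write there does not by itself add a trusted root, but an unexpected entry still warrants checking its issuer chain. Second, even an elevated administrator shell normally reports no `SeTcbPrivilege` line from `whoami /priv`, which is why a user-mode tool asking for it stands out against the `SeManageVolumePrivilege`/`SeBackupPrivilege`-style rights one would expect for raw disk access.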