Boost_interprocess ja F-Secure SAFE

Tiedoton
Tiedoton Posts: 9 Observer

I write the question in English, since that might increase the chances of someone being able to tell the answer. You may also respond in Finnish if you want.
My problem in short is, that I noticed that on several of my computers with F-Secure SAFE installed, there is this folder called "boost_interprocess" in the hidden system folder "ProgramData". It had a lock icon attached to the folder icon in Windows 7, and when I look into the folder's properties and protection tab there (ominaisuudet, suojaus-välilehti) in both Windows 7 and 10, they display a message that says, in Finnish something like "Tälle objektille ei ole määritetty oikeuksia [-] Tämä on mahdollinen suojausriski, koska objektin luoja voi määrittää sille oikeudet. Määritä oikeudet mahdollisimman pian." Translated it means "This object has no defined rights. This is a potential security threat as the creator of the object can give it rights. Assign rights to it as soon as possible."
I'm not sure what the "official" English version of the message would be, maybe someone here knows?
The folder boost_interprocess contains another folder with a long number for a name, which also shows the same message in properties > protection-tab. Both folders are otherwise empty.
Anyway, worried about this I googled the folder name and found a lot of information relating to a trojan named backdoor:Win32 kelihos.A (it has many variants). The name of the subfolder does not quite match the name of the description given in Microsoft's Threat encyclopedia, but the "boost_interprocess" folder is mentioned. I also could not find the registry paths (if that is the correct term) mentioned in Microsoft's Threat encyclopedia. F-Secure also has an article about kelihos in their own threat encyclopedia.
However, SAFE does not see anything wrong with these folders. In fact it refuses to actually scan them, as can be seen by looking into the "Tarkistusraportti" (scan report) after the virus scan. I have also sent the folder as a zip file to F-Secure's Submit a Sample page, but they seem happy to just say that since the folders are empty they cannot be checked. But is not the presence of an unknown folder, with the same name that is created by a known malware, with unusual security settings that Windows categorizes as a potential threat, in itself a sign that something is wrong?
Finally, I should add that even after a complete reinstallation of Windows 10 with only a few programs (Firefox, WinRAR, Foxit Reader) installed, the boost_interprocess folder reappeared. I noticed that in this case as well as all the others, the date and time at which the folder and subfolder were created/modified corresponded with the installation of F-Secure SAFE, the exact same minute. Official F-Secure support however says that this is a mere coincidence and that the folder has no relation to their product. So how can it install itself always at the same time as SAFE?
So I would like to ask, if anyone here knows anything about the "boost_interprocess" folder? Is it always a sign of the kelihos trojan? Why does it appear with the installation of SAFE?
Is it just me, or do you also have this folder with the same strange protection settings in your C:\ProgramData? Note that the folder is a hidden system folder, so you must either copy the exact path to find it or alternatively you can enable hidden folders from Organize > Settings of search and folders > second tab, at the bottom of the list. Variants of kelihos can apparently also create a folder by the same name in other locations such as AppData.
Any help would be much appreciated, even if you just drop by to note that such a folder does not install for you with SAFE.

Comments

  • nanonyme
    nanonyme Posts: 145 Path Finder

    Hey,

    If the directories are actually empty, I'd also consider the possibility that some earlier scan removed files from there and left the directory in place.

  • Tiedoton
    Tiedoton Posts: 9 Observer

    Ukko, where do you find these F-Secure's own folders with the same number for a name as the one inside boost_interprocess?
    nanonyme, I have done no scans on this latest system, so it cannot be the reason why the folders are empty. Also, there should have been a notification if some files were removed.
    As I mentioned in the original post, F-Secure official help denies that this folder has anything to do with them. So it's very frustrating that such folders would just appear. Is there anyone else besides Ukko with boost_interprocess?

  • Ukko
    Ukko Posts: 3,724 Superuser

    Hello,
    Ukko, where do you find these F-Secure's own folders with the same number for a name as the one inside boost_interprocess?

    Sorry for potential confusion. I did not mean 'the same number' but the same pattern (but likely that initially there was such a folder too). For example, it is a timestamp or any hashes with a certain view.
    1530657320 -> folder under boost_interprocess.

    For example, the current F-Secure installation folder for "hydra" (module with a path something like F-Secure SAFE\Ultralight\hydra) has two folders with names like "1533104522" and "1533285871".

    Each update will re-trigger numbers for another view.

    As I mentioned in the original post, F-Secure official help denies that this folder has anything to do with them.

    For except further replies from other users. Maybe it is possible to re-ask F-Secure Support.
    I think that there can be misunderstanding.

    For example, I am also able to think that "boost_interprocess" is not pinned to F-Secure itself.

    But with our(?) certain experience -> content of such folder (my experience is about the "1530657320" folder with date of creation around F-Secure installation timestamp; first steps of installation probably) as another certain folder is pinned to F-Secure activity(?). While it may be completely another folder at all.

    What is your name of folder under boost_interprocess?
    Thanks!

  • Tiedoton
    Tiedoton Posts: 9 Observer

    My folders on different computers also have 10 digits, starting with 15 and then 1, 2 or 3 and a further 7 numbers. The third number corresponds to the date that the folder was created, in the way that the folder from the SAFE installation from January this year had 1 for a third number, the one from two months ago had 2 for a third number, and the one from this week had number 3. So the newest has the highest number.
    I was also able to find these F-Secure official folders at "C:\Program Files (x86)\F-Secure\SAFE\apps\Ultralight" and then looking into the individual folders there, which contain 10-digit numbered folders themselves. Although none of their numbers correspond exactly to the one inside boost_interprocess, it seems as you said that they follow the same logic.
    It's still somewhat frustrating that F-Secure would deny any knowledge of this folder, especially since it has the warning about rights by Windows. I suppose it is only used for installation purposes though, so it can be removed without interfering with SAFE's functionality (as suggested by F-Secure Customer support when I contacted them).

  • nanonyme
    nanonyme Posts: 145 Path Finder

    Hey,

    I did a bit of googling and this is a common directory used by a common framework called Boost to allow processes to form client-server communications on your machine to talk to each other. The presence of the directory itself is not a sign of malware, although malware could use the same framework. Permissions are most likely loose to allow any process to become a server.
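An added example, written for this thread and not taken from any of the posters, from F-Secure or from Boost: a PowerShell script that performs the two checks the discussion circles around. It decodes the 10-digit subfolder names as Unix epoch seconds (the thread's inference, not a documented fact; 1530657320 decodes to 3 July 2018, 22:35:20 UTC) and compares them with each folder's own creation time, and it dumps the owner, SDDL and access entries of boost_interprocess and its subfolders so the "no permissions assigned" state can be read from the ACL instead of from the properties dialog. It assumes the folder lives under %ProgramData%, as the posts say. "Everyone" is matched by its SID S-1-1-0 rather than by name, so the check also works on a Finnish-localized Windows where the group is called "Kaikki".

```powershell
# Added example (not from the thread, not F-Secure's or Boost's code).
# Inspects %ProgramData%\boost_interprocess: decodes numeric subfolder
# names as Unix timestamps and reports each folder's ACL.
$root = Join-Path $env:ProgramData 'boost_interprocess'   # hidden system folder (assumed location)

# Unix epoch as a UTC DateTime; works on Windows 7 (PowerShell 2.0) as well.
$epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

function Get-BoostIpcReport {
    param([string]$Path = $root)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "No $Path on this machine."
        return
    }

    # -Force is needed because the root folder is hidden + system.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Force -Directory)

    foreach ($dir in $items) {
        $acl = Get-Acl -LiteralPath $dir.FullName

        # Names like 1530657320 are 10-digit integers. If they really are
        # epoch seconds, NameAsEpoch should land close to CreationTime.
        $decoded = $null
        if ($dir.Name -match '^\d{10}$') {
            $decoded = $epoch.AddSeconds([double]$dir.Name).ToLocalTime()
        }

        # Flag access entries that give the Everyone group (S-1-1-0) full control,
        # i.e. the "loose permissions" case nanonyme describes.
        $everyoneFull = $false
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -eq 'S-1-1-0' -and $ace.FileSystemRights.ToString() -match 'FullControl') {
                $everyoneFull = $true
            }
        }

        New-Object PSObject -Property @{
            Path          = $dir.FullName
            Created       = $dir.CreationTime
            NameAsEpoch   = $decoded
            Owner         = $acl.Owner
            Sddl          = $acl.Sddl            # raw descriptor; compare across machines
            AceCount      = @($acl.Access).Count
            EveryoneFull  = $everyoneFull
        }
    }
}

Get-BoostIpcReport | Format-List Path, Created, NameAsEpoch, Owner, AceCount, EveryoneFull, Sddl
```

Run it from an elevated PowerShell prompt so Get-Acl can read the descriptor even if the folder's DACL is unusual. The useful comparison is between NameAsEpoch and Created on the same row (a match supports the timestamp reading) and between the Sddl strings of the same folder on two machines (a folder created by the same installer should show the same pattern on both).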

This discussion has been closed.