Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cms8000
New Contributor

Forticlient finds Malicious_Behavior.SB when Lenovo Vantage is running

 

Hi,

 

we have many Lenovo Notebooks with Intel and AMD CPUs. Since last week Friday we get more and more "Virus found" messages from our Forticlient. Here are the details:

 

Environment:

We are using EMS 7.0.4
We are using Forticlient 7.0.3 and 7.0.5 (identical results)
All Clients Windows 10 22H2, Lenovo Vantage installed
What happens:

The Virus is found in the directory %PROGRAMDATA%\Lenovo\Vantage\...\
On Intel, the malicious file found is named dp687checkversion_10.exe, on AMD it is dp687checkversion_amd.exe 
The file cannot be quarantined and is running as a subprocess to conhost.exe in Windows\System32
Once Vantage is uninstalled, the virus is gone
It might not be a virus, just a false positive from Forticlient, but

a) I cannot just ignore it

b) End Users get a red window with this message on their desktops

c) It MIGHT BE a virus (maybe even spread by lenovo?)

When you google the amd file, you will find the virus definition by Joe Sandbox (https://www.joesandbox.com/analysis/1292937/0/html)


What do to? Thankful for any ideas...

Christian

 

Christian
Christian
1 Solution
srajeswaran
Staff
Staff

This is a false positive and the signature database is being updated to fix this issue. Please validate the behavior once your databases are updated to next version.

Please make a note of current version and check once its updated.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

3 REPLIES 3
Stephen_G
Moderator
Moderator

Hello cms8000,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
Stephen_G
Moderator
Moderator

Hello Christian,

 

We are still looking to get you an answer. Thank you for your understanding.

 

Kind regards,

Stephen - Fortinet Community Team
srajeswaran
Staff
Staff

This is a false positive and the signature database is being updated to fix this issue. Please validate the behavior once your databases are updated to next version.

Please make a note of current version and check once its updated.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors