ATP detecting MRT.exe from update Windows-KB890830-x64-V5.63-delta.exe as malware that is trying to hook lsass

  • Question

  • Hi,

    This morning we had a few Windows 10 PCs that received update Windows-KB890830-x64-V5.63-delta.exe, which created a new MRT.exe, which then hooked lsass.

    Alert process tree:

    wininit.exe
    services.exe
    svchost.exe
    wuauclt.exe
    Windows-KB890830-x64-V5.63-delta.exe
    MRT.exe
    lsass.exe
    MRT.exe opened process handle of lsass.exe

    The issue is that MRT.exe, according to Windows Defender Security Center, does not have a valid signature. I checked the file on one of the PCs and the signature is valid, signed by the Microsoft root authority (SHA1 thumbprint 8f43288ad272f3103b6fb1428485ea3014c0bcfe). The MD5 and SHA1 of mrt.exe are the same as reported by WDSC.

    Does mrt.exe normally access lsass?

    Why is ATP detecting an invalid signature when it is valid?


     brgds

       Martin

    Thursday, August 16, 2018 1:51 PM
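The triage Martin describes (checking the Authenticode signature, the root it chains to, and the file hashes) as an added PowerShell example; this is not code from the original post. It assumes the default MRT.exe location and uses the root thumbprint quoted in the post as the expected value.

```powershell
# Added triage example, not from the original post: verify the Authenticode
# signature of MRT.exe, confirm it chains to the Microsoft root whose SHA1
# thumbprint the post quotes, and print hashes to compare with what WDSC reports.
param(
    # Assumed default path; adjust if MRT.exe was dropped elsewhere
    [string]$Path = "$env:SystemRoot\System32\MRT.exe",
    # Root thumbprint quoted in the post
    [string]$ExpectedRootThumbprint = '8F43288AD272F3103B6FB1428485EA3014C0BCFE'
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status) ($($sig.StatusMessage))"

$rootOk = $false
if ($null -ne $sig.SignerCertificate) {
    "Signer subject   : $($sig.SignerCertificate.Subject)"

    # Build the chain ourselves to inspect the actual root instead of trusting a summary status.
    # Revocation is skipped here for offline triage; check it separately when online.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Root subject     : $($root.Subject)"
    "Root thumbprint  : $($root.Thumbprint)"
    $rootOk = ($root.Thumbprint -eq $ExpectedRootThumbprint)
    "Root matches     : $rootOk"
} else {
    "Signer subject   : (file is not signed)"
}

# File hashes to compare against the values WDSC/ATP reported for the flagged binary
foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
    "{0,-17}: {1}" -f $alg, (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash
}

# Is the binary currently running? (handle-level detail needs a separate tool)
$running = Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($Path)) -ErrorAction SilentlyContinue
"Currently running: $([bool]$running)"

# Overall verdict: signature valid AND chained to the expected Microsoft root
"Verdict          : " + $(if ($sig.Status -eq 'Valid' -and $rootOk) { 'trusted Microsoft binary' } else { 'review further' })
```

If the verdict here is trusted but ATP still reports an invalid signature, the mismatch is with the sensor's view of the file (for example a signature check run before the file was fully written), not with the binary itself.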