verify a dll file claimed to be developed by Microsoft

  • Question

  • I need to find out if a dll is an actual valid Microsoft file or not. I currently have Forefront on roughly 2000 workstations and this file is not recognized as being a risk. I even ran the file through VirusTotal, which also came back as clean. My problem is the file name is very similar to another Windows file name, but one of them I cannot find anywhere online as actually existing other than in a malware form. The file name that is in question is msaudit.dll, and if you research it you can see msaudite.dll is very common and is recognized on several different operating systems. msaudit.dll however is not, and I have attached some info about the file in hopes of finding someone who knows where I can submit this to verify its legitimacy, and possibly an answer as to why some of the machines have one and some have the other, yet the two files seem to be different. Now the msaudit.dll file I have run across was found to be using AppInit_DLLs and the dll would attach to every process that is running, which caused performance problems. Some background info:

    OS these files were found on: WEPOS and POSReady 2009


    Here are some specifics on the file in question msaudit.dll not to be confused with msaudite.dll.

    If anyone knows of a way to get Microsoft to verify this file or if someone else can provide me some information as to what this file is for or from?

    SHA256: 320afab532ab47fc77c1b063d412f9f46f58a651dae53f3d3420ba6782b44175
    File name: msaudit.dll
    Detection ratio: 0 / 46
    Analysis date: 2013-01-24 14:31:06 UTC ( 22 minutes ago ) 
    Additional information
    ssdeep

    1536:wKONzAHLIrGRgDKj1hyXENOVbdjigEsEuUWCt78hEBcCENf+:wKO1AHffhhy5bcJFWjhEBcCENf+
    TrID

    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    ExifTool

    SubsystemVersion.........: 5.1
    InitializedDataSize......: 29696
    ImageVersion.............: 0.0
    ProductName..............: Microsoft   Windows   Operating System
    FileVersionNumber........: 5.1.2600.0
    UninitializedDataSize....: 0
    LanguageCode.............: English (U.S.)
    FileFlagsMask............: 0x0000
    CharacterSet.............: Unicode
    LinkerVersion............: 10.0
    FileOS...................: Windows NT 32-bit
    MIMEType.................: application/octet-stream
    Subsystem................: Windows GUI
    FileVersion..............: 5.1.2600.0 (xpclient.010817-1148)
    TimeStamp................: 2012:10:18 01:29:48+01:00
    FileType.................: Win32 DLL
    PEType...................: PE32
    InternalName.............: msaudit.dll
    ProductVersion...........: 5.1.2600.0
    FileDescription..........: Security Audit DLL
    OSVersion................: 5.1
    OriginalFilename.........: msaudit.dll
    LegalCopyright...........: Microsoft Corporation. All rights reserved.
    MachineType..............: Intel 386 or later, and compatibles
    CompanyName..............: Microsoft Corporation
    CodeSize.................: 67072
    FileSubtype..............: 0
    ProductVersionNumber.....: 5.1.2600.0
    EntryPoint...............: 0x5a97
    ObjectFileType...........: Dynamic link library
    Portable Executable structural information

    Compilation timedatestamp.....: 2012-10-18 00:29:48
    Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
    Entry point address...........: 0x00005A97

    PE Sections...................:

    Name        Virtual Address  Virtual Size  Raw Size  Entropy  MD5
    .text                  4096         66805     67072     6.64  88df061289ec89a1c9ef4ca43724cf9e
    .rdata                73728         14400     14848     4.86  0c8f9a2ab3ef8b335adf3ce87eb5b578
    .data                 90112         18240      6144     3.67  1fdd402348e7880c179422f7120f4aa7
    .rsrc                110592          1400      1536     4.42  a8fbdfee70a065adb3befad50ae1de58
    .reloc               114688          7130      7168     4.53  48094b81d25eb504621abd665e60e38e

    PE Imports....................:

    [[ADVAPI32.dll]]
    CryptDestroyKey, CryptReleaseContext, CryptAcquireContextW, CryptEncrypt, CryptGetProvParam, CryptImportKey

    [[KERNEL32.dll]]
    GetStdHandle, ReleaseMutex, WaitForSingleObject, HeapDestroy, EncodePointer, DeleteCriticalSection, GetCurrentProcess, GetConsoleMode, FreeEnvironmentStringsW, GetThreadContext, SetStdHandle, GetTempPathA, WideCharToMultiByte, WriteFile, GetSystemTimeAsFileTime, Thread32First, HeapReAlloc, GetStringTypeW, GetOEMCP, ResumeThread, InitializeCriticalSection, TlsGetValue, SetLastError, OpenThread, GetModuleFileNameW, IsDebuggerPresent, ExitProcess, GetModuleFileNameA, UnhandledExceptionFilter, InterlockedDecrement, MultiByteToWideChar, CreateMutexA, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, DecodePointer, SetEnvironmentVariableA, SetThreadContext, TerminateProcess, VirtualQuery, VirtualQueryEx, SetEndOfFile, GetCurrentThreadId, InterlockedIncrement, WriteConsoleW, CreateToolhelp32Snapshot, InitializeCriticalSectionAndSpinCount, HeapFree, EnterCriticalSection, SetHandleCount, LoadLibraryW, FreeLibrary, QueryPerformanceCounter, GetTickCount, TlsAlloc, VirtualProtect, FlushFileBuffers, LoadLibraryA, RtlUnwind, GetStartupInfoW, GetProcAddress, GetProcessHeap, CompareStringW, Thread32Next, GetTimeZoneInformation, CreateFileW, GetFileType, TlsSetValue, CreateFileA, HeapAlloc, LeaveCriticalSection, GetLastError, LCMapStringW, GetSystemInfo, GetConsoleCP, GetEnvironmentStringsW, GetCurrentProcessId, GetCPInfo, HeapSize, GetCommandLineA, SuspendThread, RaiseException, TlsFree, SetFilePointer, ReadFile, CloseHandle, GetACP, GetModuleHandleW, IsValidCodePage, HeapCreate, Sleep, VirtualAlloc

    PE Resources..................:

    Resource type            Number of resources
    RT_MANIFEST              1
    RT_VERSION               1

    Resource language        Number of resources
    ENGLISH US               2
    Symantec Reputation

    Suspicious.Insight
    First seen by VirusTotal

    2012-12-11 21:26:45 UTC ( 1 month, 1 week ago )
    Last seen by VirusTotal

    2013-01-24 14:31:06 UTC ( 22 minutes ago )
    File names (max. 25)

    msaudit.dll

    Jeremy Clark

    Thursday, January 24, 2013 3:00 PM
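A practical way to answer the question "is this DLL really Microsoft's?" on the affected workstations is to check what Microsoft actually vouches for, the Authenticode signature, rather than the version resource. The CompanyName, FileDescription and build-string fields in the posted report are plain text that any linker will embed, so they prove nothing on their own. The PowerShell script below is an added example, not code from the original post or from Microsoft: it enumerates the DLLs listed in the AppInit_DLLs value the poster mentions, checks each file's signature and version resource, and compares its SHA-256 with the hash quoted in the question. It assumes PowerShell 2.0 or later and administrative rights to read HKLM; the `$postedSha256` value is taken from the question.

```powershell
# Added example (not part of the original post). Lists the AppInit_DLLs entries,
# checks each file's Authenticode signature and version resource, and compares
# its SHA-256 with the hash quoted in the question.
# Assumes PowerShell 2.0+ and administrative rights to read HKLM.

$postedSha256 = '320afab532ab47fc77c1b063d412f9f46f58a651dae53f3d3420ba6782b44175'  # hash from the question
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-FileSha256Hex([string]$Path) {
    # Get-FileHash only exists in PowerShell 4+, so use the .NET hash class directly
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Resolve-AppInitPath([string]$Entry) {
    # A bare file name in AppInit_DLLs is resolved through the loader's search path,
    # which starts with System32; that is where this script looks for it.
    if ([System.IO.Path]::IsPathRooted($Entry)) { return $Entry }
    return Join-Path (Join-Path $env:SystemRoot 'System32') $Entry
}

$props = Get-ItemProperty -Path $key
$list = @()
if ($props.AppInit_DLLs) {
    # The value is a single string; several entries are separated by spaces or commas
    $list = @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ -ne '' })
}
if ($list.Count -eq 0) {
    Write-Host "AppInit_DLLs is empty on $env:COMPUTERNAME"
    return
}

$results = foreach ($entry in $list) {
    $path = Resolve-AppInitPath $entry
    if (-not (Test-Path -LiteralPath $path)) {
        New-Object PSObject -Property @{ Entry = $entry; Path = $path; Exists = $false }
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $ver  = (Get-Item -LiteralPath $path).VersionInfo
    $hash = Get-FileSha256Hex $path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Entry             = $entry
        Path              = $path
        Exists            = $true
        SignatureStatus   = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer            = $signer            # who actually signed it, if anyone
        CompanyName       = $ver.CompanyName   # free text from the version resource; informational only
        FileVersion       = $ver.FileVersion
        Sha256            = $hash
        MatchesPostedHash = ($hash -eq $postedSha256)
    }
}

$results | Format-List
```

Run it elevated on one machine that has msaudit.dll and one that has msaudite.dll and compare the two result sets. A `SignatureStatus` of `Valid` with a Microsoft signer is the answer the poster is looking for; `NotSigned` is not conclusive by itself on WEPOS and POSReady 2009, because many XP-era operating-system binaries carry no embedded signature and are instead listed in signed security catalogs. For those, Sysinternals sigcheck, which also checks catalog membership, gives the final verdict. Any file whose SHA-256 matches the posted hash can be treated as the same sample regardless of which machine it came from.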

Answers