Proclaim disabled by Microsoft Defender


Posts 15
Paul Hughes | Forum Activity | Posted: Thu, Sep 24 2015 7:53 AM

I've just updated to the latest version of Proclaim and discovered that I couldn't launch the (Windows 10) app.  Tried to download again and was told my version was up to date.

Forced a reinstall (from the C:\Users\Admin\AppData\Local\Proclaim\Install\Installers folder) and immediately received a severe threat from Windows Defender.  Logs confirm that Proclaim is disabled because of the presence of "Trojan:Win32/Bulta!rfn" - "This program is dangerous and executes commands from an attacker... Remove this software immediately."

I take it that's not supposed to happen...

My PC is a clean install of Windows 10 which has barely been used for anything else so I'm not sure how else the PC could have been "infected".

Craig

Posts 3501
LogosEmployee
Scott Alexander | Forum Activity | Replied: Thu, Sep 24 2015 8:53 AM

Is your Windows 10 installation completely up to date? Including the Windows Defender virus definition? I see some false positive reports for this trojan in various forum posts which were resolved by Windows Update. 

If you're all up to date and still experiencing the issue I recommend completely uninstalling Proclaim via Add/Remove Programs, then downloading the latest version from http://proclaimonline.com/download

Posts 15
Paul Hughes | Forum Activity | Replied: Thu, Sep 24 2015 9:06 AM

Did a system restore to just prior to the update.  Checked virus definitions were fully up to date. Then opened Proclaim, was offered the update, downloaded and same result - disabled by Windows Defender.

Uninstalled Proclaim through the Control Panel.  Downloaded fresh installation from the web site. Installed again, but exactly the same result - Trojan warning, disabled program.

Posts 3501
LogosEmployee
Scott Alexander | Forum Activity | Replied: Thu, Sep 24 2015 9:30 AM

I would expect Proclaim 1.30 to be marked as malicious for all Win 10 installs yet we cannot reproduce this in house. For the next troubleshooting step let's see if the previous version is also marked as malicious by Windows Defender on your machine. Please uninstall the current version via add/remove programs, then install the previous version from here https://downloads.logoscdn.com/Proclaim/Installer/1.29.0.0426/ProclaimSetup.exe 

You'll need to be sure to skip the update prompt when starting the previous version. 

Posts 66
Rodney Prickett | Forum Activity | Replied: Thu, Sep 24 2015 10:39 AM

I am experiencing exactly the same problem. Uninstalled Proclaim and then installed the previous version as instructed above.  This version tries to load but reports an error and will not load either.

Posts 3501
LogosEmployee
Scott Alexander | Forum Activity | Replied: Thu, Sep 24 2015 10:54 AM

Rodney Prickett:

I am experiencing exactly the same problem. Uninstalled Proclaim and then installed the previous version as instructed above.  This version tries to load but reports an error and will not load either.

Hello Rodney, could you please post the log file that is generated after trying to run the 1.29 version? http://support.proclaimonline.com/hc/en-us/articles/203763785-How-do-I-submit-log-files-

Posts 716
LogosEmployee
Peter June | Forum Activity | Replied: Thu, Sep 24 2015 11:57 AM

I'm unable to reproduce this issue currently, so we cannot be certain about exactly why Proclaim is being flagged as malware. For the time being, as long as the above files are both related to Proclaim.exe, selecting "Restore" should bypass this menu and allow Proclaim to run.

Posts 15
Paul Hughes | Forum Activity | Replied: Thu, Sep 24 2015 1:49 PM

Just for information, I managed to install 1.29.0.0426 without a problem.

Posts 2
Dave Ham | Forum Activity | Replied: Thu, Sep 24 2015 2:03 PM

I am also experiencing this problem. I am running Windows 7. Downloaded the update to version 1.3 and Windows Defender kills it. Tried this a few times and even tried to get Windows Defender to ignore Proclaim, but to no avail. I followed the advice to completely remove Proclaim and reinstall version 1.29 but that fails to run.

Posts 15
Paul Hughes | Forum Activity | Replied: Thu, Sep 24 2015 2:30 PM

In order to get 1.29 to install after removing 1.30 I rebooted and manually had to delete everything in the AppData folder (which will be something like C:\Users\YourAccountName\AppData\Local\Proclaim).

Only after that could I reinstall successfully.

Posts 3501
LogosEmployee
Scott Alexander | Forum Activity | Replied: Thu, Sep 24 2015 2:39 PM

Craig Holmes:

In order to get 1.29 to install after removing 1.30 I rebooted and manually had to delete everything in the AppData folder (which will be something like C:\Users\YourAccountName\AppData\Local\Proclaim).

Only after that could I reinstall successfully.

Depending on how far you get with version 1.30 you may need to remove the upgraded databases. Sounds like this is where you ended up, Craig. A slightly less heavy-handed approach is to paste the following path into Windows File Explorer:

%LOCALAPPDATA%\Proclaim\Users

Then delete the file named UserManager.db

This will cause your data folder to be recreated but preserves the old copy, so in case you find you're missing something (not synced) it's recoverable.

We're actively looking into the Windows Defender issue. As Peter mentioned we aren't able to reproduce internally and I can see touch points from hundreds of users running 1.30 on Windows 10. It may be related to some combination of the new Proclaim version and another application on the system. 

Posts 140
LogosEmployee
Nick Ericson (Proclaim) | Forum Activity | Replied: Fri, Sep 25 2015 9:04 AM

We have submitted a report to the Microsoft Defender team. Since we cannot reproduce this in house, if you see this again would you paste the following information into this thread:

  1. In your Microsoft security software, click on the History tab.
  2. Click on All detected items.
  3. Copy the name of the detection into this thread.

Along with:

  1. In your Microsoft security software, click the arrow next to the Help button and then click About.
  2. Select the definition information and press Ctrl+C.
  3. Paste the information into this thread.
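
The same details can be gathered from PowerShell, along with the flagged file's SHA-256 and Authenticode signer, which help confirm the binary is the vendor's build before it is restored from quarantine. This is an added example, not part of the original post or Logos's own tooling; it assumes Windows 8.1 or 10 with the built-in Defender module (not Microsoft Security Essentials), and `$flagged` is an illustrative variable set to the Proclaim.exe location reported in this thread.

```powershell
# Added example. Assumes the Defender PowerShell module (Windows 8.1 / 10).
# $flagged is illustrative: the path listed under "Items" in the detection.
$flagged = Join-Path $env:LOCALAPPDATA 'Proclaim\System\Proclaim.exe'

# Detection name and affected files (History > All detected items).
# Get-MpThreatDetection only carries a ThreatID, so map IDs to names first.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$detections = Get-MpThreatDetection | ForEach-Object {
    [pscustomobject]@{
        Detected  = $_.InitialDetectionTime
        Threat    = $threatNames[$_.ThreatID]
        Resources = $_.Resources -join '; '
    }
}

# Client, engine and definition versions (Help > About).
$versions = Get-MpComputerStatus | Select-Object AMProductVersion,
    AMEngineVersion, AntivirusSignatureVersion, AntispywareSignatureVersion,
    NISEngineVersion, NISSignatureVersion

# Identity of the flagged binary. The file is missing while it is quarantined,
# so report that instead of failing.
if (Test-Path -LiteralPath $flagged) {
    $sig = Get-AuthenticodeSignature -LiteralPath $flagged
    $fileInfo = [pscustomobject]@{
        Path            = $flagged
        SHA256          = (Get-FileHash -LiteralPath $flagged -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status                     # 'Valid' for an intact signed build
        Signer          = $sig.SignerCertificate.Subject  # empty if unsigned
    }
} else {
    $fileInfo = "Not present (probably quarantined): $flagged"
}

# Plain-text output suitable for pasting into a false-positive report.
$detections | Format-List
$versions   | Format-List
$fileInfo   | Format-List
```
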

Posts 1
Hank Kuo | Forum Activity | Replied: Sat, Sep 26 2015 8:10 PM

I am running into the same issue, in Windows Vista(!) SP2 32-bit and using Microsoft Security Essentials

Here's a screenshot of the MSE quarantine window

and here's my MSE info per Nick's request:

Antimalware Client Version: 4.8.204.0
Engine Version: 1.1.12101.0
Antivirus definition: 1.207.1168.0
Antispyware definition: 1.207.1168.0

Thanks,

Hank

Posts 3501
LogosEmployee
Scott Alexander | Forum Activity | Replied: Sat, Sep 26 2015 8:33 PM

My recommendation is to remove Proclaim.exe from the quarantined list.

If you don't want to do that you can uninstall the current version and install the previous version from https://downloads.logoscdn.com/Proclaim/Installer/1.29.0.0426/ProclaimSetup.exe

You'll have to delete the UserManager.db file and sign back in in order to run the older version. This file can be found here: %localappdata%\Proclaim\Users

I'm on my phone so I hope I got those paths correct. Please post back and let us know how it goes. I'll be monitoring the forums.

Posts 140
LogosEmployee
Nick Ericson (Proclaim) | Forum Activity | Replied: Sat, Sep 26 2015 8:37 PM

If, after removing Proclaim from the quarantined list, it still does not run, also see the information in this thread.

https://community.logos.com/forums/t/116823.aspx

You may be able to run the latest version directly from the install directory.

Posts 15
Paul Hughes | Forum Activity | Replied: Sun, Sep 27 2015 4:18 AM

Just updated again (after church, obviously) - same problem.

Windows 10 PC. Windows Defender identifies the risk as:

Trojan:Win32/Bulta!rfn

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items:
file:C:\Users\Admin\AppData\Local\Proclaim\System\Proclaim.exe
file:C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{C4E50890-2319-4410-999E-134B1C40CCFC}\Proclaim.exe.icon

Antimalware Client Version: 4.8.10240.16384
Engine Version: 1.1.12101.0
Antivirus definition: 1.207.1186.0
Antispyware definition: 1.207.1186.0
Network Inspection System Engine Version: 2.1.11804.0
Network Inspection System Definition Version: 115.22.0.0

Restoring Proclaim.exe within Defender does allow the program to run, although it doesn't have any shortcuts so needs to be run manually from the %localappdata%/proclaim/system folder.

Hope this helps find a solution.

Posts 3501
LogosEmployee
Scott Alexander | Forum Activity | Replied: Mon, Sep 28 2015 9:13 AM

Rodney Prickett:

Hello Rodney, this crash is happening because the new 1.30 version was able to run for long enough on your machine to upgrade the local databases. When you try to run the old version, Proclaim does not know how to read the upgraded data. To work around this, please delete the following file and restart Proclaim:

C:\Users\Debra\AppData\Local\Proclaim\Users\UserManager.db

We're actively trying to sort out the Windows Defender issue as we'd really like people to run the latest version. 

Posts 3
Richie Stockholm | Forum Activity | Replied: Thu, Oct 1 2015 11:35 AM

Has this been resolved yet? My office staff are still reporting a problem. I had her opening the application using the exe file in the System1 folder since that wasn't being caught by Windows Defender, but I believe that has stopped working for her now too.

Posts 716
LogosEmployee
Peter June | Forum Activity | Replied: Thu, Oct 1 2015 2:09 PM

Richie, I've left a phone call with your office to set up an appointment to resolve this issue.
