VirusTotal not accepting SysInternals Process Explorer requests as of 16Dec2020

Topic

New Reply

I have used the wonderful SysInternals tools for years, and I love the Process Explorer tool and its built-in VirusTotal lookup (where it generates a hash of all programs actively running in memory and submits them to VirusTotal, who submits them to 70+ anti-virus vendors for their opinion: infected or not). Unfortunately, today before Noon Eastern Time, ProcessExplorer started returning the following results in the VirusTotal column: “A device attached to the system is not functioning” or “the operation timed out”. Multiple Wintel servers and workstations, multiple versions of Windows (Win10-1909 back through Server 2008 R2), multiple internet paths, multiple sites. I was worried about possible malware interference until I saw the same problem at a different site (home vs. work), with completely separate networks. I didn’t see any other info about this problem on the internet until tonight, when I found one thread on a Malwarebytes support page from someone with the same problem (although he wasn’t running Malwarebytes, actually). Has anyone else seen this? Any thoughts on why? My guess is that VirusTotal is not accepting the requests from Process Explorer, but any confirmation or insight would be much appreciated!

1 user thanked author for this post.

lmacri

Reply | Quote

Replies

Seeing the same.  When PE is first started, all the entries in the “Virus Total” column say “Hash submitted”.  A few seconds later, they all change to “The operation timed out”.  I have PE version 16.32, since May of this year (2020).

Windows 10 Pro 64 bit 20H2

Reply | Quote

My attempt to run procexp today. No issues

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

The problem with VirusTotal maybe connected to Google’s services problems in the last week.

Reply | Quote

Getting a different message from 32 bit and 64 bit versions but the result is no go either way.

Autoruns is also not getting results. I had no issues with Autoruns last week.

Reply | Quote

Sysinternals are wonderfull tools, but I have the experience, that OSes and Antiviruses understand these tools as “hacking tools” very often. I Use ProcessExplorer, I use Autologon and others.

I apologize I quite do not understand what your isuue is. You cannot run tools from sysinternals?

Suspend AV to see, if it blocks those apps. Fingers crossed, let us know more information.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

@doriel

Sysinternals has an integration with Virus total. It allows to automatically upload hashes/PE files to be uploaded to the scanners at virus toal and display the result.

The problem is that, while process explorer is working (as you have shown in your screenshot), the virus total integration (upload and check of hashes/files of running processes) does not.

I also have the same problem on my up to date windows 10 2004 and the only difference is that on the 16th. of december a .NET update was installed although im not sure if that really is the cause of the problem.

I checked both old and current procexp version but it failes in both cases to get vt results.

1 user thanked author for this post.

doriel

Reply | Quote

My last update is from 9th Dec, so I think Windows Update is not to blame.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

[Tom]

The issue is not running Process Explorer – that works fine, but when you click on Options – VirusTotal.com – Check VirusTotal.com, it adds another column where it shows you that it is sending info to VirusTotal, then is supposed to report the results, usually in the form of xx/yy,  where xx of yy anti-virus vendors show each hash as suspicious/malicious.  Right now, all I get is “A device attached to the system is not functioning (see attached).  We do run have Symantec anti-virus and Barracuda web filtering in place, but A) it has worked before through both of those, and B) other PC/sites without those filters give similar errors.

 

• This reply was modified 4 years, 5 months ago by Tom.
• This reply was modified 4 years, 5 months ago by Tom.

Reply | Quote

Oh, I see. Thank you for clarification. I have the same error.
First it says “Hash submitted”
but then the error appears, I think that its error on the virus total servers. Some processes are evaluated for me, some not. Cant tell exactly why
Maybe VirusTotal DB is being rebuilt so it may take some time, I would wat 24 hours or so to see, if it will work again.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

Here is a replacement image with details of the original symptom.

Reply | Quote

Today I get the status “Unknown” after hashes are submitted to Virus Total from both Sysinternals programs Process Explorer and Autoruns.

Can successfully submit a single file hash via HashMyFiles by Nir Sofer, or directly to the Virus Total website, so the site is not down.

I’ve got a firewall that automatically submits hashes to Virus Total whenever a program connects to the net for the first time.

Suspect that there must be an API that stopped working in the Sysinternals tools, or VT has chosen to block it.

 

Windows 10 Pro 22H2

Reply | Quote

a manual request works but slowly.

Considering the Solarwinds exploit perhaps hey have purged their database and are VERY busy with requests, a big group like PE presents may be a low priority.

Or maybe Google is killing it off as it does to working app for time to time..

Just because you don't know where you are going doesn't mean any road will get you there.

1 user thanked author for this post.

doriel

Reply | Quote

wavy wrote:

a manual request works but slowly.

Good catch!

I didn’t think of trying that! Works here, too!

Which tells me that Google is probably employing traffic management for their servers, and whenever they see a blast of VT requests from a single IP address they get denied…

Windows 10 Pro 22H2

Reply | Quote

Tried again today, still getting Virus Total “unknown” results in Sysinternals…

Windows 10 Pro 22H2

Reply | Quote

I emailed Virus Total but no response yet.

Reply | Quote

I see this post which uses a tool Fiddler. Post if you can add context about Fiddler:
https://isc.sans.edu/forums/diary/Headsup+VirusTotal+Functionality+in+Sysinternals+Tools+Not+Working/26906/

Video from the post:
https://www.youtube.com/watch?v=JRxt4X9n6dQ

Reply | Quote

Interesting – as of today (31Dec2020), without changing anything that would/should have fixed it, ProcessExplorer is now submitting hashes to VirusTotal again, and the results today are even cleaner than before.  Meaning, I’m getting fewer false positive reports, and a very consistent number of anti-virus provider responses (almost all responses are out of 76, when in the past, not all AV providers provided responses for all hashes).

Thanks to those of you who confirmed my results, and provided suggestions.  Maybe the contacts to VirusTotal got things fixed!

2 users thanked author for this post.

doriel, lmacri

Reply | Quote

I can confirm that today it works automtically, no manual control needed, its just like in the past
have a nice day.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote