An update related .exe constantly tries connecting network (in a changing Windows path)

#1

Windows 10 has this Malware Protection related file called “MpSigStub.exe”. There’s a Kaspersky whitelisting page about that file; URLs are not allowed here, but it can be found with the MD5 hash: ff2abb47b00130b31d128e191bff7c08

So it is a whitelisted clean file. Now that I have GlassWire set at Ask To Connect, this problem occurs: this file is created in a random folder such as C:\Windows\Temp\randomLettersAndNumbers\MpSigStub.exe

So I get the pop up Allow/Deny. It doesn’t matter which I choose because by the time I press either, the file’s folder is already deleted. The update installer has already given up. But then, after ~5 minutes, it runs again, in a new folder. So the previous Allow doesn’t help.

How to get past this problem? My suggestion would be this: a small arrow or something next to the Allow button. This arrow would open an advanced menu which would include something like “Allow this or identical file in any folder” (same hash would be adequate). That way, next time the updater runs, it is allowed regardless of the folder.

1 Like

#2

@jhoy

Our team all uses Windows and none of us seem to have this file on our firewall. If this file was part of the Windows OS and changing the Windows path we’d probably get more reports about this.

Is it possible maybe it’s a bug of some sort with Windows or another third party application with an installer? I found this thread on Microsoft Answers about it https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/how-to-get-rid-of-mpsigstub/c7077c9c-cb89-4a6a-90b4-0b5dc2cdda3e and at the end someone recommends deleting the file, and the user does that.

0 Likes

#3

I can get rid of the persisting installation folder, but even so, I’m wondering about the following:

I now noticed that the contents of the created temp folder are exactly the same as the contents of “C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1903.4-0” (with one language file difference). So there is certainly some bug/problem with that installer. But in a general sense, is this so rare as an anomaly that no changes are required? (Even the same thing can happen with other updater programs too.)

The problem is you get dozens of popups asking Allow/Deny each time the installer creates a new instance, for the identical .exe file. That results in dozens of mpsigstub.exe entries in the GlassWire Firewall (perhaps that is not optimal), even though the files are identical (just different folders). On the other hand, generally it is good that I can have different instances of the same .exe in different folders, with different firewall settings.

If this kind of installer is very rare, I guess the solution is to simply deactivate Ask To Connect until the installation is successfully finished (although it’s difficult to know when it’s finished as it’s a quiet installation).

0 Likes
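The hash-keyed rule suggested in post #1, combined with the per-folder rules post #3 wants to keep, sketched as an added example (not GlassWire's code and not part of any post). `RuleStore` and `simulate` are hypothetical names, the file contents are a constructed stand-in for the updater binary, and SHA-256 is assumed in place of the MD5 quoted in the thread because MD5 collisions are practical.

```python
import hashlib
import os
import tempfile


class RuleStore:
    """Firewall decisions keyed by exact path, plus optional per-hash rules."""

    def __init__(self):
        self.by_path = {}  # normalized path -> "allow" / "deny"
        self.by_hash = {}  # SHA-256 hex digest -> "allow" / "deny"

    @staticmethod
    def digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def remember(self, path, decision, any_folder=False):
        self.by_path[os.path.normcase(os.path.abspath(path))] = decision
        if any_folder:  # "allow this or identical file in any folder"
            self.by_hash[self.digest(path)] = decision

    def lookup(self, path):
        """Return a stored decision, or "ask" when the user must be prompted."""
        key = os.path.normcase(os.path.abspath(path))
        if key in self.by_path:  # a per-folder rule always wins
            return self.by_path[key]
        try:
            return self.by_hash.get(self.digest(path), "ask")
        except OSError:  # file already deleted: nothing to hash
            return "ask"


def simulate(any_folder):
    """Constructed scenario: identical bytes dropped into two random folders."""
    payload = b"constructed stand-in for the updater binary"
    store, runs = RuleStore(), []
    with tempfile.TemporaryDirectory() as root:
        for _ in range(2):
            exe = os.path.join(tempfile.mkdtemp(dir=root), "MpSigStub.exe")
            with open(exe, "wb") as f:
                f.write(payload)
            runs.append(exe)
        first = store.lookup(runs[0])
        store.remember(runs[0], "allow", any_folder=any_folder)
        return first, store.lookup(runs[1])
```

With `any_folder=False` the second run prompts again, as in the thread; with `any_folder=True` it is allowed, while a file of the same name with different bytes still prompts.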