An update-related .exe constantly tries connecting to the network (in a changing Windows path)

Windows 10 has this Malware Protection related file called “MpSigStub.exe”. There’s a Kaspersky whitelisting page about that file; URLs are not allowed here, but it can be found with the MD5 hash: ff2abb47b00130b31d128e191bff7c08

So it is a whitelisted clean file. Now that I have GlassWire set at Ask To Connect, this problem occurs: this file is created in a random folder such as C:\Windows\Temp\randomLettersAndNumbers\MpSigStub.exe

So I get the pop up Allow/Deny. It doesn’t matter which I choose because by the time I press either, the file’s folder is already deleted. The update installer has already given up. But then, after ~5 minutes, it runs again, in a new folder. So the previous Allow doesn’t help.

How to get past this problem? My suggestion would be this: a small arrow or something next to the Allow button. This arrow would open an advanced menu which would include something like “Allow this or identical file in any folder” (same hash would be adequate). That way, next time the updater runs, it is allowed regardless of the folder.


@jhoy

Our team all uses Windows and none of us seem to have this file on our firewall. If this file was part of the Windows OS and changing the Windows path we’d probably get more reports about this.

Is it possible maybe it’s a bug of some sort with Windows or another third party application with an installer? I found this thread on Microsoft Answers about it https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/how-to-get-rid-of-mpsigstub/c7077c9c-cb89-4a6a-90b4-0b5dc2cdda3e and at the end someone recommends deleting the file, and the user does that.

I can get rid of the persisting installation folder, but even so, I’m wondering about the following:

I have now noticed that the contents of the created temp folder are exactly the same as the contents of “C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1903.4-0” (with one language file difference). So there is certainly some bug/problem with that installer. But in a general sense, is this so rare as an anomaly that no changes are required? (The same thing can happen with other updater programs too.)

The problem is you get dozens of popups asking Allow/Deny each time the installer creates a new instance, for the identical .exe file. That results in dozens of mpsigstub.exe entries in the GlassWire Firewall (perhaps that is not optimal), even though the files are identical (just different folders). On the other hand, generally it is good that I can have different instances of the same .exe in different folders, with different firewall settings.

If this kind of installer is very rare, I guess the solution is to simply deactivate Ask To Connect until the installation is successfully finished (although it’s difficult to know when it’s finished as it’s a quiet installation).

I found two other “annoying” Microsoft executables trying to connect to the network. Here are examples of the paths:

C:\Program Files\WindowsApps\Microsoft.YourPhone_1.19041.481.0_x64__8wekyb3d8bbwe\YourPhone.exe

C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe

What happens is those are often updated to new versions. I don’t know what they do, but I deny their access to the network, and they are useless files at least for me. As the versions update, the folder also changes. This causes the .exe to appear in GlassWire Firewall multiple times.

I like to deny apps that I don’t want to use. There is for example Adobe Crash Reporter Service. I have that 10 times in Firewall, because they are actually slightly different executables, in different folders.

I was wondering if this would be nice for many users:

If you do Deny for an executable that has the same name as an executable already denied before, it would group them together. If the file size is approximately the same, and the Copyright and Product name in the metadata are the same, then they would automatically collapse into a group. There would be a [+] to expand the group, but by default they would be collapsed. Also, you could choose “Automatically deny similar executables from now on” as a third option to Allow / Deny, when a similar object is detected.

About “ascending” order of rows in Firewall: when you click Apps a few times, you get a view where all blocked rows are first. But the blocked items are not in any seemingly logical order. Could they be in alphabetical order? I think that’d be nice.

These are just suggestions, what do you think? Thanks!

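The two ideas raised in this thread, an “Allow this or identical file in any folder” rule keyed on the file hash (first post) and a Deny rule that groups “similar” executables by name, size and version metadata (the suggestion above), can be sketched as a small decision policy. The code below is an added illustration, not GlassWire’s code or anything from the forum; the `ExeEvent` class, the `Policy` class, the 5% size tolerance and all sample file contents, ProductName/LegalCopyright strings and the second YourPhone version folder are constructed for the example.

```python
from __future__ import annotations

import hashlib
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ExeEvent:
    """One 'process wants to connect' event as a host firewall would see it.

    Every field here is constructed for the example; a real tool would read the
    file bytes and the version resource (ProductName / LegalCopyright) from disk.
    """
    path: str
    content: bytes
    product: str
    copyright: str

    @property
    def name(self) -> str:
        # ntpath splits Windows backslash paths correctly even on Linux/macOS.
        return ntpath.basename(self.path).lower()

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def similar(a: ExeEvent, b: ExeEvent, size_tolerance: float = 0.05) -> bool:
    """Heuristic from the thread: same file name, same ProductName and
    LegalCopyright, and file size within +/- 5%. The folder is ignored on purpose."""
    if a.name != b.name or a.product != b.product or a.copyright != b.copyright:
        return False
    la, lb = len(a.content), len(b.content)
    return abs(la - lb) <= size_tolerance * max(la, lb)


class Policy:
    """Allow by exact hash (folder-independent); deny by similarity."""

    def __init__(self) -> None:
        self.allowed_hashes: set[str] = set()    # "Allow this or identical file in any folder"
        self.deny_similar: list[ExeEvent] = []   # "Automatically deny similar executables"

    def allow_identical(self, ev: ExeEvent) -> None:
        self.allowed_hashes.add(ev.sha256)

    def deny_similar_to(self, ev: ExeEvent) -> None:
        self.deny_similar.append(ev)

    def decide(self, ev: ExeEvent) -> str:
        # Exact-hash allow first: identical bytes in a new random folder need no prompt.
        if ev.sha256 in self.allowed_hashes:
            return "allow"
        # Similarity is only ever used to *deny*, never to allow (see note below).
        if any(similar(ev, rep) for rep in self.deny_similar):
            return "deny"
        return "ask"


def group_events(events: list[ExeEvent]) -> list[list[ExeEvent]]:
    """Collapse firewall rows: an event joins the first group whose representative it resembles."""
    groups: list[list[ExeEvent]] = []
    for ev in events:
        for g in groups:
            if similar(ev, g[0]):
                g.append(ev)
                break
        else:
            groups.append([ev])
    return groups


# Constructed sample data. Folder names, byte contents and metadata are made up;
# the second YourPhone version folder (…500.0…) is a placeholder for "the next update".
MS_COPYRIGHT = "(c) Microsoft Corporation. All rights reserved."
STUB_BYTES = b"MZ" + b"\x00" * 30 + b"constructed MpSigStub payload"
SAMPLE_EVENTS = [
    ExeEvent(r"C:\Windows\Temp\a1b2c3\MpSigStub.exe", STUB_BYTES, "Microsoft Malware Protection", MS_COPYRIGHT),
    ExeEvent(r"C:\Windows\Temp\z9y8x7\MpSigStub.exe", STUB_BYTES, "Microsoft Malware Protection", MS_COPYRIGHT),
    ExeEvent(r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.19041.481.0_x64__8wekyb3d8bbwe\YourPhone.exe",
             b"MZ" + b"\x00" * 30 + b"yourphone build 481", "Your Phone", MS_COPYRIGHT),
    ExeEvent(r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.19041.500.0_x64__8wekyb3d8bbwe\YourPhone.exe",
             b"MZ" + b"\x00" * 30 + b"yourphone build 500x", "Your Phone", MS_COPYRIGHT),
    ExeEvent(r"C:\Tools\other.exe", b"MZ other", "Other", "Other Corp"),
]


def run_demo() -> dict:
    """Walk through the thread's scenario and return the decisions for inspection."""
    policy = Policy()
    stub_first, stub_second, phone_481, phone_next, other = SAMPLE_EVENTS
    before = policy.decide(stub_second)        # nothing configured yet -> prompt
    policy.allow_identical(stub_first)         # user allows the first MpSigStub.exe by hash
    policy.deny_similar_to(phone_481)          # user denies YourPhone.exe "and similar"
    return {
        "stub_before": before,                             # 'ask'
        "stub_after": policy.decide(stub_second),          # same hash, new folder -> 'allow'
        "phone_next_version": policy.decide(phone_next),   # new bytes, same name/metadata -> 'deny'
        "unrelated": policy.decide(other),                 # 'ask'
        "group_count": len(group_events(SAMPLE_EVENTS)),   # 3 rows instead of 5
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The asymmetry in `decide` is deliberate: a hash match proves the file is byte-identical, so it is a safe basis for an automatic Allow, whereas name, size and version-resource strings are trivially reproducible and should only ever drive an automatic Deny or a display grouping, which is exactly how the suggestion above scopes them.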

@jhoy

Cool ideas! Thanks for your feedback and I agree that YourPhone.exe and Microsoft.Photos.exe are very annoying for me too. :frowning: