
10 Elder • 45.2K Posts


January 22nd, 2025 20:12

Strange Windows Defender Notification

Got Notification from Windows Defender (Win 10) saying it found a "potentially unwanted app" called OfficeCore.  But the notification is totally confusing:


What does "unwanted app removed or restored" mean??  Did Defender remove or restore the app?  I searched this PC and didn't find anything called OfficeCore.  Malwarebytes didn't find anything either. 

Started a System Restore that was automatically created last week, and looked at the list of apps that would be affected by restoring to that earlier date. It only listed a few Windows Updates, but not OfficeCore. (I cancelled the Restore.)

Even more curious, the notification says the affected software is a Macrium Reflect update.  So did OfficeCore sneak in here along with that Macrium download?  I can't find that update's .exe anywhere on my PC. The version of Macrium Reflect that's installed/running is 8.0.7175, which doesn't match the version number in the notification. So it doesn't look like the updater ever ran.

Anybody have any clues what's going on here?

3 Apprentice • 15.5K Posts

January 22nd, 2025 21:58

"Win32/OfferCore" (or simply "OfferCore") is a generic detection name used by many security vendors to track bundled setups.

That is to say, they didn't find a program (nor anything else) on your system named "OfferCore", rather, the "type" of the problem allegedly found is classified as being "OfferCore".

It was the Macrium Reflect Installer that it found and objected to.   It likely means that this installer came bundled with another program(s) which is "objectionable" (as "potentially unwanted"). 

See the following article for more INFORMATION... however, I do NOT advocate following any directions included therein to remove anything!

Win32/OfferCore Malware - Uninstall instructions, and PC cleanup (updated)

I agree with you that the phrase "unwanted app removed or restored" is rather ambiguous. It could indicate that the installer, which is listed as a TEMP file, was removed (and therefore, not allowed to run). It could mean that the BUNDLED programs were analyzed, and that they were able to restore the "primary" files less any that were deemed potentially problematic. But then again, it may mean something else.

Since it appears that Windows Defender "did its job", protecting you from the problem, and since the severity of the problem was rated "low", then as long as your Macrium Reflect is running normally, I would tend to believe you have nothing to worry about. But if you want to be extra careful, you might wish to pursue this elsewhere.

(edited)
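One way to turn the ambiguous "removed or restored" wording into the concrete action Defender took is to read Defender's own detection records. This is an added PowerShell example, not code from the thread or from Microsoft; run it from an elevated prompt. The detection family name and the 7-day window are placeholders, and the numeric status and action tables are transcribed from the MSFT_MpThreatDetection class reference.

```powershell
# Added example (not from the thread): resolve a Defender PUA notification to the
# actual file, action and outcome recorded by Defender itself.
param(
    [string]$NamePattern = 'OfferCore',   # placeholder: detection family to look for
    [int]$Days = 7                        # placeholder: how far back to look
)

# Numeric codes as documented for the MSFT_MpThreatDetection CIM class.
$threatStatus = @{ 1='Detected'; 2='Cleaned'; 3='Quarantined'; 4='Removed'; 5='Allowed';
                   6='Blocked'; 102='QuarantineFailed'; 103='RemoveFailed'; 104='CleanFailed';
                   105='AllowFailed'; 106='Abandoned'; 107='BlockFailed' }
$cleanAction  = @{ 0='Unknown'; 1='Clean'; 2='Quarantine'; 3='Remove'; 6='Allow';
                   8='UserDefined'; 9='NoAction'; 10='Block' }
$since = (Get-Date).AddDays(-$Days)

# 1. Get-MpThreat carries the threat name; Get-MpThreatDetection carries the
#    file path (Resources) and the action/status codes. Join them on ThreatID.
$threats = Get-MpThreat | Where-Object ThreatName -like "*$NamePattern*"
foreach ($t in $threats) {
    $dets = Get-MpThreatDetection |
        Where-Object { $_.ThreatID -eq $t.ThreatID -and $_.InitialDetectionTime -ge $since }
    foreach ($d in $dets) {
        [pscustomobject]@{
            ThreatName = $t.ThreatName
            Severity   = $t.SeverityID
            FirstSeen  = $d.InitialDetectionTime
            File       = ($d.Resources -join '; ')        # e.g. file:_D:\...\installer.exe
            Action     = $cleanAction[[int]$d.CleaningActionID]   # cast: keys are Int32
            Status     = $threatStatus[[int]$d.ThreatStatusID]
            Succeeded  = $d.ActionSuccess
        }
    }
}

# 2. Cross-check the Defender operational log: 1116 = detection, 1117 = action taken.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object Message -like "*$NamePattern*" |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }}

# 3. List (without restoring) whatever is still sitting in quarantine.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

If the first query shows Status = Quarantined and Succeeded = True for the path in the notification, the installer was moved to quarantine rather than deleted, which explains why it no longer appears on disk.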

10 Elder • 45.2K Posts

January 23rd, 2025 01:49

Thanks for the response!

The Macrium update is not a TEMP file.  D:\TEMP2\Software is the name of a folder and its subfolder I created on my desktop to give me quick access to files I only need temporarily.

It's sorta like the Windows Download folder, but I save more than just app downloads in D:\TEMP2\ such as screenshots, quick notes to self, etc. When I no longer need a file, I just delete it from that folder so my D: drive doesn't get filled up with garbage. 

I don't keep the installer download for an app in that folder, once it's run/installed.  And it appears the file named in that notification doesn't exist on my PC.  Don't know if Windows Defender deleted it, but clearly I never ran it or I would have deleted it immediately afterwards. Don't even remember it having been downloaded, and the Macrium that's running is earlier than the one in the notification.

I had already seen the instructions you linked, but the only version of Macrium reported in Apps & App Features is the currently active version, not the one in the notification.

And if Macrium comes bundled with CoreOffice, why did Windows Defender suddenly spot it in the "new" Macrium update yesterday, but not previously, and not even when the existing version was installed ~2 years ago...?  I didn't manually run a Defender scan yesterday, so it would have been an automatic scan.

So still puzzled why it got flagged now, or why Macrium would distribute CoreOffice with their installer downloads, whether it's used to install Macrium or not, unless they just get paid to bundle it.

FWIW, I also scanned the registry for CoreOffice, and it wasn't found there, but don't know if Windows Defender would have deleted associated registry keys, if any. And CCleaner didn't report that any registry keys were broken.

Will keep a close watch on things...

(edited)

3 Apprentice • 15.5K Posts

January 23rd, 2025 02:48

Thanks for clarifying that the TEMP designation was of your own arrangement.

As for why something would "suddenly" be detected now, when it wasn't detected in the same (or similar) program years ago:

Keep in mind that Defender's rules are updated several times each day. So if a decision was recently made to classify [or RE-classify] a program as a PUP, it could show up now despite not showing up in the past. Which means that a program you have safely used for years may now be considered "undesirable". I encountered that with Auslogics Disk Defragmenter. I had been using an old version, which I hadn't updated in years. I believe that at some point, newer versions DID start bundling unnecessary programs, so scanners were updated to detect it... resulting in my older program, "tainted by reputation", being detected. I made a personal decision to keep it, despite their "warning".

CCleaner is another example... there are security people who say the original program "morphed" over the years, both in ownership and what it tries to do, and so no longer recommend its usage.

10 Elder • 45.2K Posts

January 23rd, 2025 21:28

Sounds reasonable.

I didn't realize Windows Defender would be scanning my D: (DATA) drive.  Has it always done that, or could that be what's suddenly changed?

Also didn't know there was a newer Macrium Update, beyond the free edition that I use, since they've switched to having only paid versions (with a 30-day free trial).
