theraot / Theraot

Backporting .NET and more: LINQ expressions in .net 2.0 - nuget Theraot.Core available.
MIT License

Theraot.Core being deleted (by antivirus?) #177

Closed milos12345 closed 2 years ago

milos12345 commented 2 years ago

I think this library was automatically installed when I installed the Microsoft.ApplicationInsights NuGet package, and I get hundreds of reports such as:

System.IO.FileNotFoundException: Could not load file or assembly 'Theraot.Core, Version=3.2.9.0, Culture=neutral, PublicKeyToken=b1460dff8a28f7a7' or one of its dependencies. The system cannot find the file specified.

I suspect security software on users' machines is deleting this file. Do you have a suggestion how I could prevent this from happening?

theraot commented 2 years ago

I'll assume that the software on these machines was working correctly, including Theraot.Core, until unexpectedly it didn't. And I'll consider that the machines could be compromised.

However, if this is happening upon deploy, it could be a bad deploy where an installer software was supposed to deploy a copy of Theraot.Core but didn't. Similarly, it is also possible that an uninstaller software removed it because it was unaware that there is other software that needs it on the machine. In either case, you fix the deploy and that is that.


Since you suspect security software, I decided to upload the 3.2.9 NuGet and also the individual DLLs to VirusTotal to see if any product was yielding a false positive, and it appears that is not a problem. It is possible that the file was corrupted, and you should consider the possibility that it was removed accidentally or intentionally. You should be able to get a clean copy from https://www.nuget.org/packages/Theraot.Core: if you click on "Versions" you can find the specific version you need and then download it from the panel on the right.

If there is some software that removes it automatically (i.e., you got a clean copy, deployed it, and it got removed again), you should investigate which software it is. If it is indeed some security software, figure out why it is doing it (I don't know your security software, but… Is it possible that some user added the signature of the files to the malware database? Could it be a collision? Could it be a typo?).

I will not make a blanket statement of making an exception for Theraot.Core, because that might be creating an opening for some malware (nor should you blindly trust such advice). In fact, consider that there are a couple of other possibilities: that there is a malware that infects Theraot.Core, triggering the security software to delete it. Or that there is a malware that deletes Theraot.Core without any security software being involved.

As for preventing the file from being removed, if you can manipulate the permissions on the file, you should be able to revoke the right to remove it. That could be enough to deter or stop a malicious user, but presumably won't stop a hypothetical malware that has compromised the machine and has some unforeseen way around the permissions.


By the way, you can also look at the versions of Microsoft.ApplicationInsights at https://www.nuget.org/packages/Microsoft.ApplicationInsights/ - as far as I can tell, Theraot.Core was never a dependency. Because of that, I believe Theraot.Core wasn't deployed with Microsoft.ApplicationInsights.

milos12345 commented 2 years ago

Thanks for this information. I have found that another package depends on Theraot, https://www.nuget.org/packages/Vanara.Windows.Shell/3.3.15, but the stack trace always points to the line that calls a method from ApplicationInsights after hours of the program running properly, so I assumed that was the cause. I'll add additional checks and log a hash of that DLL to exclude the possibility of modification.
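
One way to do the check described in the last comment, as an added example that is not code from this thread or from the Theraot project: it logs whether the DLL is missing, unreadable or modified, using the version and public key token from the exception message above. The names `DependencyCheck` and `Check`, the expected-hash placeholder and the DLL location beside the executable are assumptions.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

static class DependencyCheck
{
    // Identity taken from the FileNotFoundException quoted in this issue.
    const string ExpectedVersion = "3.2.9.0";
    const string ExpectedToken = "b1460dff8a28f7a7";
    // Placeholder: record the SHA-256 of the copy you ship at build time.
    const string ExpectedSha256 = "<SHA256-OF-SHIPPED-DLL>";

    static string Hex(byte[] bytes) =>
        BitConverter.ToString(bytes ?? new byte[0]).Replace("-", "").ToLowerInvariant();

    // Returns a one-line status suitable for the application log.
    public static string Check(string path)
    {
        if (!File.Exists(path))
            return "MISSING " + path;
        try
        {
            string sha;
            using (var sha256 = SHA256.Create())
            using (var stream = File.OpenRead(path))
                sha = Hex(sha256.ComputeHash(stream));

            // Reads the manifest only; the assembly is not loaded or executed.
            AssemblyName name = AssemblyName.GetAssemblyName(path);
            string token = Hex(name.GetPublicKeyToken());
            var info = new FileInfo(path);

            bool identityOk = name.Version.ToString() == ExpectedVersion && token == ExpectedToken;
            bool hashOk = string.Equals(sha, ExpectedSha256, StringComparison.OrdinalIgnoreCase);
            string verdict = hashOk ? "OK" : identityOk ? "HASH-MISMATCH" : "IDENTITY-MISMATCH";
            return $"{verdict} sha256={sha} version={name.Version} token={token} " +
                   $"size={info.Length} modifiedUtc={info.LastWriteTimeUtc:o}";
        }
        catch (Exception ex) when (ex is IOException || ex is BadImageFormatException
                                   || ex is UnauthorizedAccessException)
        {
            // Locked, truncated or quarantined files end up here.
            return "UNREADABLE " + path + " (" + ex.GetType().Name + ": " + ex.Message + ")";
        }
    }

    // Assumes the DLL sits beside the executable.
    static void Main() =>
        Console.WriteLine(Check(Path.Combine(AppContext.BaseDirectory, "Theraot.Core.dll")));
}
```

Running the check at startup and again when the `FileNotFoundException` is caught separates "never deployed" from "removed while running". The public key token only shows which key the file claims to be signed with; the hash comparison is what detects modification.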