Upgrading Fredo6 Library caused Sketchup to be Quarantined by Sentinel One
-
I am a long-time fan and user of all of Fredo's tools. Unfortunately, I was upgrading LibFredo to latest version on Thursday and it caused Sentinel One on my work computer to quarantine Sketchup rendering it useless until our I.T. department could reinstall. However, they would not allow reinstall of LibFredo or FredoSketch which were the 2 things I was updating at the time. Without LibFredo, the other Fredo Tools that I have, including ones with paid license, are useless with out LibFredo. Our I.T. vendor told our liaison that "Based on extended looks at those, they more than likely have malicious code in them that we are not willing to risk introducing onto your computer and/or the ****** network".
Has anyone else ever had any issues similar to this? Obviously, Fredo Tools are a great addition to Sketchup that I can survive without but would rather not.
-
Sounds like an overly strict policy. I'd ask the IT person to relax their policy.
-
According to Sentinel One, there was actually malicious code in it that tried to do damage. This is from the follow-up email I.T. sent me that includes Sentinel One logs:
"Now that we have the logs from Sentinel we know that the library program used Fredo to deposit a payload through SketchUp onto your computer. That part is not abnormal - that is exactly how most programs are able to install themselves. Once the library passed the file through to your computer, the program ran itself and we now know that the file was a multifacited attack that was a combination of ransomware, credential scraping, and an trigger mechanism that was designed to evade detection. Part of the log file is below showing what Sentinel One was seeing.
MITRE : Execution
MITRE : Impact [DATA DESTRUCTION][DATA ENCRYPTED FOR IMPACT]
File operations indicate ransomware
MITRE : Impact [DATA DESTRUCTION][DATA ENCRYPTED FOR IMPACT]
File operations indicate ransomware
MITRE : Impact [DATA DESTRUCTION][DATA ENCRYPTED FOR IMPACT]
InfostealerMicrosoft Edge's private memory was accessed
MITRE : Credential Access [CREDENTIALS FROM WEB BROWSERS]
MalwareDetected suspicious redirection of data to a pipe from an interpreter with a hidden window detected
MITRE : Defense Evasion [HIDDEN WINDOW]
GeneralDetects the registration of a vectored exception handler
Process started from shortcut file
MITRE : Execution [USER EXECUTION]
EvasionProcess executed with non-standard resource type
MITRE : Command and Control [DATA ENCODING]
MITRE : Defense Evasion [OBFUSCATED FILES OR INFORMATION][ENVIRONMENTAL KEYING]EDIT: I was trying to upgrade both LibFredo6 and FredoSketch at the time so not sure which one I was updating for sure. I believe 85%/15% that it was LibFredo6.
-
If you had LibFredo6 already installed, then it must be an upgrade of Sentinel. Nothing has changed recently in LibFredo6 that could trigger the warning.
LibFredo6 contains a binary file (.so), but as many other plugins and Sketchup itself.
If you have more information from your IT team....
Advertisement