    Upgrading Fredo6 Library caused Sketchup to be Quarantined by Sentinel One

stephennutt (Newcomers):

I am a long-time fan and user of all of Fredo's tools. Unfortunately, I was upgrading LibFredo to the latest version on Thursday and it caused Sentinel One on my work computer to quarantine Sketchup, rendering it useless until our I.T. department could reinstall it. However, they would not allow a reinstall of LibFredo or FredoSketch, which were the 2 things I was updating at the time. Without LibFredo, the other Fredo Tools that I have, including ones with a paid license, are useless. Our I.T. vendor told our liaison that "Based on extended looks at those, they more than likely have malicious code in them that we are not willing to risk introducing onto your computer and/or the ****** network".

      Has anyone else ever had any issues similar to this? Obviously, Fredo Tools are a great addition to Sketchup that I can survive without but would rather not.

Rich O Brien (Moderator):

        Sounds like an overly strict policy. I'd ask the IT person to relax their policy.

Download the free D'oh Book for SketchUp 📖

stephennutt (Newcomers), last edited by stephennutt:

          According to Sentinel One, there was actually malicious code in it that tried to do damage. This is from the follow-up email I.T. sent me that includes Sentinel One logs:

"Now that we have the logs from Sentinel, we know that the library program used Fredo to deposit a payload through SketchUp onto your computer. That part is not abnormal - that is exactly how most programs are able to install themselves. Once the library passed the file through to your computer, the program ran itself and we now know that the file was a multifaceted attack that was a combination of ransomware, credential scraping, and a trigger mechanism that was designed to evade detection. Part of the log file is below showing what Sentinel One was seeing.

          MITRE : Execution
          MITRE : Impact [DATA DESTRUCTION][DATA ENCRYPTED FOR IMPACT]
          File operations indicate ransomware
          MITRE : Impact [DATA DESTRUCTION][DATA ENCRYPTED FOR IMPACT]
          File operations indicate ransomware
          MITRE : Impact [DATA DESTRUCTION][DATA ENCRYPTED FOR IMPACT]
          Infostealer

          Microsoft Edge's private memory was accessed
          MITRE : Credential Access [CREDENTIALS FROM WEB BROWSERS]
          Malware

          Detected suspicious redirection of data to a pipe from an interpreter with a hidden window detected
          MITRE : Defense Evasion [HIDDEN WINDOW]
          General

          Detects the registration of a vectored exception handler
          Process started from shortcut file
          MITRE : Execution [USER EXECUTION]
          Evasion

          Process executed with non-standard resource type
          MITRE : Command and Control [DATA ENCODING]
          MITRE : Defense Evasion [OBFUSCATED FILES OR INFORMATION][ENVIRONMENTAL KEYING]

          EDIT: I was trying to upgrade both LibFredo6 and FredoSketch at the time so not sure which one I was updating for sure. I believe 85%/15% that it was LibFredo6.

fredo6:

            If you had LibFredo6 already installed, then it must be an upgrade of Sentinel. Nothing has changed recently in LibFredo6 that could trigger the warning.

LibFredo6 contains a binary file (.so), but so do many other plugins and Sketchup itself.

            If you have more information from your IT team....

stephennutt (Newcomers):
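The disagreement above (the EDR vendor says "malicious code", the author says the only native code is a .so that many plugins ship) is exactly the situation where an IT team should look inside the archive rather than argue about it. SketchUp extensions are distributed as .rbz files, which are ZIP archives of Ruby files plus, in some cases, native binaries. The script below is an added example written for this thread, not code from LibFredo6, SketchUcation or SentinelOne: it lists every member of an .rbz, identifies native code both by file extension and by executable magic bytes (so a renamed binary is still caught), and prints a SHA-256 per member so the hashes can be compared against what the vendor published or submitted to the EDR vendor for a verdict. The archive it inspects is constructed inline (`build_sample_rbz`); the member names in it are made up for illustration and are not LibFredo6's real file layout.

```python
"""Triage a SketchUp extension archive (.rbz) before installing it.

Added example for the SketchUcation thread on LibFredo6 and SentinelOne;
not code from either project. An .rbz is a ZIP archive, so the stdlib
zipfile module is enough to inspect it offline.
"""
import hashlib
import io
import zipfile

# File extensions that normally carry native (non-Ruby) code.
NATIVE_EXTENSIONS = (".so", ".dll", ".dylib", ".bundle", ".exe")

# Magic bytes of native executables, checked regardless of the file name.
MAGIC = {
    b"\x7fELF": "ELF",                 # Linux/Unix shared object or binary
    b"MZ": "PE",                       # Windows DLL or EXE
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",  # also Java .class; treat as native to be safe
}


def classify(name, data):
    """Label a member as 'native/<format>', 'ruby' or 'other'.

    Magic bytes win over the extension, so 'helper.txt' that is really an
    ELF file is reported as native, and 'native.so' with no known header
    is reported as a binary of unknown format rather than silently trusted.
    """
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return f"native/{fmt}"
    lower = name.lower()
    if lower.endswith(NATIVE_EXTENSIONS):
        return "native/unknown-format"
    if lower.endswith(".rb"):
        return "ruby"
    return "other"


def triage_rbz(rbz_bytes):
    """Return one dict per archive member: name, size, kind, sha256."""
    report = []
    with zipfile.ZipFile(io.BytesIO(rbz_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            report.append({
                "name": info.filename,
                "size": len(data),
                "kind": classify(info.filename, data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return report


def native_members(report):
    """Members that carry native code; these are what to hash-check or sandbox."""
    return [m for m in report if m["kind"].startswith("native")]


def build_sample_rbz():
    """Constructed sample archive, not a real extension: a Ruby loader, an
    ELF-looking shared object and a text file. Names are illustrative only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("example_lib.rb", "require 'example_lib/native.so'\n")
        zf.writestr("example_lib/native.so", b"\x7fELF" + b"\x00" * 60)
        zf.writestr("example_lib/README.txt", "sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    # On a real file: triage_rbz(open("LibFredo6.rbz", "rb").read())
    report = triage_rbz(build_sample_rbz())
    for m in report:
        print(f"{m['kind']:<22} {m['size']:>7}  {m['sha256']}  {m['name']}")
    print(f"{len(native_members(report))} native binary member(s) found")
```

A clean report here does not prove the extension is safe, and a native .so does not prove it is malicious; the point is that the hashes of the native members are what an IT team can actually take to the EDR vendor for a file-level verdict, instead of a process-behaviour alert that implicates SketchUp as a whole.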

I don't know. That's all I could get from them. I can't risk trying to install again to see if it would happen again. VERY STRANGE!!!!!
