Windows Defender and SteamServiceTmp.exe

Discussion in 'other anti-malware software' started by Carbonyl, Dec 10, 2009.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    To begin with, I run Windows 7 Professional. I keep it patched up to date. I also run ESET NOD32 v4, and Windows Defender is on by default. Malwarebytes AntiMalware is run once a week on-demand.

    Today I launched Steam, connected, and found there was a patch. I downloaded the patch and let it install. After it installed, I reconnected to steam, and suddenly Windows Defender popped up.

    The popup balloon said it wanted to submit malware samples. It said it flagged SteamServiceTmp.exe, and that it wanted to submit the file to Microsoft. I don't know if this means there was a virus in the file or some other malware. I think that's unlikely, considering it came directly from Valve (That's the file that launches to patch the Steam Service), but I'm not sure what that means. I can't find any record of the file being detected in the Windows Defender History, at all. Does this mean I have a virus? What is this all about?

    All I can find is this information from the Event Viewer:

    Code:
    Fault bucket 864089046, type 5
    Event Name: AVSubmit
    Response: Not available
    Cab Id: 0
    
    Problem signature:
    P1: Windows Defender
    P2: 1.1.5302.0
    P3: unspecified
    P4: 1.71.700.0
    P5: 00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
    P6: 
    P7: 
    P8: 
    P9: 
    P10: 
    
    Attached files:
    \\?\C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{BF619DBF-AF9E-8823-3E83-12DE9B785E0B}-SteamServiceTmp.exe
    C:\Users\{Omitted}\AppData\Local\Temp\MPSampleSubmit\client_manifest.txt
    
    These files may be available here:
    C:\Users\{Omitted}\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_Windows Defender_aaba7e9e24b775a1b21d5c41a485d822c4ec703b_0ac496bf
    
    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: 78cda38e-e5ff-11de-862f-001fbc01945b
    Report Status: 0

    Upon review, here are the contents of the Report.wer file that was generated:

    Code:
    Version=1
    EventType=AVSubmit
    EventTime=129049732283935547
    Consent=2
    UploadTime=129049732284013672
    ReportIdentifier=78cda38e-e5ff-11de-862f-001fbc01945b
    Response.BucketId=864089046
    Response.BucketTable=5
    Response.type=4
    Sig[0].Name=Problem Signature 01
    Sig[0].Value=Windows Defender
    Sig[1].Name=Problem Signature 02
    Sig[1].Value=1.1.5302.0
    Sig[2].Name=Problem Signature 03
    Sig[2].Value=unspecified
    Sig[3].Name=Problem Signature 04
    Sig[3].Value=1.71.700.0
    Sig[4].Name=Problem Signature 05
    Sig[4].Value=00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
    DynamicSig[1].Name=OS Version
    DynamicSig[1].Value=6.1.7600.2.0.0.256.48
    DynamicSig[2].Name=Locale ID
    DynamicSig[2].Value=1033
    State[0].Key=Transport.DoneStage1
    State[0].Value=1
    FriendlyEventName=AVSubmit
    ConsentKey=AVSubmit
    AppName=Windows Defender User Interface
    AppPath=C:\Program Files\Windows Defender\MSASCui.exe

    Both VirusTotal and Jotti's malware scan have returned SteamServiceTmp.exe as being mostly clean. Every one of the engines, except Panda, detects nothing. On the other hand, Panda detects W32/Xor-encoded.A in the file.

    I would imagine that if this were actually a false positive, though, that MANY more people would be experiencing this issue. I think two is a small number given the vast crowds running Steam and MSE/Defender.

    Does this look like a legit file wrongly tagged, or an actual infection to be worried over?
     
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    From my dealing with the steam program and its games, it should be clean as a whistle.

    Other game program platforms I'd be worried about, but not Steam (Valve Corporation). They hold over 20 million accounts. You can read about how their servers work at http://en.wikipedia.org/wiki/Steam_(content_delivery).

    In the link above, it states steam will automatically patch a game, otherwise the game will not be able to launch.

    I wouldn't worry at all. I've noticed the steam service to change, be updated, apply patches, if the game I'm playing requires updated drivers and so on. I trust it, as the servers I regularly connect to are run by a very reputable ISP here, on behalf of steam.

    See prevx analysis of the file: "safe" :)
    http://spywarefiles.prevx.com/RRDEJF44125138/STEAMSERVICETMP.EXE.html

    Also see steam board when member asks why AV gave warning on the gameoverlayUI.exe process:
    http://forums.steampowered.com/forums/showthread.php?p=12428456
     
    Last edited: Dec 11, 2009
  3. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    It sounds like Windows Defender found something it thought was suspicious in SteamServiceTmp.exe and sent the file to be examined at Microsoft Malware Labs. It does not mean that the file is infected; Microsoft just wanted more data on the file.
     
  4. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Thanks, guys. That sets my mind at ease! Windows Defender just did the same thing to me again a few hours ago - Only this time it was with the latest version of Flash I downloaded from Adobe. Apparently Defender didn't like the uninstall_plugin.exe file, and wanted to submit it. This time I got a better look at the dialog before I panicked, though, and it looks like it's exactly as you explain it Ibrad. I assume they're just gathering data.

    Thanks again for the helpful links and info!
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    I didn't mind using windows defender, but I found at the time, it kept identifying my wireless modem as 'changing' and needed the file to be submitted. I excluded the file from being scanned, but WD continued to notify me each time I connected/disconnected.

    It may have improved since then, but if you're after a program to check for autoruns, I'd go for something like a-squared's hijackfree and check for what's running manually, or something simple like winpatrol which will check for changes in a similar way as windows defender does. You could download and use both instead (both are free - hijackfree is manually started, winpatrol runs in the background).
     
  6. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    To explain this, it is not a file infection warning; it was a suspicious-file warning.

    MSE did something similar, except that it came with a popup "This file is suspicious please send it to Microsoft for inspection" and you just click send, that was it.

    It means the file triggered off some heuristic points but not enough to classify it as a threat.

    I believe this has already been fixed, probably from the millions of users that would have submitted the same file.
     