Is microsoft.photo.exe ransomware?

  • Problem
  • Updated 7 months ago
  • Acknowledged
Microsoft.photo.exe is being blocked by Trend Micro Folder Shield. Folder Shield has flagged the exe. No clear answer after an internet search. If you like, please contact me.
aspenninger

Posted 11 months ago
Max Slo, Champion
Check the file path.
Several AVs identify it as an exploit; in that case the exe is not stored in the WindowsApps folder.

The 'original' file is a legitimate file from the Windows Photo viewer suite of programs, and in that case the .exe is saved in the WindowsApps folder.

Another point is to check whether it is using a large CPU %.
Anyway, if Trend has blocked it, it is better to check the sample before unlocking it via AV exceptions. So, for the moment leave it blocked and wait for the Trend representative's suggestions.
aspenninger
Thanks Max! In every case Trend Micro is pointing to the WindowsApps folder regarding Microsoft.photos.exe. It would be great if Trend Micro would program the legit location for Microsoft.photos.exe into the Folder Shield software to prevent false positives. Or maybe there is a reason the WindowsApps folder has not been added as a legit location? The darn malware people are more and more creative. I had a look: ms.photo.exe is not using the CPU at the moment. I would like to leave it blocked until Trend representatives have given their suggestion. I will wait.
Max Slo, Champion
I suggest you leave it blocked (just for security) and wait for the Trend experts.

I think it is a false positive, but it is better to wait for them! :)
TM_Kiko, Employee
Hello there aspenninger! Welcome to the community!

We understand that you have a specific process or file that has been detected by Folder Shield as a threat.

The way Folder Shield detects or classifies files as a threat is whether they attempt to modify a file (in a way, this is how the file encryption of ransomware threats infects). Some programs or files that might be related to this process are being modified (and other confidential criteria), which is why it has been detected as having the same behavior as ransomware.

Furthermore, just to be sure, we can try to communicate with Microsoft Support and ask for advice on whether Microsoft.photo.exe is a legitimate executable file from them. That is the only time that we can conclude that this is a false positive detection and that we need to have this reclassified.

I hope this helps.

Trend Micro Home Users Community
bradparkinson
What is the resolution behind this? Did anyone at TM contact MS for the answer? If so, why, 2 months later, is TM still blocking?
TM_Victor, Employee
Hi bradparkinson,

We have not received any reply or updates from aspenninger regarding this case.

May we know if you are experiencing the same problem?

Just as TM_Kiko explained, and based on research about the program microsoft.photo.exe, it is possible that the app is being blocked by the feature because the folder or directory that it is configured to protect is being accessed at the same time. This is similar to the behavior of ransomware-type malware, which accesses multiple files and encrypts them at once.

We hope to hear from you soon.

Trend Micro Home Users Community

aspenninger
Hello TM_Kiko, thanks for your kind suggestion that TM "will try to communicate with Microsoft Support and ask for advice if the Microsoft.photo.exe is a legitimate executable file from them. That is the only time that we can conclude that this is a false positive detection and that we need to have this reclassified". It seems other TM users are convinced that Microsoft.photo.exe is from MS. I have no detailed knowledge regarding this specific question. Maybe you can take the advice of the other (not me) TM users and save time by simply updating TM to allow access. See posts below. As always, your call on what to do!
TM_Kiko, Employee
Hello aspenninger,

Thanks for your suggestion. We appreciate your concern with our program's detection capability. We will continue to monitor this problem and see if we can get other related cases or problems identical to this one. 

Thank you for your attention.

All the Best,

Trend Micro Home Users Community
Tom Emmelot, Champion
Hi aspenninger and kiko,

It is an MS program that runs at startup and loads photos from all kinds of locations, so when you start to look for photos they are already there.
So no false positive; the only reason that TM and a lot of other AV programs block it is because Folder Shield doesn't like that "loading and searching for photos".
So put it in the trust list and problem solved!

Kind regards,
Tom
Tom Emmelot, Champion

Hi aspenninger,

If it is in this folder, it is an app from Microsoft.

c:\program files\windowsapps\microsoft.photos_15.1026.13580.0_x64_8wekyb3d8bbwe\microsoft.photos.exe

Kind regards,
Tom
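The path check that Max Slo and Tom recommend can be done from PowerShell rather than by eye. The script below is an added example, not code from the thread or from Trend Micro: it looks up where Windows itself says the Photos package is installed, finds every running Microsoft.Photos.exe, and reports whether each one runs from that package directory and carries a valid Microsoft Authenticode signature. The package name `Microsoft.Windows.Photos` and the `SignatureKind` property on `Get-AppxPackage` output are assumptions about the installed Windows 10/11 build.

```powershell
# Added example (not from the thread): verify that the running Microsoft.Photos.exe
# is the Store-installed copy before deciding on a Folder Shield exception.
# Assumes Windows 10/11 with the Photos app installed, run in a normal user session.
function Test-PhotosAppIdentity {
    [CmdletBinding()]
    param(
        # Registered package name of the Photos app (assumed; check Get-AppxPackage *Photos*).
        [string]$PackageName = 'Microsoft.Windows.Photos'
    )

    # 1. Where does the package manager say the Photos package lives?
    $pkg = Get-AppxPackage -Name $PackageName | Select-Object -First 1
    if (-not $pkg) { throw "Package $PackageName is not installed for this user." }
    $expectedDir = $pkg.InstallLocation   # normally under C:\Program Files\WindowsApps\

    # 2. Which Microsoft.Photos.exe processes are running, and from which file?
    $procs = Get-Process -Name 'Microsoft.Photos' -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Warning 'No Microsoft.Photos.exe process is running.'; return }

    foreach ($p in $procs) {
        $path = $p.Path
        if (-not $path) {
            # Path is hidden for processes of other users unless elevated.
            Write-Warning "PID $($p.Id): image path not readable (try an elevated shell)."
            continue
        }

        # A legitimate copy runs from inside its own package directory under
        # WindowsApps; a copy anywhere else is what to submit as a sample.
        $inPackageDir = $path.StartsWith($expectedDir, [System.StringComparison]::OrdinalIgnoreCase)

        # Store binaries are Authenticode-signed by Microsoft; a missing or
        # invalid signature is a stronger signal than the path alone.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signedOk = ($sig.Status -eq 'Valid') -and
                    ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

        [pscustomobject]@{
            Pid           = $p.Id
            Path          = $path
            InPackageDir  = $inPackageDir
            SignatureOK   = $signedOk
            PackageSigner = $pkg.SignatureKind   # expected 'Store' (property assumed present)
            CpuSeconds    = [math]::Round($p.TotalProcessorTime.TotalSeconds, 1)
        }
    }
}

Test-PhotosAppIdentity | Format-List
```

If `InPackageDir` and `SignatureOK` are both true, the block is almost certainly the Folder Shield behaviour described later in the thread (a trusted app touching many protected files), not a rogue binary; if either is false, keep it blocked and hand the file to Trend Micro as a sample.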
TM_Jabi, Employee
Hi Everyone,

Just adding this: there are lots of threats around the cloud that are created to infect most of the MS files or system files on the machine.

It will be harder to clean or remove a threat if it infected those types of files.

Hoping for a better result for this case. 

Trend Micro Home Users Community
mark
Is Trend Micro reporting that it is safe for users to unblock c:\program files\windowsapps\microsoft.photos_15.1026.13580.0_x64_8wekyb3d8bbwe\microsoft.photos.exe? I am unclear as to how to proceed.
aspenninger
Hi Mark, I should have put my note in the comment section of your message. I'm not a regular in these forums : ) Please open the thread; my opinion from today, Feb 22, is below for you to read.
aspenninger
Please read the post from earlier in this thread. Probably you have already. In my opinion the Trend Micro (TM) employees are not able to give a clear answer. I see that a volunteer super-user with many "TM points" (a volunteer super-user active in this TM forum) is brave enough to give an opinion on how to proceed. I have accepted that volunteer super-user's opinion, but I am doing it at my own risk. The problem "seems" to be solved (if and until ransomware sneaks in somehow or another). Based on the volunteer super-user, a ransomware takeover based on the specific conditions in this thread is not likely. I'm just a regular guy without special technical knowledge, so do NOT!! take my statement as a guarantee! Thanks to the super-user for their volunteer leadership. My computer was eating up its own memory and CPU time fighting with Folder Shield blocking the MS program over and over and over! I get the impression that Microsoft is letting the users take the risk because Microsoft is not able to give Trend Micro an answer. However, I don't fully understand why the TM employees are not clearly pointing the finger at MS. My opinion is that possibly because these two groups (TM and MS) have to work together, they approach each other very carefully in an attempt to support a smooth working relationship. My opinion is that if this is the case, the working relationship could be dysfunctional because Folder Shield questions might not be solved directly by a TM employee. As you can tell, I have to speculate (big-time) to imagine that there is a communication problem between TM and MS.