Seriously, how to disable the intel batch file {A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat

JLand10
Novice
25,429 Views

We bought several corporate laptops that came with Intel HD Graphics 520 cards, and downloaded the driver for the cards from here on the Intel website. After getting corporate security to assist in the installing of the driver, after rebooting, our corporate protection solution "Bit9" blocks this batch file from running. Each time a user logs in, the bat starts running file C:\Intel\GfxCPLBatchFiles\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat and they are hit with a security warning notification that an unapproved file was blocked.

How do we disable it? We can not find any reference to the file in the registry, services or startup locations.

0 Kudos
53 Replies
JLand10
Novice
4,480 Views

How is that update coming?

0 Kudos
idata
Employee
4,480 Views

Thank you for your patience.

Based on our review, this can be considered a false positive on the Anti-Virus or protection software. Our suggestion can be to include igfxEM.exe, IgfxCUIService.exe, igfxHK.exe in the application's white-list, or otherwise report it to the app developer so it gets white-listed by them.

Regards,

Amy C.
0 Kudos
AMarg1
Beginner
4,480 Views

Missed the point. It's not the executables. It's the batch file that launches them. Whitelisting solutions will normally block a random batch file in a user-writable directory, which is how Intel is launching these executables. Instead of a batch file, Intel should use any of a number of other available means for launching programs at startup, at logon, etc. But not a batch file in a user-writable directory.

This is about whitelisting, too, not about anti-virus software.

Let's try again...

0 Kudos
DBarh
Beginner
4,480 Views

Great! They are. The batch files aren't as they keep coming back. I want them to stop. It's the batch files that are not white listed. It's not an antivirus program, it's whitelisting. Antivirus is blacklisting. Please help with this. Intel is large enough that batch files shouldn't be the method of running things.

0 Kudos
JLand10
Novice
4,480 Views

So based on your review you came back with the EXACT SAME RESPONSE that I was given when I opened this case? The exact same response that I rejected and then explained why this answer is incorrect?! That is the answer I am getting after 2 long weeks of waiting?

Did you even bother to read the issue?

TELL ME HOW TO DISABLE THE BATCHFILE. THAT IS THE ANSWER I REQUIRE. We can not and will not white-list a batchfile in a user-writable directory that deletes itself when it is finished. That kind of action screams malware and security will not sign off on something like that which can be easily compromised.

Please elevate this case to someone else that is capable of reading and understanding the issue.

0 Kudos
idata
Employee
4,480 Views

We will continue to review this matter, and as soon as possible update the thread with more information.

Regards,

Amy C.
0 Kudos
AMarg1
Beginner
4,480 Views

Amy, I'd be happy to get on a phone call with your engineers to discuss the issue and various ways to resolve it. I work for Microsoft and specialize in the Windows platform -- I can definitely help get the issue taken care of. You or they can reach me by email: aaronmar at microsoft.com.

Thanks.

0 Kudos
JLand10
Novice
4,480 Views

Another week and still no response to a very simple question: How do I disable the batch file? Use your time to resolve your issues, but in the interim just tell me where in the registry you have hidden this batchfile so I can disable it until you sort out your issues.

0 Kudos
JLand10
Novice
4,480 Views

Another week and still no response. Please elevate the priority of this case.

0 Kudos
LDavi9
Beginner
4,480 Views

Not sure if this is helpful, but I'm IT in a 2000 person company in the same boat as the poster. The .bat file self destructs after running, can't be searched and we can't find a way to turn it off short of rolling back the drivers. We will not whitelist this in Bit9 (nor should any other security-conscious company).

Very simple:

How do you prevent the file located here C:\Intel\GfxCPLBatchFiles\ named {a6d608f0-0bde-491a-97ae-5c4b05d86e01}.bat from running. No other answer or details needed. Simply "Go here, do this". PLEASE.

0 Kudos
JLand10
Novice
4,480 Views

@linkdead62 - It has been 33 days since I asked for this "how to disable information" which you would think would be an easy answer to provide. Yet they have been unable to address the issue in any meaningful way so don't get too hopeful for a quick solution. In fact, considering I have not been asked any further investigative questions for the last few weeks leads me to believe that no one is looking at this anymore and that the issue is no longer being discussed at all.

0 Kudos
AMarg1
Beginner
4,480 Views

Digging deeper on my own. I captured a boot log with Sysinternals Process Monitor. Findings:

  • The batch file is created by igfxCUIService.exe
  • igfxCUIService.exe is an automatic-start service running as NT AUTHORITY\SYSTEM
  • It hosts the service with the display name, "Intel(R) HD Graphics Control Panel Service." Key name igfxCUIService2.0.0.0, and description "Service for Intel(R) HD Graphics Control Panel."
  • The executable is located on my system here:
    C:\Windows\System32\DriverStore\FileRepository\ki120510.inf_amd64_0f15706cfddd3491\igfxCUIService.exe
  • This service starts the batch file in the interactive user's session, non-elevated, and running as the interactive user.

It looks like the service waits for interactive user logon, then creates the batch file and runs it as the newly-logged-on user.

For some reason, although the batch file is supposed to delete itself, it's not getting deleted on my system. These are the contents:

    @echo off
    TIMEOUT 1 /NOBREAK
    if exist "C:\WINDOWS\System32\DriverStore\FileRepository\ki120510.inf_amd64_0f15706cfddd3491\igfxEM.exe" start "" "C:\WINDOWS\System32\DriverStore\FileRepository\ki120510.inf_amd64_0f15706cfddd3491\igfxEM.exe"
    del /Q "C:\Intel\GfxCPLBatchFiles\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat"

So it's supposed to wait one second and then start igfxEM.exe in the same security context; igfxEM.exe is in the same directory with the service executable.

However, according to my boot trace, igfxEM.exe starts immediately after the batch file starts. I suspect that the TIMEOUT command does not work in the context in which it's started.

It looks to me that if the service started igfxEM.exe directly rather than going through the batch file, Intel's desired outcome would be the same, without running afoul of whitelisting rules.

INTEL, CAN WE PLEASE TALK ABOUT A BETTER WAY TO DO WHAT YOU'RE TRYING TO DO SO WE CAN ALL AVOID ISSUES WITH WHITELISTING SOLUTIONS? Please contact me: aaronmar, at microsoft dot com.

Thanks.

0 Kudos
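For administrators triaging these block events, the launcher shape described in the post above can be checked mechanically. This is an added example, not part of the thread and not Intel's code: the `triage` function, its regexes and the assumption that the file is named after the target of its own `del` line are hypothetical.

```python
import re

# Line shapes taken from the batch file quoted in the post above. The package
# folder may be any single path segment, but not "..", "%VAR%" or a quote.
EXE = r'C:\\Windows\\System32\\DriverStore\\FileRepository\\(?!\.+\\)[^\\"/%]+\\igfxEM\.exe'
BAT = r'C:\\Intel\\GfxCPLBatchFiles\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.bat'
LAUNCH = re.compile(rf'if exist "({EXE})" start "" "({EXE})"', re.I)
SELF_DELETE = re.compile(rf'del /Q "({BAT})"', re.I)
FIXED_LINES = {"@echo off", "timeout 1 /nobreak"}

# Sample input: contents as quoted in the post; the file name is assumed to be its del target.
SAMPLE_PATH = r"C:\Intel\GfxCPLBatchFiles\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat"
SAMPLE = r'''@echo off
TIMEOUT 1 /NOBREAK
if exist "C:\WINDOWS\System32\DriverStore\FileRepository\ki120510.inf_amd64_0f15706cfddd3491\igfxEM.exe" start "" "C:\WINDOWS\System32\DriverStore\FileRepository\ki120510.inf_amd64_0f15706cfddd3491\igfxEM.exe"
del /Q "C:\Intel\GfxCPLBatchFiles\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat"
'''


def triage(batch_text, batch_path):
    """Return deviations from the expected launcher; an empty list means it matches."""
    findings, launched, deleted = [], 0, 0
    for n, raw in enumerate(batch_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower() in FIXED_LINES:
            continue
        launch, delete = LAUNCH.fullmatch(line), SELF_DELETE.fullmatch(line)
        if launch:
            launched += 1
            if launch.group(1).lower() != launch.group(2).lower():
                findings.append(f"line {n}: checks one path but starts another")
        elif delete:
            deleted += 1
            if delete.group(1).lower() != batch_path.lower():
                findings.append(f"line {n}: deletes a file other than itself")
        else:
            findings.append(f"line {n}: unexpected command: {line}")
    if launched != 1 or deleted != 1:
        findings.append(f"expected one launch and one self-delete, found {launched} and {deleted}")
    return findings
```

An empty result only says the file has the shape reported in this thread; it does not establish who wrote it.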
AMarg1
Beginner
4,480 Views

One correction to my analysis: the batch file that's on my system was written back in October and was never deleted for some reason. In the boot trace I observed the service created a new file with a different file name (an entirely different GUID), and the new batch file was deleted. Everything else in my earlier analysis still holds, as far as I know.

Intel?

0 Kudos
JNels7
Beginner
4,455 Views

Bump...

We too, are impacted by this ill-behaved routine. To Carbon Black Enterprise Protection (Bit9) and, I assume, Windows AppLocker, the behavior here looks exactly like that of fileless malware.

This was a horrible design decision. Please fix it.

0 Kudos
JLand10
Novice
4,455 Views

Don't expect a reply jrn77074

I have been beating this drum for over 4 months now and still they ignore the issue.

Ronald_Intel - any updates for us about a fix for this continuing issue? Hah, just kidding, you guys don't give a tiny crap.

0 Kudos
JNels7
Beginner
4,456 Views

We are not without recourse. Let's see if we can interest some of the security bloggers with this issue. I would imagine that display driver software behaving like fileless malware might get some attention there.

0 Kudos
EFran4
Beginner
4,456 Views

Hi, I run into this problem on Windows 8.1 platform. Where do I find the updated driver for Windows 8.1? This is an urgent issue for us as well.

Regards,

Emmanuelle F.

0 Kudos
Dcela1
Beginner
4,481 Views

We are having the same problem here with AppLocker.

Intel - When will a fix be released?

0 Kudos
CN4
Beginner
4,481 Views

Not sure how this helps the root problem but for those that use Bit9 a.k.a. Carbon Black Protection and are getting execution blocks, I set the file igfxCUIService.exe as an installer in Bit9, all 22 hashes we have thus far. This should allow that executable to create other files that will be allowed in a high enforcement policy. As new hashes of this file present themselves I will mark those also as installers. In the meantime we wait for Intel to do something more globally.

0 Kudos
JLand10
Novice
4,481 Views

intel_corp We are now two months into asking for a solution to an on-going driver issue and we have not had a single reply in over a month.

Are we going to get an update or working solution?

0 Kudos
RonaldM_Intel
Moderator
4,481 Views

Hello everyone,

I do apologize for replying until now. This was filed for our internal developers to investigate and work on [internal bug ID 1406677163]; however, while this is a very important issue to us, we have been working on other critical issues (e.g. BSOD, crashes). I have asked to raise the internal priority for this now.

I cannot promise any particular outcome from said investigation, but I'll be posting here once I have any news or update.

Thank you for your patience.

Best Regards,

Ronald M.
