edmoncu
Novice
826 Views

agsrunner.bin in %programdata%\intel

My security software Cynet has detected that this binary, which is located at C:\ProgramData\Intel\AGS\Libs, is potentially malicious software.

Upon checking at VirusTotal, two other security software products have detected it as well.

For now, I manually delete this binary file upon detection as a safety precaution, unless you can explicitly advise whether this software is legitimate and safe. I'm worried about its existence because this binary is unsigned.

All my endpoints are running Windows 10 LTSC.

There was an old thread discussing the same here, but it is inconclusive and the topic was locked.

22 Replies
edmoncu
Novice
804 Views

additional details on this file


DeividA_Intel
Moderator
778 Views

Hello edmoncu,  

  


Thank you for posting on the Intel® communities.   

  


In order to better assist you, please provide the following:  


  


1. Run the Intel® System Support Utility (Intel® SSU) to gather more details about the system.  


· Download the Intel® SSU and save the application on your computer:   https://downloadcenter.intel.com/download/25293/Intel-System-Support-Utility-for-Windows-


· Open the application, check the "Everything" checkbox, and click "Scan" to see the system and device information. The Intel® SSU defaults to the "Summary View" on the output screen following the scan. Click the menu where it says "Summary" to change to "Detailed View".  


· To save your scan, click Next and click Save.  



2. What is the exact name of the security software? I get several matches with only "Cynet".


3. Did you get an alert when opening an app or on idle when you noticed the potentially malicious software? Or how did you notice it?


4. Have you updated your system (drivers, windows, BIOS)?






Regards,  

  

Deivid A. 

Intel Customer Support Technician 


edmoncu
Novice
757 Views

1.) As this is a company computer, is it okay if I truncate all company-confidential information in the attachment?

2.) Cynet is our EDR: https://www.cynet.com

3.) Our EDR has a policy of doing a scan on a binary file that has at least one VirusTotal detection.

4.) Drivers, Windows: yes; BIOS: no (does this matter for this detection?)

DeividA_Intel
Moderator
713 Views

Hello edmoncu, 



Thanks for the information provided.



In order to avoid sharing sensitive information, I will ask you for the Intel® System Support Utility report by email. Please reply to that email only with the information requested.





Regards,     


Deivid A.  

Intel Customer Support Technician  


edmoncu
Novice
644 Views

Email sent. Sorry for the late revert.

DeividA_Intel
Moderator
694 Views

Hello edmoncu,  


  


Were you able to check the email sent and get the information requested? Please let me know if you need more assistance.   


  


Regards,  

  


Deivid A.  

Intel Customer Support Technician  


edmoncu
Novice
644 Views

Sent the attached log via email

DeividA_Intel
Moderator
678 Views

Hello edmoncu, 


  


We have not heard back from you, so we will close this inquiry. If you need further assistance or if you have additional questions, please create a new thread and we will gladly assist you.  

  


Regards,  


Deivid A.  

Intel Customer Support Technician  


edmoncu
Novice
643 Views

Please reopen this post.

DeividA_Intel
Moderator
607 Views

Hello JoeBloggs, 


  


Thank you for the information provided.


  


I will proceed to check the issue internally and post back soon with more details. 


  


Best regards, 


Deivid A.  

Intel Customer Support Technician 


DeividA_Intel
Moderator
578 Views

Hello edmoncu, 



In order to proceed further, can you provide/try the following:



1. Update the BIOS to the latest version.


2. Is this happening on any other computer from the organization?


3. Have you presented any issues since you noticed this file? 





Regards,  


Deivid A. 

Intel Customer Support Technician 


edmoncu
Novice
565 Views

Hi Deivid A.,

1. Sorry, but does that matter at all for such a file to appear? I don't see any technical connection between the BIOS and this file.

2. Yes, it started appearing across my endpoints.

3. No, it did not. But I am worried that this might indicate a malware payload or something that can potentially be used for a potential malware payload, as the file is unsigned.

DeividA_Intel
Moderator
556 Views

Hello edmoncu, 


  


Thank you for the information provided.


  


I will proceed to check this situation further and as soon as I have any updates I will let you know.


  


Best regards, 


Deivid A.      

Intel Customer Support Technician 


DeividA_Intel
Moderator
526 Views

Hello edmoncu, 



After an investigation, we confirmed that the file is safe. You can add it to a whitelist or exception list. As for the request to update the BIOS, it was because there could be a microcode that helps to protect the computer on its latest version.



If you have any concerns, just let me know.





Regards,  


Deivid A. 

Intel Customer Support Technician 


edmoncu
Novice
522 Views

Hi Deivid,

 

Would it be possible in the future that this binary be signed?

 

Thank you!

edmoncu
Novice
510 Views

Curious as to what the purpose of that file is and why it also needs to be unsigned.

DeividA_Intel
Moderator
492 Views

Hello edmoncu, 



In order to address your inquiries, I will check internally to make sure that I will provide you with accurate information.


Thanks for your comprehension.




Regards,  


Deivid A. 

Intel Customer Support Technician 


edmoncu
Novice
381 Views

Thank you Deivid,

 

For the time being, I have set my endpoint protection to delete the file on any such detection (agsrunner.bin) for safety. I am just super cautious, as it might/can be weaponized to inject payloads if neither of us has confirmation of its purpose.

 

Regards,

DeividA_Intel
Moderator
277 Views

Hello edmoncu, 



Based on the research performed, I would like to let you know that the agsrunner.bin element is installed as part of Intel Graphics Command Center, specifically for the 'AutoGameSettings' component; thus Intel confirms this is a false positive and the file is indeed safe and provided by Intel.

Intel is working on providing it with a digital signature to prevent this alert from occurring in the future (it should actually be included in the next 1 or 2 driver releases). In the meantime, you can safely add it to a white-list or exception list on the security software.





Regards,  

   

Deivid A. 

Intel Customer Support Technician 
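
An added example, not part of the thread and not Intel's or Cynet's tooling: one way to record the signature status and SHA-256 of the flagged file on an endpoint, and to check whether every endpoint holds the same content, so that an exception can be tied to a hash instead of a file name. The function names are hypothetical; the directory and file name are the ones given in the first post.

```powershell
# Added example; function names are hypothetical. Uses only built-in cmdlets
# (Get-ChildItem, Get-AuthenticodeSignature, Get-FileHash, Group-Object).
function Get-BinaryTriageRecord {
    [CmdletBinding()]
    param(
        [string]$Directory = 'C:\ProgramData\Intel\AGS\Libs',  # path from the thread
        [string]$Name      = 'agsrunner.bin'                   # file from the thread
    )
    Get-ChildItem -LiteralPath $Directory -Filter $Name -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Path         = $_.FullName
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Length       = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc
                # Status is an enum: Valid, NotSigned, HashMismatch, NotTrusted, ...
                SigStatus    = [string]$sig.Status
                Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Group records gathered from several endpoints by content hash. More than one
# hash for the same file name means the endpoints do not all hold the same
# binary, and each distinct hash needs its own review before any exception.
function Get-HashSummary {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Records)
    $Records | Group-Object SHA256 | ForEach-Object {
        [pscustomobject]@{
            SHA256    = $_.Name
            Endpoints = @($_.Group.Computer | Sort-Object -Unique).Count
            SigStatus = @($_.Group.SigStatus | Sort-Object -Unique) -join ','
            Paths     = @($_.Group.Path | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object Endpoints -Descending
}

# Local run: one record per matching file, then the per-hash summary.
$records = @(Get-BinaryTriageRecord)
if ($records.Count -gt 0) { Get-HashSummary -Records $records | Format-List }
else { Write-Output 'No matching file found on this endpoint.' }
```

An exception keyed on the SHA-256 covers only that exact content, whereas one keyed on the file name or directory also covers anything later written under that name; once a signed build ships, `SigStatus` changes from `NotSigned` and the hash-based exception can be retired.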


DeividA_Intel
Moderator
195 Views

Hello edmoncu,  



Were you able to check the previous post? Please let me know if you need more assistance.   


  


Regards,  


Deivid A.  

Intel Customer Support Technician  

