Uninstall leads to Palo Alto Cortex alerts - Malicious file activity found

I installed, uninstalled, and reinstalled a fresh copy duplicacy.
Purely to see if I can move the install folder.

About an hour later I get a cortex alert. about the uninstaller and AU_.exe

Looks like AU_.exe just deleted the Administrators folders.

global-verdict-report.pdf (350.4 KB)

The program even has the duplicacy logo.


The uninstaller executable Duplicacy Web Edition Uninstall.exe is auto genreated by NSIS.

When the uninstaller runs, it spawns off a new process AU_.exe which does the actual work. It should only delete files created by the installer.

I don’t know anything about sample.exe in your report.

Are you actually reading what files were deleted?

Additionally this was ran as a user, not administrator.

It’s interesting that the argument to the uninstaller is path to the C:/Users/Admininstrator, and not to the installation location. If the uninstaller is designed to delete the contents of the folder it thinks it created — that would be the behavior you see.

So there are at least two issues:

  • why does uninstaller forgot/confused the install location
  • why is it deleting everything indiscriminately as opposed to the actual files that it created (maybe by design).

Is this behavior reproducible?

When the uninstaller runs, it will first show the installation directory that it is going to remove all files from. The text input for this is non-editable. Does it show the correct directory for you?