Hello, I’m fairly new in this forum but I have been using CIS for quite a few years.
I hope it’s alright if I ask this question in this section (I wasn’t sure if I should straight up submit this as a FP).
Lately whenever I run a full system scan on my laptop I get 2 unrecognized autorun entries detected as a threat relating to the OneDrive update file along with my secondary user account on this PC (OneDriveSetup.exe).
I was curious if I should be worried:
Unrecognized autorun entries
C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\InsertNameHere\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"
C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\InsertNameHere\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"
CIS will not offer me an option to remove those entries and will keep detecting them as a threat every time I run a scan.
I already attempted to uninstall OneDrive and delete any traces, since I never really use it anyways, along with removing that secondary user account, but CIS is still detecting those autorun entries.
I never had this issue before so I would like to know if I should just ignore it.
I’m sorry if this is not the right section to ask this question. If it isn’t, I can post under the false positive section of the forum.
If it is only detecting the autorun entries and not the binaries, those autorun entries are empty. You can have CIS remove them.
An autorun entry from the registry that points to a binary that does not exist is always harmless.
When we look in detail at the autorun entries, we see they are instructing the command processor to delete those binaries. Since CIS does not detect the binaries, those registry keys have run their course.
In short, there is nothing to worry about and you can have CIS remove them.
Thanks for the reply, I forgot to mention in my first post but that’s one of the problems.
I can’t remove them; for some strange reason CIS does not allow me to remove those entries, it just detects them (that’s one of the reasons I attempted uninstalling and deleting OneDrive), which is pretty strange. I installed CCE and ran the autorun scan but it doesn’t show me those entries (only CIS).
By default CIS just detects the entries as a threat but it takes no action, even if I set it to terminate and disable unrecognized autorun entries under settings.
I could just ignore it, but it detects this every time I run a system scan now.
I’ll attach a screenshot; as you can see, the apply selected actions box is greyed out.
You need to open the scan profile options and look for the setting ‘Apply this action to suspicious autorun processes’; however, you can’t add detected autoruns to scan exclusions.
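As an added illustration (not part of any post in this thread, and not Comodo's code): a small Python helper that applies the reasoning from the reply above, that an autorun entry which only tells cmd.exe to delete a file has run its course once that file is gone. The function name `triage`, the verdict labels and the third sample entry are assumptions made for this example.

```python
import os
import re

# Forum software often turns pasted straight quotes into curly ones.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
# Shape quoted in the thread: <path>\cmd.exe [switches] /c del [switches] "target"
_DEL_RE = re.compile(
    r'^\s*"?[^"]*?\\cmd\.exe"?\s+(?:/\w+\s+)*?/c\s+del\s+(?P<args>.+)$',
    re.IGNORECASE,
)

def triage(command, exists=os.path.exists):
    """Classify one autorun command line; returns (verdict, targets).

    stale   - delete-only entry whose target file is already gone
    pending - delete-only entry whose target file still exists
    review  - anything else (not a plain delete, chained commands, wildcards)
    """
    m = _DEL_RE.match(command.translate(_QUOTES))
    if not m:
        return ("review", [])
    args = m.group("args")
    # Operators outside quotes mean the entry does more than delete a file.
    if re.search(r"[&|<>^]", re.sub(r'"[^"]*"', "", args)):
        return ("review", [])
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', args)]
    targets = [t for t in tokens if not t.startswith("/")]  # drop /q, /f, ...
    if not targets or any("*" in t or "?" in t for t in targets):
        return ("review", [])
    verdict = "pending" if any(exists(t) for t in targets) else "stale"
    return (verdict, targets)

# Sample input: the first two entries are the ones quoted in the thread
# (curly quotes as the forum rendered them); the third is constructed to
# show a chained command, which must not be waved through.
ENTRIES = [
    r'C:\WINDOWS\system32\cmd.exe /q /c del /q “C:\Users\InsertNameHere\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe”',
    r'C:\WINDOWS\system32\cmd.exe /q /c del /q “C:\Users\InsertNameHere\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe”',
    r'C:\WINDOWS\system32\cmd.exe /c del /q "C:\Temp\a.exe" & C:\Temp\b.exe',
]

if __name__ == "__main__":
    for entry in ENTRIES:
        verdict, targets = triage(entry)
        print(f"{verdict:8} {targets}")
```

Run it on the affected machine so the default `os.path.exists` check reflects the real file system; elsewhere, pass your own `exists` callable.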