
Possible false positive ransomware warning on Lenovo Y520 UI license.txt installs

Beginner
Posts: 1
Comments: 1

I am getting ransomware warnings on 2 identical Lenovo Y520 laptops.  All 7 files seem to be UI ???.License.TXT files in the Lenovo\ImController\…\Licenses folder, and don't look like they could contain any malware. There is also one similar-named .XML file, which doesn't look bad, but could have something hidden in it.  Has anybody else run into this issue?  It seems unusual that two PCs could have this occur within 2 weeks of each other.  I would assume that if the license files aren't installed, at some point whatever relied on them would stop working.

Thanks,  

1 Users found this helpful
Beginner
Posts: 0
Comments: 1

I have the same problem, same date. I already had an earlier warning about 4 weeks ago and finally just ignored it.
Some clarification from the Acronis personnel on how to cope with these warnings would be very helpful. I have some older versions of Acronis which I love, but changing to the current versions is painful, it is not self-explanatory and the documentation is very large, probably very complete, but .... you understand, :-).

Beginner
Posts: 0
Comments: 5

Detection also reported in the Lenovo forums:

https://forums.lenovo.com/t5/Security-Malware/notice-of-possible-ransomware-in-Lenovo-desktop/m-p/4416518#M3913

Is this a false positive?

Beginner
Posts: 3
Comments: 16

thomasjk said in Acronis Forum:

https://forum.acronis.com/forum/acronis-true-image-2019-forum/notice-possible-ransomware#comment-496983

The ImController is definitely not ransomware. It's something that Lenovo includes as part of the software preload on their machines. Its exact purpose is somewhat fuzzy to me. I searched the Lenovo forums and most of the references were about 3 years old. The major complaint about it seemed to be the excessive use of resources. I ran task manager on my Lenovo Ideapad and 5 instances were running and none of them was using excessive resources. I did see the ransomware flag from AAP and told it to ignore the process. This thread explains how to disable it:

https://forums.lenovo.com/t5/Pre-Installed-Lenovo-Software/why-is-Lenovo-Modern-ImController-PluginHost-CompanionApp-exe/m-p/4196595#M33448.

 

Beginner
Posts: 0
Comments: 5

I ran all 7 files through Google's VirusTotal, and they came up clean. That supports them as false positives. Acronis Active Protection still flags them at every restart :-s.

Beginner
Posts: 1
Comments: 1

I would think that it must be something in the XML program triggering it, although the similar Lenovo warning a month or so ago used the Lenovo installer, if I remember, and not an XML file.  Acronis needs to figure out what in the files is triggering the warning and either tell us that it's a real problem, explain the false positive warning so we can ignore it, or fix their code to bypass it.  It's probably not a Lenovo problem unless the warning is valid and somebody infected their distribution files (which has apparently happened before), so I doubt that the answer is going to be found in the Lenovo forums.

Beginner
Posts: 1
Comments: 3

When is Acronis going to release a fix for the false positive problem on the 7 Lenovo files?

 

Beginner
Posts: 3
Comments: 16

I don't know, but I have informed Acronis support. While waiting for a solution from Acronis support, you can do this:

Acronis True Image -> Active Protection -> manage process -> add (exception)

 

Robert Ayers wrote:

When is Acronis going to release a fix for the false positive problem on the 7 Lenovo files?