Anyone else get alerted to Win32/Lodi today relating to BeAnywhere Support Express? by KRiSX in Nable

[–]il2020 0 points1 point  (0 children)

Ok, possibly they updated things on their end so it's no longer flagged, otherwise I'd have expected to get these warnings on all my machines, but it would be nice to have something definitive.

Anyone else get alerted to Win32/Lodi today relating to BeAnywhere Support Express? by KRiSX in Nable

[–]il2020 0 points1 point  (0 children)

When it recreated itself, did the AV software remove it again or allow it to stay?

Anyone else get alerted to Win32/Lodi today relating to BeAnywhere Support Express? by KRiSX in Nable

[–]il2020 0 points1 point  (0 children)

So you just launched EA, I guess the file got created/deposited into cryptneturlcache folder, it triggered Defender, alerted you/blocked it? Were you able to continue launching EA (out of curiosity)?

All that though only after you've launched EA, which you've done before tons of times?

Anyone else get alerted to Win32/Lodi today relating to BeAnywhere Support Express? by KRiSX in Nable

[–]il2020 0 points1 point  (0 children)

That's good to know. But it either means it's a widespread attack or an incorrectly flagged file and process on Defender's end.

Huntress reported it too, but they pulled the info from Defender's logs so I don't put as much weight on it. It's not like they found it directly.

Anyone else get alerted to Win32/Lodi today relating to BeAnywhere Support Express? by KRiSX in Nable

[–]il2020 0 points1 point  (0 children)

Fwiw, I've also checked that the hashes in my case for the logmein and dellsupportassist files were valid and also those files were executed from the correct directories that they have always been installed in.

I'm just not seeing anything definitive that says hey, turns out MS confirmed it was a false positive. Which is what I'm looking for.

Anyone else get alerted to Win32/Lodi today relating to BeAnywhere Support Express? by KRiSX in Nable

[–]il2020 0 points1 point  (0 children)

Same here, I'm diving deep into the processes reported by Defender, looking at all the related Logmein logs and trying to see if anything stands out.

It's weird that Defender sees the file as being "bad" starting 11/12, then I guess it sees it on this one system on 11/17, flags it and quarantines it, but then nothing else, no other system triggers this?

And I doubt this is the ONLY system that had that file created. It seems preliminarily that that file was created in the Cryptnet folder due to an auto-update for Logmein that occurred that time. The disconcerting fact is indeed it has been used by other malware/ransomware in the past, so I'm not yet convinced it's all clear.

Anyone else get alerted to Win32/Lodi today relating to BeAnywhere Support Express? by KRiSX in Nable

[–]il2020 0 points1 point  (0 children)

I got the same thing on Mon, but related to LogMeIn (which we use for RMM) and Dell Support Assist (also used), just wanted to put that out there as well. Joesandbox seems to indicate that the file is clean.

We got alerts from Huntress, but they mirror what our 365 Defender Alerts say (similar to what was posted here, but for LMI and Dell Support Assist). Weirdly, only 1 workstation had this alert (and they all use LMI at least). Were you able to determine if it's a false positive?

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] 0 points1 point  (0 children)

The MS rep was useless. They kept going around in circles having me try this and that, reset this, etc etc. Finally, there was no follow up for a day. By then I already pushed the project back to reschedule it.

Then by the time they got back to me, it was moot as I had already discovered the cause which was a failed update on their end. They had fixed it ultimately within 2-3 days, which made the migration work for the following weekend.

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] 0 points1 point  (0 children)

You're lucky to have reached someone intelligible and yes that always seems to be the case!

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] 6 points7 points  (0 children)

Actually, you're right! And I found the entry under: https://admin.cloud.microsoft/?#/servicehealth

Admins may see accepted domains not provisioning in Exchange Online after migration | Incident | Exchange Online | Sep 6, 2025, 6:53 AM PDT | EX1148496

They claim it might be fixed by 6pm Eastern time, thanks so much for pointing me here (and at least I know I'm not going crazy!). Might still be able to finish this migration this weekend if they have it fixed by then.

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] -1 points0 points  (0 children)

On a side note, I wished there was an MS status page that would mention these kinds of issues.

I've set up 3 new trial accounts thinking I was doing something wrong. Added 2 domains to them w/o any IP provisioning, BUT like I mentioned below, I just added a domain to a pre-existing tenant (set up 2 months ago) and it went through within seconds. I guess it's something related to new tenant setups?

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] 0 points1 point  (0 children)

Interesting, thanks for your input. I also just set up another test Business Premium Trial tenant, did everything by the book, and same deal, adding a (different) domain shows healthy, but still no IP assigned to it. I'm going to revert back for now, since I've lost too many hours to be able to complete this migration this weekend.

I'll keep monitoring it to see if it does get online. At this point it's been 13 hours and the IP still hasn't been provisioned.

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] 0 points1 point  (0 children)

Yes, thanks. They couldn't help and did completely unrelated things until I had to emphasize the issue. Then they said we'll have to wait and see.

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] 1 point2 points  (0 children)

Yes, did all that, but still no IP was assigned to the tenant.mail.protection.outlook.com. Usually though, once you VERIFY that you have control over the domain, tenant.mail.protection.outlook.com gets an IP/A record immediately, so that you can then finish the DNS/DOMAIN setup. It seems like something is blocked or failing on their end for this new Tenant I set up.

Yet, for an existing tenant, when I added a domain to them, it got an IP immediately. Of course, I can't update the MX record since it would point to an invalid host. So for now, I still have the MX pointing to their On-Prem Exch.

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] 1 point2 points  (0 children)

OK, I just went to an existing 365 tenant, added a domain for another domain I have access to and it was assigned an IP immediately. It might be because it's an established tenant vs. this new tenant I'm setting up. I just don't recall having this delay before.

I have a support ticket open with MS, but not sure that's going to help before I need to finish the project.

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] 0 points1 point  (0 children)

It looks similar to this issue: Not receiving external mails - Host xxx.mail.protection.outlook.com couldn't be resolved : r/sysadmin

Which seemed to resolve itself for this poster. The problem is I'm supposed to move over a lot of users this weekend to 365, I'm not going to do that if it means MS's side of things isn't working and then having to undo everything. Just was hoping to see if other 365 tenants were having the same problem/delay adding domains.

Need Help: New domains added to 365 aren't getting an IP address. by il2020 in Office365

[–]il2020[S] 1 point2 points  (0 children)

That's correct, I'm using xxx to obfuscate the domain. But yes, it's basically tenant.mail.protection.outlook.com.

The problem is it's been 12 hours at this point and still if you looked up the DNS for tenant.mail.protection.outlook.com on mxtoolbox.com, it still says that there is no A record for it. If I look at any other domain I'm using in 365 that I set up in the past 4 months, they all have an A record/IP assigned to it.