From Friday, April 19th (11:00 PM CDT) through Saturday, April 20th (2:00 PM CDT), 2024, ni.com will undergo system upgrades that may result in temporary service interruption.

We appreciate your patience as we improve our online experience.

Home Community Discussion Forums Most Active Software Boards LabVIEW Topic

LabVIEW

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ph_elsec.else shows as malicious

Solved!
Go to solution

ph_elsec.else shows as malicious

‎03-29-2016 10:21 PM

Hello,

 

I recently loaded N.I. CDAQ 9.7.5 on a Lenovo W541, 64 bit, Win 7 Enterprise Laptop.  Our IT dept. has pushed down FireAmp to scan our drives and below in red is what came back.

 

    • Detection:573FD49A5B-100.SBX.VIOC
    • File:exe
    • File path: \\?\C:\Program Files (x86)\National Instruments\RT Images\Base\6.1.1\7115\ph_exec.exe
    • Detection SHA-256: 573fd49a5b20463b342b22a184ef60423482943d190840b1c27e9b938680c81b
    • By Application:exe
    • Application SHA-256: 82ef3b124362b701ac146fffe8c6d2f5a932417bd7011a887665df6f09797a60

Our IT wants to know if this is free from malware and is the .exe needed?  Anything you can tell me about the .exe and its operation would be helpful.

 

Also noted by our IT: that application is being flagged by some of the AV vendors as malicious (see Virus Total report below).  Our Threat Analysis says it is suspicious but the risk score is fairly low (see below).  If it is critical to keep around we would want to get some assurance from the vendor that it does not include malicious code.

 

See the attached file. 

 

Thank you.

 

Regards,

Hugh

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

0 Kudos
Message 1 of 3
(2,930 Views)
Reply
Solution
Accepted by topic author HC1981

Re: ph_elsec.else shows as malicious

‎03-30-2016 01:37 AM - edited ‎03-30-2016 01:41 AM

This file is part of the pharlap kernel used for Pharlap ETS based RT targets from NI. While Pharlap is technically using the windows PE file format for executable files (exe and dll), it is not a real Win32 execution environment and the file structure while resembling a valid Win32 executable file is not strictly the same. So simple Virus scanning tools which only check for the PE header characteristics with unusual variations in it and a single SHA256 hash can conclude that something is fishy. This file is not meant to be run on your computer but on the RT target when you install LabVIEW RT onto it.

 

When trying to start it on a normal computer it should immediately terminate, since it can't access the hardware it is expecting to be present.

Rolf Kalbermatter
My Blog
Message 2 of 3
(2,900 Views)
Reply

Re: ph_elsec.else shows as malicious

‎04-01-2016 07:55 AM

Hello,

 

This is exactly what my IT needed.  Thank you for your quick response!

 

Hugh

0 Kudos
Message 3 of 3
(2,849 Views)
Reply