
ph_exec.exe shows as malicious


Hello,

 

I recently loaded N.I. CDAQ 9.7.5 on a Lenovo W541, 64 bit, Win 7 Enterprise Laptop.  Our IT dept. has pushed down FireAmp to scan our drives and below in red is what came back.

 

    • Detection: 573FD49A5B-100.SBX.VIOC
    • File: exe
    • File path: \\?\C:\Program Files (x86)\National Instruments\RT Images\Base\6.1.1\7115\ph_exec.exe
    • Detection SHA-256: 573fd49a5b20463b342b22a184ef60423482943d190840b1c27e9b938680c81b
    • By Application: exe
    • Application SHA-256: 82ef3b124362b701ac146fffe8c6d2f5a932417bd7011a887665df6f09797a60

Our IT wants to know if this is free from malware and is the .exe needed?  Anything you can tell me about the .exe and its operation would be helpful.

 

Also noted by our IT: that application is being flagged by some of the AV vendors as malicious (see Virus Total report below).  Our Threat Analysis says it is suspicious but the risk score is fairly low (see below).  If it is critical to keep around we would want to get some assurance from the vendor that it does not include malicious code.

 

See the attached file. 

 

Thank you.

 

Regards,

Hugh

Message 1 of 3
(3,097 Views)
Solution
Accepted by topic author HC1981

This file is part of the Pharlap kernel used for Pharlap ETS based RT targets from NI. While Pharlap is technically using the Windows PE file format for executable files (exe and dll), it is not a real Win32 execution environment, and the file structure, while resembling a valid Win32 executable file, is not strictly the same. So simple virus scanning tools which only check for the PE header characteristics with unusual variations in it and a single SHA256 hash can conclude that something is fishy. This file is not meant to be run on your computer but on the RT target when you install LabVIEW RT onto it.

 

When trying to start it on a normal computer it should immediately terminate, since it can't access the hardware it is expecting to be present.

Rolf Kalbermatter
Message 2 of 3
(3,067 Views)
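
A triage sketch for the situation in this thread, added here as an example (not code from NI or from either poster): it hashes a file so the result can be compared with the SHA-256 in the scanner alert, then reports PE header fields that differ from what an ordinary Win32 program carries. The thread does not say which header fields differ in ph_exec.exe, so the three checks below and the `build_sample` stub are assumptions chosen for illustration.

```python
import hashlib
import struct

PE32, PE32_PLUS = 0x10B, 0x20B
WIN32_SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}  # ordinary user-mode programs

def triage_pe(data, flagged_sha256=None):
    """Hash a file image and note PE header fields that look unusual for Win32."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "notes": []}
    if flagged_sha256:
        report["matches_detection"] = report["sha256"] == flagged_sha256.lower()
    if len(data) < 0x40 or data[:2] != b"MZ":
        report["notes"].append("no MZ header")
        return report
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # 4-byte "PE\0\0" signature + 20-byte COFF header
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        report["notes"].append("no usable PE header at e_lfanew")
        return report
    machine, sections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    report.update(machine=machine, sections=sections, characteristics=chars, subsystem=subsystem)
    if magic not in (PE32, PE32_PLUS):
        report["notes"].append(f"unexpected optional-header magic {magic:#x}")
    if not chars & 0x0002:  # IMAGE_FILE_EXECUTABLE_IMAGE
        report["notes"].append("EXECUTABLE_IMAGE flag not set")
    if subsystem not in WIN32_SUBSYSTEMS:
        report["notes"].append(f"subsystem {subsystem} is not a Win32 GUI/console value")
    return report

def build_sample(subsystem):
    """Constructed 0x200-byte PE32 header stub for the demo; not a real NI file."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # i386, 1 section, 0xE0-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", img, 0x98, PE32)
    struct.pack_into("<H", img, 0x98 + 68, subsystem)
    return bytes(img)

if __name__ == "__main__":
    for label, sub in (("win32-like", 3), ("non-win32 subsystem", 0)):
        print(label, triage_pe(build_sample(sub)))
```

To check a real file, pass `open(path, "rb").read()` as `data` and the SHA-256 from the alert as `flagged_sha256`.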

Hello,

 

This is exactly what my IT needed.  Thank you for your quick response!

 

Hugh

Message 3 of 3
(3,016 Views)