Temporary files created on Windows startup (detected as trojans by Antivirus)

[mamu0]

Hi everyone,

I’m using the Windows version of Turing Smart Screen (version 3.9.5, installed via the .exe installer) on Windows 11 Pro.
Each time I start my PC, the program creates a temporary file like this:

C:\Windows\SystemTemp\UDD7B8A.tmp

The filename changes every time (it always starts with UDD), but Windows Defender keeps flagging it as a potential trojan.

Since the file name changes on each reboot, I can’t exclude it from Defender without excluding the entire SystemTemp folder, which wouldn’t be safe.

I was wondering if this is expected behavior, and if you’re aware of why these files are being generated.
Is there any known way to prevent them or configure the program differently?

Aside from this, everything works fine, it’s just a bit concerning from a security perspective.

Thanks in advance for your help and for the great work on this project!

[c0ldJS]

"... if this is expected behavior, and if you’re aware of why these files are being generated."

The "UDD" in UDDxxxx.tmp stands for "Unmanaged Device Discovery". In short, they often come up when select libraries intend to provide insight upon system particulars near the spinal column.

Defender is particularly wary about WinRing0, a legit hardware access library used by a lot of tools used in performance monitoring. In the context of the turing_smart_screen project, LibreHardwareMonitor utilizes WinRing0.

The bad news is that WinRing0 contained a vulnerability that, because of its inherent ability to delve into low level access, earned it a CVE. The good news is that the issue can be mitigated and several implementations of it have been repaired. The bad news is that old, vulnerable versions (plus Trojanized versions) are still out in the wild so Defender makes a sweeping generalization.

There's also a whole other ball of wax about libraries that load in as admin, which tends to give heuristic detection the willies.

"Is there any known way to prevent them or configure the program differently?"

The quick and easy route is to configure turing_smart_screen to only ever use Python for its metrics pull. Depending upon your monitoring needs/desires and what you want out of a theme, that may or may not be an actual solution (Python doesn't have nearly as many, or the same, performance metrics that LHM can provide).

If you add LibreHardwareMonitorLib.dll as an exclusion, does Defender slow its roll?

[mamu0]

The quick and easy route is to configure turing_smart_screen to only ever use Python for its metrics pull. Depending upon your monitoring needs/desires and what you want out of a theme, that may or may not be an actual solution (Python doesn't have nearly as many, or the same, performance metrics that LHM can provide).

Thanks for the explanation! I tried doing what you said and modified config.yaml to use HW_SENSORS: PYTHON (it was initially set to AUTO, but considering that I'm using Windows, it was probably automatically using LHM).
Now it seems to have stopped generating those files, and the antivirus isn't finding anything 💯

If you add LibreHardwareMonitorLib.dll as an exclusion, does Defender slow its roll?

I tried excluding it, both the file and the entire process, but unfortunately it didn't work (I had already excluded the entire folder for main.sys, which is generated at every startup).