
What is this dll file?

Tech Reprise

I have a dll file marked as suspicious by HitmanPro but undetected by Kaspersky Premium. Can anyone tell me what file this is? Also why is this marked as suspicious?



  • AMD Ryzen 7 5700X Stock
  • B550 Aorus Elite V2 Rev1.2
  • G.Skill TridentZ RGB 3600Mhz 32gb (8gb x4)
  • MSI Mech 2X RX6600
  • Deepcool AK620 WH
  • Deepcool CK500 WH
  • Kingston A2000 250gb + WD Blue 1tb HDD, Sn550 1tb + MX500 1000gb
  • Antec EAG Pro 750 80+G
  • Benq Mobiuz EX2510 144Hz

I have this file as well, so it's part of the OS. "Microsoft Patch Engine" is the DLL's description. From Hitman Pro's update log it looks like it thinks it's an infected system file. While I'm not sure if that's a false positive, here's what mine is on Win10 22H2: FileVersion 5.0.1.1, Product Version 5.00, 435kb, is digitally signed by Microsoft.


That's a common system file, you'll want to double check and make sure it's still the original, but not surprised Hitman Pro is kind of notorious for flagging system files or non-malicious files as bad. Personally I don't use Hitman Pro or Kaspersky, both are just bleh.

 

Malwarebytes and Windows Defender for the win. 

Main Desktop: CPU - i9-14900k | Mobo - Gigabyte Z690 Aorus Elite AX DDR4 | GPU - ASUS TUF Gaming OC RTX 4090 RAM - Corsair Vengeance Pro RGB 64GB 3600mhz | AIO - H150i Pro XT | PSU - Corsair RM1000X | Case - Phanteks P500A Digital - White | Storage - Samsung 970 Pro M.2 NVME SSD 512GB / Sabrent Rocket 1TB Nvme / Samsung 860 Evo Pro 500GB / Samsung 970 EVO Plus 2tb Nvme / Samsung 870 QVO 4TB  |

 

TV Streaming PC: Intel Nuc CPU - i7 8th Gen | RAM - 16GB DDR4 2666mhz | Storage - 256GB WD Black M.2 NVME SSD |

 

Phone: Samsung Galaxy Z Fold 4 - Phantom Black 512GB |

 


16 hours ago, John Reactor said:

I would try uploading this file to VirusTotal to inspect it further.

Exactly, I would try doing this. 


On 3/1/2024 at 1:25 AM, Murasaki said:

I have this file as well, so it's part of the OS. "Microsoft Patch Engine" is the DLL's description. From Hitman Pro's update log it looks like it thinks it's an infected system file. While I'm not sure if that's a false positive, here's what mine is on Win10 22H2: FileVersion 5.0.1.1, Product Version 5.00, 435kb, is digitally signed by Microsoft.

Yep, mine is the same as yours. Looks like it's a false detection. HitmanPro also detects PunkBuster as suspicious.

 


On 3/1/2024 at 2:31 AM, SpookyCitrus said:

That's a common system file, you'll want to double check and make sure it's still the original, but not surprised Hitman Pro is kind of notorious for flagging system files or non-malicious files as bad. Personally I don't use Hitman Pro or Kaspersky, both are just bleh.

 

Malwarebytes and Windows Defender for the win. 

It's not infected as per VirusTotal or Kaspersky or Windows Defender.


This is the detail from Hitman Pro

 

Authenticode    Invalid
Entropy    6.6
Product    Microsoft® Windows® Operating System
Publisher    Microsoft Corporation
Description    Microsoft Patch Engine
Version    5.00
Copyright    © Microsoft Corporation. All rights reserved.
RSA Key Size    2048
LanguageID    1033
SHA-256    13413648AAC93F6EB10FB451DB553ACAF8CCF7E46669D5D1066D046853E6E35A

Scoring (23.0)
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Time indicates that the file appeared recently on this computer.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
 


3 hours ago, Tech Reprise said:

This is the detail from Hitman Pro

 

Authenticode    Invalid
Entropy    6.6
Product    Microsoft® Windows® Operating System
Publisher    Microsoft Corporation
Description    Microsoft Patch Engine
Version    5.00
Copyright    © Microsoft Corporation. All rights reserved.
RSA Key Size    2048
LanguageID    1033
SHA-256    13413648AAC93F6EB10FB451DB553ACAF8CCF7E46669D5D1066D046853E6E35A

Scoring (23.0)
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Time indicates that the file appeared recently on this computer.
The file is protected by Windows File Protection (WFP). This is typical for critical Windows system files.
 

SHA256 is different from what I have, mind uploading msdelta.dll for me to take a peek to compare?


On 3/3/2024 at 4:42 AM, Murasaki said:

SHA256 is different from what I have, mind uploading msdelta.dll for me to take a peek to compare?

Sure. 

The digital signature is there but somehow it seems corrupted. 
 

msdelta.dll


1 hour ago, Tech Reprise said:

Sure. 

The digital signature is there but somehow it seems corrupted. 
 

msdelta.dll 435.88 kB · 0 downloads

Yeah file itself looks okay and it seems it's due to the digital certificate either expiring or something went wrong. Have you not updated Windows in a while? If it's updated then you can try running DISM or SFC to repair problems with system files. But for sure we know it isn't anything dodgy, just Windows being Windows.


56 minutes ago, Murasaki said:

Yeah file itself looks okay and it seems it's due to the digital certificate either expiring or something went wrong. Have you not updated Windows in a while? If it's updated then you can try running DISM or SFC to repair problems with system files. But for sure we know it isn't anything dodgy, just Windows being Windows.

This is a clean install (Feb 2024) from a bootable USB drive made in December. SFC finds corrupt files but can't repair them, didn't try the DISM command yet.
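
The checks discussed across this thread (version details, SHA-256 comparison, signature status, then DISM and SFC), collected into one PowerShell script as an added example that is not part of any post above. The `-ReferenceHash` and `-Repair` parameters are names made up for this sketch; the reference hash has to come from a copy you trust on the same Windows build.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\msdelta.dll'),
    [string]$ReferenceHash = '',  # hypothetical parameter: SHA-256 of a known-good copy
    [switch]$Repair               # hypothetical parameter: run DISM and SFC on failure
)

$item = Get-Item -LiteralPath $Path
$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# Same fields the posters compared by hand, plus the signature verdict.
[pscustomobject]@{
    Path           = $item.FullName
    Description    = $item.VersionInfo.FileDescription
    FileVersion    = $item.VersionInfo.FileVersion
    ProductVersion = $item.VersionInfo.ProductVersion
    SizeKB         = [math]::Round($item.Length / 1KB, 2)
    LastWriteTime  = $item.LastWriteTime
    SHA256         = $hash
    SignatureType  = $sig.SignatureType   # Authenticode (embedded) or Catalog
    Status         = $sig.Status          # Valid, HashMismatch, NotSigned, ...
    StatusMessage  = $sig.StatusMessage
    Signer         = $sig.SignerCertificate.Subject
    CertNotAfter   = $sig.SignerCertificate.NotAfter
} | Format-List

# Hash comparison only means something against a copy from the same Windows build.
if ($ReferenceHash) {
    if ($hash -eq $ReferenceHash.Trim()) {
        'SHA-256 matches the reference copy.'
    } else {
        Write-Warning 'SHA-256 differs from the reference copy.'
    }
}

# HashMismatch means the file content no longer matches what was signed.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
    if ($Repair) {
        # DISM repairs the component store that SFC restores files from,
        # so it runs first; SFC alone can fail when that store is damaged.
        DISM /Online /Cleanup-Image /RestoreHealth
        sfc /scannow
    }
}
```

After a repair, run the script again without `-Repair` to confirm the status now reads `Valid`.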
