Skip to main content
Published Jun 21, 2021 | Updated Jun 21, 2021

TrojanDownloader:Win32/Retliften.C

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

This threat is a malicious driver which can intercept network traffic, add new root certificates, set a new proxy server, and modify internet settings without the your consent.

Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat..

To help reduce the impact of this threat, you can:   

1. Validate the alert, collect artifacts, and determine scope

  • Inspect the file or driver for suspicious characteristics
    • Which process created and installed the driver?
    • Is it expected on this device or in the organization?
    • Is the driver in its common location?

If it is not a valid tool used by a network administrator or other expected user, remove the tool and isolate the device from the network.

  • Review the device timeline for suspicious activities that might have occurred before and after the time of the alert.
  • Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.
  • Submit relevant files for deep analysis and review resulting detailed behavioral information.
  • If alert characteristics and device behavioral evidence constitute a true positive, consider some of the initial mitigation actions below. Then, contact your incident response team for potential forensic analysis and remediation. If you don't have one, contact Microsoft support.

2. Initiate containment & mitigation

  • Record all relevant artifacts to be used in mitigation rules and as new threat intelligence.
  • Contact the user to check if the observed behavior was intended.
  • Update AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.
  • Ensure that the device has the latest security updates. In particular, ensure that you have installed the latest version of the driver and accompanying software.
Follow us