This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 30%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESF%3C/text%3E%3C/svg%3E)
I downloaded procexp64.zip version 16.43 from sysinternals web site (linked below) and tested on virustotal.
it showed one virus "trojan shelma win32 13165.
I downloaded from: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
I also downloaded tools suite and got the same virus.
for some reason my window defender did not indicate these viruses
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 94%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEH%3C/text%3E%3C/svg%3E)
It is a defender anti-virus update. We just started getting alerts on this today and Procexe…. had been installed on 5 Vm’s a month ago with no issues till this afternoon when Procexe…. was ran. Our defender received an update this morning. Look in C:\ windows\ windows\temp\ , the stub file for MPSigStub.exe file. Bet your issues started close to the time stamp of the stub file.
AM_Delta.exe file is a software component of Microsoft Forefront Endpoint Protection by Microsoft Corporation.
An executable file named "AM_Delta.exe" containing changes to antimalware threat definitions, to keep Forefront Endpoint Protection or other Microsoft antimalware products current with constantly changing malware threats. The file name may also be "AM_Delta_Patch.exe" or "AM_Delta_Patch.1.exe", although "_Patch" files are usually 300MB-400MB in size while "AM_Delta.exe" files are about 10 times larger, depending upon the volume of threat definitions included. The execution of an "AM_Delta.exe" or "_Patch" file is started using "MPSigStub.exe" with the name of the signature update file as a parameter.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
I just checked and only one vendor (CRDF) detected it as malicious (in the VirusTotal) and most trusted Anti-Malware vendors mark it as safe.
I believe this is false-positive and you may report this issue to the Anti-Malware vendor.
wait a second. isn't this program from microsoft and shouldn't you be checking it out?
I just checked the file again. actually virus total lists 2 vendors but there is only one listed.
the viruses found are: trojan.shelma.ljx and trojan.shelma.win32 13165
the vendor listed is jiangmin and not CRDF
This is what I see in the VirusTotal:
The file is safe for sure and this is a false-positive or incorrect detection.
Would you mind share the link and/or screenshot from your scan?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello
Thank you for your question and reaching out. I can understand you are having issues related procexp64.zip detected as virus.
I would suggest you to do the Full Virus Scan on your Computer then download again procexp64.zip from Microsoft.
Also please Cleanup below Temp folders
C:\Windows\Temp
%USERPROFILE%\AppData\Local\Temp
--If the reply is helpful, please Upvote and Accept as answer--
