Vsshelper is marked as malicious by other AV/EDR vendors

Problem

Vsshelper.exe, a component of Endpoint Central's Anti-Ransomware, is marked as malicious by security applications.

Cause

Vsshelper reserves shadow storage space and creates regular backups. Because of this behaviour, security vendors may falsely label the binary as malicious, even though it is signed by ManageEngine's parent organization, Zoho Corporation.

Why does vsshelper create regular backups?

A ransomware intrusion targets files on the system, infecting and encrypting them. To counter this, vsshelper periodically creates backups that are used to restore infected files to their latest backed-up state.

Functionalities of vsshelper:

  1. Creating backups.
  2. Setting up the maximum shadow storage space.
  3. Downloading the program database.

Resolution

Allowlist vsshelper.exe, or mark vsshelper.exe as a false positive, in the security application that flags it.

Signature details of vsshelper.exe:

  • Verified: Signed
  • Signers: ZOHO Corporation Private Limited
  • Cert Status: Valid
  • Valid Usage: Code Signing
  • Cert Issuer: Sectigo RSA Code Signing
  • CA Serial Number: 00 D1 9D B1 A5 42 FF D3 D9 9B 83 20 8F E9 E8 0F E3
  • Thumbprint: 0CFE8E393E639170AEB1AC4CB8928258z45FF36C
  • Algorithm: sha256RSA
  • Company: Zoho Corporation Pvt. Ltd
  • Description: MEEDRVssHelper.exe
  • Product: EDR
  • Prod version: 1.0.0.1
  • File version: 1.0.0.1
  • MachineType: 64-bit
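Before adding the exclusion, confirm that the binary on disk actually carries the signature described above. The following PowerShell is an added example, not ManageEngine's own tooling; the install path is a placeholder, and the expected signer and issuer strings are taken from the signature details listed above.

```powershell
# Added example: verify the Authenticode signature of vsshelper.exe before allowlisting it.
# Expected signer/issuer values come from the signature details above; the path is a placeholder.
function Test-VssHelperSignature {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$ExpectedSigner = 'ZOHO Corporation Private Limited',
        [string]$ExpectedIssuer = 'Sectigo RSA Code Signing'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid (NotSigned, HashMismatch, UnknownError) means the file
    # is not the intact vendor-signed component and must not be allowlisted.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
        return $false
    }

    $subject = $sig.SignerCertificate.Subject
    $issuer  = $sig.SignerCertificate.Issuer
    $ok = ($subject -like "*CN=$ExpectedSigner*") -and ($issuer -like "*$ExpectedIssuer*")
    if (-not $ok) {
        Write-Warning "Unexpected signer. Subject: $subject; Issuer: $issuer"
    }

    # Show the fields an analyst compares against the vendor's published details
    # (thumbprint and file version included) without affecting the return value.
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $subject
        Issuer      = $issuer
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        FileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    } | Format-List | Out-String | Write-Host

    return $ok
}

# Usage (placeholder path; substitute the agent's actual install directory):
# Test-VssHelperSignature -Path 'C:\<EndpointCentralAgentDir>\vsshelper.exe'
```

Add the exclusion in your AV/EDR product only if the function returns True; a False result with a HashMismatch or NotSigned status means the file is not the signed component this article describes.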

Learn more on Endpoint Central's Anti-Ransomware
