Cubase Folder Access Blocked and Various Computer Problems in the Wake of that

Earlier today my computer got attacked by a Trojan. I’m fairly certain I’ve now cleansed the computer, but when I try to start Cubase I get the following message:

“Unauthorized changes blocked
Controlled folder access blocked Cubase12.exe from making changes.”

I checked Windows Firewall, and Cubase is allowed to communicate through the firewall, so I don’t know what my next step should be.

Thanks for any help you can provide.

IMHO if you’ve ever had a virus on it, it’s time to rebuild. Wipe the lot, reinstall the OS, and reinstall Cubase.

That’s the nuclear option, but I re-booted the computer and it appears to be working just fine.

Famous last words? I guess I’ll find out.

Thanks for your assistance.

PS: Also, I restored the computer to a time prior to the virus infection, and ran several scans. I’ll run a full scan overnight.

This is from Microsoft:

"This virus is probably caused by the use of some third-party cracking programs or problematic programs. And Trojan:Win32/Wacatac.H!ml is just among them.

Trojan:Win32/Wacatac.H!ml malware is incredibly difficult to erase by hand. It puts its files in multiple places throughout the disk, and can restore itself from one of the parts. Moreover, a lot of alterations in the registry, networking configurations and also Group Policies are quite hard to find and change to the initial.

It is better to use an anti-malware app.

If your PC has a restore point, you can also use the restore point feature to restore your PC to a correct point in time."

BTW I don’t use ANY cracked software…never have. I’m pretty sure my computer got infected when I clicked on an innocent looking music-related link that was supposed to lead to a YouTube video.

Did you run any Native Instruments installers or updaters by any chance?

It seems over the last few days some of them have been flagged by Windows defender as containing the Wacatac Trojan.

YES!!!

In fact I got the original alert from Windows Defender while I was running Native Access.

I wondered if that could be the cause, but I (perhaps naively) trust NI to be virus-free, so I didn’t give it any further thought. And I thought the virus warning was due to that “YouTube” link I clicked on.

I spent most of my dealing freaking out over this. There’s talk (on that link you provided) that it may be a false positive.

Thank you.


So did you find evidence of that Trojan being on your computer after the installation of NI software?

Also I’m curious, which NI software title did you install? I’m asking because I also got the alert but only on 1 of the 3 installs that Native Access was performing. So I didn’t end up installing the update for Maschine 2. But the updates for Massive X and Komplete Kontrol went without the interception by Microsoft’s Defender so they got installed on my system. – As you can imagine, now I’m somewhat nervous.

by the way - your original question appears to have a solution outlined here:

You could upload the installers to virustotal, that might give you an indication about whether it is a false positive or not.

Sounds like a contradiction … Looks like you hope that you got rid of the virus>

My advice: backup everything you need NOW (before it is too late) and go on YouTube to learn how to perform a clean Windows install.

I first got the warning while I was running NI updates via Native Access. I hadn’t updated NI products in a while, and there were at least 2 dozen that needed updating.

After getting the first alert and telling Windows Defender to “take action”…I think that’s the phrase it used…I saw several repeated warnings. This makes me suspect that it was indeed a virus, because the particular virus WD warned me of copies itself, or parts of itself, in multiple places in the system. When one is neutralized, another one pops up.

I can’t recall the exact sequence of events, but the update process took quite a while, and most of the virus alerts occurred while the updates were in progress. The process seemed to stall on 2 or 3 NI products, and I’m pretty sure Maschine was one of them. But I recall at least one alert occurred after the updates had completed.

“You could upload the installers to virustotal, that might give you an indication about whether it is a false positive or not.”

I have no idea how I would do that when the whole process is handled by Native Access.

Thanks anyway.

"Sounds like a contradiction … Looks like you hope that you got rid of the virus>

My advice: backup everything you need NOW (before it is too late) and go on YouTube to learn how to perform a clean Windows install."

Perhaps a contradiction, but after a simple reboot the computer appears to be working as it should. And I’ve run several scans which have found nothing.

My files are backed up and I have a system image on an external USB drive, but I’ve now realized that I didn’t make a new recovery drive when I upgraded to W11, so I’m going to work on that.

From everything you’ve written, and if today’s post from the responsible NI product manager holds true, there’s a good chance that you never had that Trojan/Virus infection, because the whole thing was:

  • either a repeated false positive (as NI currently thinks)
  • or Defender caught them all before they got into your system
  • or both

However it’s conceivable that Defender locked down a plugin folder that Native Access was trying to install to repeatedly in a short time (since it had to process quite a few updates).

I honestly don’t know how Defender operates in detail, but if you find the error message of the locked folders not going away for Cubase, maybe try to unlock access for Cubase via the process outlined on the Microsoft website:

In retrospect I think ALL of the alerts I saw occurred during my attempts to upgrade via Native Access. But I was panicky and distracted, so my memory of events may be unreliable.

In order to use Cubase I have had to manually add it to the allowed list under Controlled Folder Access. No big deal, and no other problems have shown up.

Thanks again.


Recently I tried to update my Native Instruments apps via Native Access. Unfortunately, at that time one or more of their updates got flagged by Windows as a virus. Many people experienced the same problem.

Eventually it got sorted out, and it was not a virus. However, in the process some setting or group of settings on my computer got changed, resulting in some on-going problems.

For example, I run 2 audio interfaces. Most people advise not to do this, but I’ve been able to right along. I often run Cubase and Synfire at the same time (each on a different audio interface)…not having them both play at the same time, but having them both up and running. But now if I’m running Cubase and then start Synfire, the Cubase performance meter immediately maxes out. If I then quit Synfire, the meter reverts to normal.

I had a similar problem when I first started using Cubase. The performance meter was maxed no matter what, even with no other program running. Someone on the old forum made a suggestion that fixed this problem, but I can’t recall what it was, and apparently the old forum is defunct.

A second problem is that my Controlled Folder Access settings have apparently changed. Formerly CFA assumed every app was benign, and let everything through unless it detected a problem. But now it assumes every app is a problem, and lets through only those apps that I specifically add to a list of allowed apps.
This is extremely inconvenient.

A third problem is that if I try to stream audio, the audio is distorted and often slowed down. Cubase audio is fine, as is Synfire’s and any downloaded audio. But streamed audio is not working properly.

Altogether it seems I am fighting various problems at every step. I would appreciate any pertinent suggestions. Thank you.
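An added example, not part of the original thread: a PowerShell check of the Controlled Folder Access (CFA) mode described in the post above, the recent Defender block and settings-change events, and the allow-list step that the earlier post did by hand. The executable path is an assumed placeholder, and the script expects an elevated session with the built-in Defender module.

```powershell
# Added example. Run in an elevated PowerShell session on Windows 10/11.
# Assumed placeholder path: use the path shown in the Defender block notification.
$AppPath = 'C:\Path\To\Cubase12.exe'

# 1. Current CFA mode as Defender reports it.
$pref  = Get-MpPreference
$modes = @{
    0 = 'Disabled'
    1 = 'Enabled (block)'
    2 = 'Audit mode'
    3 = 'Block disk modification only'
    4 = 'Audit disk modification only'
}
$mode = [int]$pref.EnableControlledFolderAccess
"CFA mode: $mode ($($modes[$mode]))"

# 2. Extra protected folders and the apps already on the allow list.
"Protected folders:"; $pref.ControlledFolderAccessProtectedFolders
"Allowed apps:";      $pref.ControlledFolderAccessAllowedApplications

# 3. Recent Defender events that explain the behaviour:
#    1123 = CFA blocked a write, 1124 = CFA audited a write,
#    5007 = a Defender setting was changed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124, 5007
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue |
    Select-Object -Property TimeCreated, Id, Message -First 20 |
    Format-List

# 4. Allow one specific executable, and only if it exists and carries a
#    valid Authenticode signature. Unsigned or tampered files are skipped.
if (-not (Test-Path -LiteralPath $AppPath)) {
    Write-Warning "File not found: ${AppPath}"
} else {
    $sig = Get-AuthenticodeSignature -FilePath $AppPath
    if ($sig.Status -eq 'Valid') {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $AppPath
        "Added ${AppPath} (signer: $($sig.SignerCertificate.Subject))"
    } else {
        Write-Warning "Not adding ${AppPath}: signature status is $($sig.Status)"
    }
}
```

The 5007 entries show when a Defender setting changed, which helps date the point at which CFA started blocking applications.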

Can you specify your question, please?

One simple thing to do would be to format your hard drive and start fresh.

Nearly all posts from the previous forum have been copied here to the new one.

That was bad behavior on Windows side. It wasn’t a virus.

I’m aware of that, as evidenced by this, which I wrote in my original post:

"Eventually it got sorted out, and it was not a virus."

@Steve:
As for your suggestion that I format my hard drive, this really seems like the most extreme measure. There must be other (less destructive, difficult, and time consuming) things to try first, especially since this was not due to a virus.

As for specifying my question, I think I did a good job of describing the problems I’m encountering. Is this the Jeopardy game show, where I’m penalized if I don’t state everything in the form of a question?

Thank you for clueing me in to the fact that posts from the old forum may still be available.

Some of the problems you’ve described seem quite unrelated to Steinberg software. Like the streaming problems and CFA settings.

And the original triggering issue you’ve described was also entirely outside of the Steinberg ecosystem.

So there may be better places than here to look for answers for those specific issues?


A valid point, but I think there’s a good chance others on this forum have experienced similar problems, since they also may have tried to update NI apps at the time that false virus alarm was a thing.

When I first posted about the “virus” problem (2 or 3 weeks ago), other members of this forum were quite helpful, and aware of the true cause of the problem.

But yes, maybe I should seek help elsewhere.

Thanks for your input.