Schneider Electric PowerChute Serial Shutdown uses unsigned Windows installer & matches YARA (1) & Sigma (4) rules
APC UPS COMMs Frustrations
Extracting APC Back-UPS BX750MI shutdown command from "sniffed" USB traffic
Keep APC powerchute serial shutdown from turning off my computer.
Videos
To be clear, I'm not saying the software is malware or is infected.
I had an extended power outage at home today during which nearly all my UPSes ran dry. After powering everything back on, I kept getting emails from 2 of my PowerChute instances that they had insufficient run times. Worried that their batteries might be toast, I logged into the web UIs, only to find PowerChute needed an update.
I downloaded the update and double-clicked the installer. I was surprised to see the UAC prompt that popped up indicate the binary is unsigned. As I do for all such installers, I uploaded it to VirusTotal. There were no detections, but there are no less than 5 YARA and Sigma rule matches.
This led me to search for CVEs, which produced this list of 11 issues, 4 of which are in the past 2 years.
I really like APC UPSes and PowerChute itself, so I'd rather keep them. I also think it would be great if we could get some attention on this so they can improve the security of their software.
I'm unable to vote or comment. So I'll post it as a separate answer.
Seems PowerChute business edition has a bug, if you configure it to use SMTP with TLS no emails are being sent out, I confirmed this using Wireshark (I observed no SMTP traffic being generated at all). The solution is to turn off TLS in the SMTP settings. Please note, some services won't accept non TLS SMTP.
I turned off TLS and it worked. Which is a surprise as TLS works from my Synology and my APC AP9630s.
PowerChute Business Edition Agent Version 10.0.5.301