ASG RD 2019 x64 doing ransomware attempts
#1
All builds of ASG RD 2019 have been detected during the installation process as containing malware and running processes that perform unauthorized file encryption. This issue never existed with ASG RD 2018.
The following file is attempting unauthorized file encryption and is therefore being quarantined:
C:\Users\[username]\AppData\Local\Temp\~nsua.tmp\un_a.exe

Would the developers please explain why this un_a.exe process is attempting to do unauthorized file encryptions during the installation process of ASG RD 2019?
#2
Which software has detected malware? We are also using anti-malware and antivirus software and nothing was detected... I also can't find this file that you are talking about. Are you sure this file is from the installation of ASGRD? There is an install log in the setup. Do you see that file there? I can't...
Regards/Gruss
Oliver
#3
Without question, this file is from the installation process of ASG RD. I was able to reproduce the issue on two different systems with identical results. The ~nsua.tmp folder and its contents are generated during the installation process of the software. I have noticed this in at least the last two builds of ASG RD 2019 x64, so it's not a transient issue associated with a bug that was fixed.
The software that is detecting it is Trend Worry Free Business Security Services. We use that endpoint protection agent on over 5000 systems, and find that it does not generate false positives. So there is something that the un_a.exe application is doing that appears to be "unauthorized file encryption". WFBiz then attempts to quarantine it, fails, and then renames it with a .000 extension in order to prevent it being accessed as an EXE.

In the same location as ~nsua.tmp folder, I see other folders that are also associated with the installation process of ASG RD 2019 x64. I am able to do manual cleanup after the install is finished. Manual cleanup means delete everything in C:\Users\[username]\AppData\Local\Temp. ASG RD works fine without those temp files. I expected that temp files would be removed by the final cleanup operations of the installer process, but the ~nsua.tmp folder and the other folders in the same location associated with the ASG RD installer are not deleted by the installation process.
I have been using ASG RD for about the last 10 years, and this is the first time the installer has behaved in this way.
#4
First, thank you for your attention. We really take that seriously, but we can't reproduce your findings even by using the latest scan engines to check the installer or installed files. Our assumption is that the file in the user's appdata\temp directory is used temporarily by the Nsis installer we use. You can find some articles on the internet that describe exactly the same behaviour with un_a.exe, flagged by Trend Micro as doing "unauthorized file encryption", but it's indeed a false positive; the file is used as an uninstaller process by the installer. Depending on the heuristic methods used by the scanner, false positives could occur easily, and exactly your findings are described as temp files used by Nsis. It's possible that the file creation of un_a.exe in "C:\Users\[username]\AppData\Local\Temp\~nsua.tmp\" may come from write protections through the Trend Micro AV Suite. But that's an assumption, after finding exactly the same situation in the support section of Nsis. They also say that TrendMicro's engine could give false positives on Nsis components! If you want, you can send me the exe file zipped and renamed as txt to my company address for further research.

Best regards,
Michael Scholz
best regards,
Michael -- michael.scholz@asg.com --
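Added here as an example, not from this thread, ASG or Trend Micro: a small PowerShell triage helper that collects the evidence both sides of this discussion would want before deciding "false positive". For the flagged file (default path assumed to be the one quoted in the thread; pass the .000-renamed copy if WFBiz has already renamed it) it records size and timestamp, the SHA256 hash, the Authenticode signature status, the PE version resource, and whether the file carries the "NullsoftInst" first-header marker that NSIS-built (un)installer stubs contain, then lists any leftover ~ns*.tmp scratch folders in the same Temp directory. The path default and the marker check are assumptions stated in the code.

```powershell
# Added triage helper (not from the thread or the vendor).
# Assumes the file sits at the path quoted in the thread unless another is given.
param(
    [string]$Path = "$env:LOCALAPPDATA\Temp\~nsua.tmp\un_a.exe"
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path (if WFBiz renamed it, pass the .000 name)"
    }

    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $ver  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($item.FullName)

    # Assumption: NSIS (un)installer stubs carry the literal marker "NullsoftInst"
    # in their first header; its presence is consistent with an NSIS stub, its
    # absence means the file is something else and deserves a closer look.
    $bytes  = [System.IO.File]::ReadAllBytes($item.FullName)
    $ascii  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $isNsis = $ascii.Contains('NullsoftInst')

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        LastWriteUtc    = $item.LastWriteTimeUtc
        SHA256          = $hash
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        ProductName     = $ver.ProductName
        FileDescription = $ver.FileDescription
        HasNsisMarker   = $isNsis
    }
}

function Get-LeftoverNsisTempFolders {
    # NSIS scratch folders use the ~ns*.tmp naming seen in the thread; post #3
    # notes they are not removed after setup finishes.
    param([string]$TempRoot = "$env:LOCALAPPDATA\Temp")

    Get-ChildItem -LiteralPath $TempRoot -Directory -Filter '~ns*.tmp' -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTimeUtc,
            @{ Name = 'Files'; Expression = { (Get-ChildItem -LiteralPath $_.FullName -File -Recurse).Count } }
}

Get-SuspectFileReport -Path $Path | Format-List
Get-LeftoverNsisTempFolders | Format-Table -AutoSize
```

Run it from the account that performed the install, since the Temp path is per-user. The SHA256 and the sibling-folder listing are what to send along with the zipped sample: they let the vendor confirm the hash matches the uninstaller stub their NSIS build produces, and let the AV team file an exclusion or false-positive report against a specific hash rather than a file name.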