Riskware/ConexantKeyLogger

Analysis


Riskware/ConexantKeyLogger is the detection for a Conexant audio driver component that poses a security risk: it logs every keystroke for as long as the driver is running.
Keystrokes are captured with SetWindowsHookExW using a low-level keyboard hook (WH_KEYBOARD_LL), so the component receives every key event in the interactive session regardless of which window has focus. The key code of each pressed key is then passed to OutputDebugStringW. Debug-string output is delivered to an attached debugger or, when none is attached, to a shared buffer that any local debug-output viewer such as Sysinternals DebugView can read, so any program monitoring debug output on the machine sees every keystroke.
It also writes the keystrokes to the file C:\Users\Public\MicTray.log. Because C:\Users\Public is readable by every local account, the log is exposed to any user or process on the machine, not only to the user who typed.
Riskware/ConexantKeyLogger has been reported inside a cabinet file named MicTray.cab in the Windows driver store (C:\Windows\System32\DriverStore\). FortiClient cannot quarantine it there because the driver store is a protected location, but the driver package can be removed manually from an elevated (administrator) context. Removing a driver package from the driver store does not uninstall any operational devices that currently use its driver.
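The following PowerShell triage script is an added example for this entry; it is not Fortinet tooling and not part of the Conexant driver. It checks for the C:\Users\Public\MicTray.log file named above and reports which accounts can read it, searches the driver store for MicTray.cab, and lists driver packages from pnputil /enum-drivers whose fields mention MicTray so that the matching package can be removed with pnputil /delete-driver. The function names, the assumption that the package's INF or provider fields contain the string "MicTray", and the use of pnputil /enum-drivers (Windows 10 1607 or later) are assumptions; deleting from the driver store requires an elevated prompt.

```powershell
# Added example (not part of the Fortinet entry or the Conexant driver).
# Paths come from the analysis text; the function names, the "MicTray" match
# on pnputil fields, and the -WhatIf guard on removal are assumptions.
# pnputil /enum-drivers and /delete-driver need Windows 10 1607 or later;
# removal must run from an elevated (administrator) prompt.

$LogPath     = 'C:\Users\Public\MicTray.log'
$DriverStore = "$env:SystemRoot\System32\DriverStore"

function Test-MicTrayLog {
    # C:\Users\Public is readable by every local account, so report who can
    # read the log as well as whether it exists.
    if (-not (Test-Path -LiteralPath $LogPath)) { return $null }
    $item = Get-Item -LiteralPath $LogPath
    $readers = (Get-Acl -LiteralPath $LogPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Read|FullControl' } |
        Select-Object -ExpandProperty IdentityReference
    [pscustomobject]@{
        Path     = $item.FullName
        Bytes    = $item.Length
        Modified = $item.LastWriteTime
        Readers  = ($readers -join ', ')
    }
}

function Find-MicTrayCab {
    # Locate the cabinet named in the analysis anywhere under the driver store.
    Get-ChildItem -LiteralPath $DriverStore -Recurse -Filter 'MicTray.cab' `
        -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Get-MicTrayDriverPackages {
    # pnputil prints one "Key: Value" block per package, separated by blank
    # lines. Turn each block into an object and keep those mentioning MicTray.
    $pkgs = @()
    $cur  = @{}
    foreach ($line in (pnputil /enum-drivers)) {
        if ($line -match '^\s*$') {
            if ($cur.Count) { $pkgs += [pscustomobject]$cur; $cur = @{} }
            continue
        }
        if ($line -match '^(?<k>[^:]+):\s*(?<v>.*)$') {
            $cur[$Matches['k'].Trim()] = $Matches['v'].Trim()
        }
    }
    if ($cur.Count) { $pkgs += [pscustomobject]$cur }
    $pkgs | Where-Object { $_.PSObject.Properties.Value -match 'MicTray' }
}

function Remove-MicTrayDriverPackage {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Delete the package from the store only. Without /uninstall, devices that
    # are already bound to the driver keep working, as the analysis notes.
    foreach ($pkg in Get-MicTrayDriverPackages) {
        $inf = $pkg.'Published Name'
        if ($inf -and $PSCmdlet.ShouldProcess($inf, 'pnputil /delete-driver')) {
            pnputil /delete-driver $inf
        }
    }
}

Test-MicTrayLog
Find-MicTrayCab
Get-MicTrayDriverPackages
Remove-MicTrayDriverPackage -WhatIf   # drop -WhatIf from an elevated prompt to delete
```

Run the three read-only checks first; Remove-MicTrayDriverPackage is left in -WhatIf mode so it only prints the oemNN.inf it would pass to pnputil /delete-driver. Review that list against Get-MicTrayDriverPackages output before removing the guard, since the "MicTray" match is an assumption about how the package is named on a given system.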

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     AV database
FortiGate                   Extended
FortiClient                 Extreme
FortiAPS
FortiAPU
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date Version Detail
2021-09-27 89.03920