Tetranitrocubane

Members | Posts: 86
Everything posted by Tetranitrocubane

  1. Much appreciated! I still don't understand how Sysinspector could crash when I wasn't running it, but this seems like an issue that will be resolved with the next version update. Thank you much.
  2. ESET is urging me to update to version 7.3.3700.0. I came here to see the changelog, but notice that 7.3.2100.0 is still listed as the latest version. Is v 7.3.3700.0 legitimate?
  3. Thanks tremendously, Marcos! I'll stand by, and in the meantime, proceed as normal. Very much appreciate your help!
  4. Not to be rude, but is any further information required? I am trying to avoid using the impacted machine until there's word on these logs. Thanks much!
  5. Great! Thank you for the reassurance, itman. I have uploaded the logs as requested. eav_logs_2.zip
  6. I have no issue with the samples being submitted - I just would like ESET to alert me when it sees malware activity so I know a system is potentially compromised.
  7. No, as a matter of fact, at the times when these minidumps were uploaded, I was not trying to run Sysinspector at all. This smells fishy. I have generated the requested logs. Is it safe to upload them here? I am unsure if the logs contain sensitive system information that should not be public.
  8. I was doing some various troubleshooting on my computer this afternoon, when something odd started happening. At a certain point, I ran Sysinspector to ensure that nothing untoward was happening on the system. Two and a half hours later, the ESET event log showed that ESET started to upload Sysinspector files to the ESET Virus Lab, and continued doing so every few hours. I cannot locate these files that ESET is uploading. The ESET log shows that ESET never uploaded anything to the Virus Lab before today, so this has me very worried. If these files are suspicious, why didn't ESET alert me to them? Why didn't ESET even verify or notify me that it was uploading these files? Why is ESET suspicious of files generated by a part of its own software? Why does ESET continue to find more and more of the .mdmp files, even though I've only collected two Sysinspector snapshots? Where ARE these .mdmp files located on the system? I cannot find them anywhere, even with a PowerShell-driven command line search. Overall, is this expected and normal behavior? Or an indication something is wrong? If something is wrong, why is ESET silently doing this without sending me notice? Thanks tremendously. I admit I'm out of my depth on this one.
  9. As this file submission issue may be an unrelated event, I will open a new thread about it in the appropriate subforum.
  10. ESET is now sending multiple files to the ESET Virus Lab without explanation or notification. Again, ESET has never done this before. It seems to be sending its own Sysinspector logs for some reason? The timing makes zero sense. I was not accessing Sysinspector or these files at the time of submission. Could this be related to what's going on? Why is ESET flagging and sending things suddenly? These are files that have been around for some time.
  11. I managed to get the legit copy by deleting the previous install and redownloading from Steam. The second time it downloaded, no detections. The game installs and launches fine after the redownload. Not sure if the "UnityPlayer.dll" submission was from the redownload or not - there was not a path provided by ESET.
  12. Two more interesting things I noticed in the ESET logs. First, when I scanned the un-quarantined EventEditor, it did register as malicious directly. It recognized it as ML/Augur trojan, again. So it seems that ESET does take exception to this file specifically - not just what potentially was being injected into Steam.exe at the time, and was prevented. Second, I noticed in the Event logs that ESET uploaded a file from my computer, "UnityPlayer.dll", to ESET. I did not submit this file, nor was I notified of a suspicious file on my system that ESET was automatically uploading. I've never seen this before and there are no other examples of it in the logs. "Time;Component;Event;User 5/24/2023 11:48:28 AM;ESET Kernel;File 'UnityPlayer.dll' was sent to ESET Virus Lab for analysis.;SYSTEM" This time would have coincided with the second download of BattleTech from Steam.
  13. I'm torn. Itman, that sounds like a theory I hadn't considered, and is plausible. Though I will note: On a redownload of the game, I went into the download directory early on in the download process, and found EventEditor.exe in the path ESET had previously flagged. When I examined THIS file, it was ALL zeros. Steam proceeded to download the legitimate file, that matched previous SHA-1 hashes. ESET didn't make a peep this time around. Steam pre-allocates files before beginning downloads, so there's a chance that the reason the flagged file has all those zeros is that Steam downloaded a portion, then stopped, then ESET scanned it. However, I cannot verify that. What course of action would you recommend from here? I have done a full system scan. It has come back negative. But if your theory is correct, whatever is trying to do this injection is already invisible to ESET. Thank you for verifying, Marcos! Do you have any idea why this file would be flagged in the manner it was? If it's not too much trouble, could I ask for your risk assessment of this situation?
  14. Interesting development in this story: I sent the flagged EXE to a friend of mine, who had a theory. Opening the legitimate EXE in a hex editor, and comparing to the flagged EXE opened in that same hex editor revealed something interesting - The files are identical to a point. Then the flagged file becomes nothing but zeros for the rest of the file. After hex code 001FFFF0, the flagged file becomes nothing but zeros for the rest of the file. The legit file has identical data for 001FFFF0 and prior: Is it possible Steam might've downloaded only a partial file, and that somehow got flagged?
  15. I briefly unquarantined the file, and scanned via VirusTotal: Here's the VirusTotal Report. Two detections, neither ESET. ESET flagged the file again on removing it from quarantine.
  16. Comparing SHA1 hashes to other people who legitimately and previously downloaded this game confirms the hash doesn't match. Legit hash: 27f111c3a6a7d9fb2ac9531f3d8118e072cca33e Suspicious hash: 0EF5E53D06EEB83310D694B243E2A1F2E9F135E3 I appreciate what you are saying, but trying to contact Steam is futile. They do not respond to these requests or inquiries.
  17. A friend of mine who owns the game uploaded the file to VirusTotal. It's a completely different hash. I have no idea what is going on at this point.
  18. Those are incredibly disturbing articles, and highlight my own misplaced trust in Steam. I appreciate your sharing them. It feels as if this could be a legitimately malicious file that Steam was serving.
  19. Further update: Apparently these game files haven't been changed for over two years. The game hasn't received a patch since late 2020 - Meaning this file should effectively be the same as it has been for a long while. The only thing I can think of is that either updated detections from ESET are overzealous on this, or else Steam is infected and is maliciously modifying downloaded files with nefarious intent. Steam seems to be fine according to a scan, though I suppose if a system is compromised, that doesn't mean much.
  20. Wow, now that you mention it, you're right. Excellent point. That's SUPER strange. Maybe a consequence of Steam trying to migrate/copy the file from the download staging area to the game directory while ESET deleted the file? Or something more nefarious? I'm not sure. I'm just supremely anxious.
  21. Further update to add to this: It seems like Steam downloads assets to the "Steam\steamapps\downloading\" folder, before moving those files to the game folder proper. Somehow, the EventEditor.exe file still wound up in the game files directory, despite ESET catching and deleting it in the downloads folder? The hash of this file seems markedly different, though. Here's a VirusTotal link to the GAME DIRECTORY file. ESET seems to have zero issues with it. The hash of this file also seems different from what ESET reports it deleted from "Steam\steamapps\downloading\", which was 0EF5E53D06EEB83310D694B243E2A1F2E9F135E3.
  22. Good advice. Do you know how to check for confirmation? Will that be sent via email? Or posted here?
  23. No, I haven't. The Battletech game on the website you provided is the table top RPG. The only thing available for purchase there are source books. The game available via Steam is an electronic adaptation of the game. Additionally, sadly, when a game is purchased via Steam, the license is only ever good through Steam, and not any alternative platform. Is there risk here?
  24. This morning I was downloading BattleTech, a game made by Harebrained Schemes studio and published by Paradox Interactive. I was downloading the game via Steam directly, rather than any direct link download. While the game was installing, ESET popped up a detection warning on one of the files, as it was being downloaded by Steam. I wasn't able to screenshot it before the notice faded away, but it tagged a file EventEditor.exe as a malicious trojan ML/Augur. When I check the detection log, I see the following: Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here 5/24/2023 7:33:17 AM;Real-time file system protection;file;D:\Steam\steamapps\downloading\637090\BattleTech_Data\StreamingAssets\editors\EventEditor.exe;ML/Augur trojan;cleaned by deleting;[System and user name redacted];Event occurred on a file modified by the application: D:\Steam\steam.exe (C821F111DE338D589627899951E39620F22E4BA9).;0EF5E53D06EEB83310D694B243E2A1F2E9F135E3;5/24/2023 7:31:09 AM I have since submitted the file for analysis via the quarantine pane of ESET. I'm currently running a full system scan, but I find this highly concerning. Does this mean that Steam has become infected and is serving malicious files via downloaded games? The log language seems to indicate that Steam was trying to maliciously modify a file. Another thing that worries me is that I've downloaded this game before, months ago. ESET had no issues with it then. I since deleted the game, and just this morning tried re-downloading. Any help would be desperately appreciated. I'm running ESET 16.1.14.0 on Detection Engine 27289P, on Windows 10 22H2 Build 19045.2965.
  25. Reinstalling ESET seemed to solve the issue, though I'm not sure if that was overkill.
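The byte-level comparison described in posts 14 and 16 above (a flagged copy that matches the known-good file up to a fixed offset and is all zeros after it, plus SHA-1 hashes that do not match), as an added Python example that is not part of the original thread and is not ESET's or Steam's code. It takes a known-good copy and the flagged copy, reports both SHA-1 hashes and the first differing offset in hex-editor style, and distinguishes a zero-filled tail (consistent with a pre-allocated file that was scanned before the download finished writing) from a copy in which non-zero bytes actually differ. The sample "files", the cut offset and the script name are constructed assumptions, not real game binaries.

```python
"""Compare a flagged file against a known-good copy and decide whether the
difference looks like a partially written, zero-filled file or like real
modification. Added example; not ESET's, Steam's or the thread author's code."""
import hashlib
import sys


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1, the same digest shown in the Hash column of the ESET log."""
    return hashlib.sha1(data).hexdigest()


def first_difference(a: bytes, b: bytes):
    """Offset of the first byte where a and b differ; None if identical.
    If one blob is a prefix of the other, the shorter length is returned."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def classify(legit: bytes, suspect: bytes) -> dict:
    """Classify the suspect copy relative to the known-good one.

    verdicts:
      identical        same bytes, same hash
      length_mismatch  sizes differ (plain truncation or appended data)
      zero_truncated   same size, identical up to `offset`, then only 0x00:
                       consistent with a pre-allocated file whose write stopped
      modified         same size but non-zero bytes differ: tampering or corruption
    """
    report = {
        "legit_sha1": sha1_hex(legit),
        "suspect_sha1": sha1_hex(suspect),
        "offset": first_difference(legit, suspect),
    }
    if report["offset"] is None:
        report["verdict"] = "identical"
    elif len(legit) != len(suspect):
        report["verdict"] = "length_mismatch"
    elif not any(suspect[report["offset"]:]):  # every byte from offset on is 0x00
        report["verdict"] = "zero_truncated"
    else:
        report["verdict"] = "modified"
    return report


def describe(report: dict) -> str:
    """One-line summary with the offset formatted like a hex editor shows it."""
    off = report["offset"]
    where = "n/a" if off is None else f"0x{off:08X}"
    return (f"{report['verdict']:16} first diff at {where}  "
            f"legit={report['legit_sha1']}  suspect={report['suspect_sha1']}")


# Constructed sample "files" (assumption, not real binaries): a fake 4 KiB image
# with a non-repeating byte pattern so the cut point is unambiguous.
LEGIT = b"MZ\x90\x00" + bytes((i * 37 + 11) % 256 for i in range(4092))
CUT = 0x800                                                  # assumed cut offset
TRUNCATED = LEGIT[:CUT] + b"\x00" * (len(LEGIT) - CUT)       # write stopped at CUT
TAMPERED = LEGIT[:CUT] + b"\xcc" + LEGIT[CUT + 1:]            # one byte patched


def main(argv):
    if len(argv) == 3:   # python compare.py <known-good> <flagged>
        with open(argv[1], "rb") as f, open(argv[2], "rb") as g:
            print(describe(classify(f.read(), g.read())))
    else:                # no arguments: run on the constructed samples
        for name, blob in (("truncated", TRUNCATED), ("tampered", TAMPERED), ("same", LEGIT)):
            print(f"{name:10} {describe(classify(LEGIT, blob))}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with two paths to compare real files; with no arguments it runs on the constructed samples. A `zero_truncated` verdict only says the bytes are consistent with an interrupted write; it does not prove where the file came from, so the hash of the copy that finally landed in the game directory still has to be checked against a copy from someone else's known-good install, as post 16 does.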