A-VT

Members
  • Content Count

    7
Profile Information

  • Location
    Russia
  1. Hello there! I'm wondering whether ESET Online Scanner uses only signatures/patterns or also applies other detection methods like heuristics, a sandbox, sending the file's data to the cloud, etc. Unfortunately, a brief search of the internet for answers was not fruitful.
  2. Thanks for such a succinct response. Can you maybe share any insights on how this driver is used? Does this error mean that no rootkits are detected by ESET Online Scanner?
  3. Thanks! Does it make sense to copy the file ehdrv.sys to C:\Windows\System32\Drivers and keep it there? Will this work?
  4. Yes indeed! Mind if I start with their XML representation? They should contain all the details.

     <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
         <EventID Qualifiers="16384">7045</EventID>
         <Version>0</Version>
         <Level>4</Level>
         <Task>0</Task>
         <Opcode>0</Opcode>
         <Keywords>0x8080000000000000</Keywords>
         <TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z" />
         <EventRecordID>2049</EventRecordID>
         <Correlation />
         <Execution ProcessID="724" ThreadID="4424" />
         <Channel>System</Channel>
         <Computer>T-DESK</Computer>
         <Security UserID="S-1-5-21-1604541895-5678912345-4567891234-1001" />
       </System>
       <EventData>
         <Data Name="ServiceName">eapihdrv</Data>
         <Data Name="ImagePath">C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data>
         <Data Name="ServiceType">kernel mode driver</Data>
         <Data Name="StartType">demand start</Data>
         <Data Name="AccountName"> </Data>
       </EventData>
     </Event>

     <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Application Popup" Guid="{47bfa2b7-bd54-4fac-b70b-29021084ca8f}" EventSourceName="Application Popup" />
         <EventID Qualifiers="16384">26</EventID>
         <Version>0</Version>
         <Level>4</Level>
         <Task>0</Task>
         <Opcode>0</Opcode>
         <Keywords>0x80000000000000</Keywords>
         <TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z" />
         <EventRecordID>2050</EventRecordID>
         <Correlation />
         <Execution ProcessID="4" ThreadID="6812" />
         <Channel>System</Channel>
         <Computer>T-DESK</Computer>
         <Security />
       </System>
       <EventData>
         <Data />
         <Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys failed to load</Data>
         <Binary>0000000002003000000000001A000040300100C06C0200C000000000000000000000000000000000</Binary>
       </EventData>
     </Event>

     <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Application Popup" Guid="{47bfa2b7-bd54-4fac-b70b-29021084ca8f}" EventSourceName="Application Popup" />
         <EventID Qualifiers="49152">1060</EventID>
         <Version>0</Version>
         <Level>2</Level>
         <Task>0</Task>
         <Opcode>0</Opcode>
         <Keywords>0x80000000000000</Keywords>
         <TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z" />
         <EventRecordID>2051</EventRecordID>
         <Correlation />
         <Execution ProcessID="4" ThreadID="6812" />
         <Channel>System</Channel>
         <Computer>T-DESK</Computer>
         <Security />
       </System>
       <EventData>
         <Data />
         <Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data>
         <Binary>000000000200300000000000240400C0000000006B0300C000000000000000000000000000000000</Binary>
       </EventData>
     </Event>

     <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
         <EventID Qualifiers="16384">7045</EventID>
         <Version>0</Version>
         <Level>4</Level>
         <Task>0</Task>
         <Opcode>0</Opcode>
         <Keywords>0x8080000000000000</Keywords>
         <TimeCreated SystemTime="2020-05-26T16:56:46.981173700Z" />
         <EventRecordID>2053</EventRecordID>
         <Correlation />
         <Execution ProcessID="724" ThreadID="4424" />
         <Channel>System</Channel>
         <Computer>T-DESK</Computer>
         <Security UserID="S-1-5-21-1604541895-5678912345-4567891234-1001" />
       </System>
       <EventData>
         <Data Name="ServiceName">eapihdrv</Data>
         <Data Name="ImagePath">C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data>
         <Data Name="ServiceType">kernel mode driver</Data>
         <Data Name="StartType">demand start</Data>
         <Data Name="AccountName" />
       </EventData>
     </Event>

     <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Application Popup" Guid="{47bfa2b7-bd54-4fac-b70b-29021084ca8f}" EventSourceName="Application Popup" />
         <EventID Qualifiers="16384">26</EventID>
         <Version>0</Version>
         <Level>4</Level>
         <Task>0</Task>
         <Opcode>0</Opcode>
         <Keywords>0x80000000000000</Keywords>
         <TimeCreated SystemTime="2020-05-26T16:56:46.996807000Z" />
         <EventRecordID>2054</EventRecordID>
         <Correlation />
         <Execution ProcessID="4" ThreadID="6460" />
         <Channel>System</Channel>
         <Computer>T-DESK</Computer>
         <Security />
       </System>
       <EventData>
         <Data />
         <Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys failed to load</Data>
         <Binary>0000000002003000000000001A000040300100C06C0200C000000000000000000000000000000000</Binary>
       </EventData>
     </Event>
  5. More details. I have disabled everything in Windows Defender: Real-time protection, Tamper Protection, Memory integrity. And still the same errors are reported in the Windows System event log. The file ehdrv.sys does exist in the mentioned folder and is readable as a normal user. SHA1: 8C244899A2082C28B24E7B0DA41904B8663B5A8B. The logs in AppData\Local\Temp\log.txt don't show problems either.
  6. Hello! I've seen several topics regarding this error in the Windows System event log, but none of them provided a definite solution for what has to be done to eliminate these errors. So I thought about starting a new one. This message about ehdrv.sys appears in the logs every time I run ESET Online Scanner. Similarly, if I don't run ESET Online Scanner, I never observe these records in the System log. It seems like this error doesn't directly affect the ability to scan the local disk, and the tool even finds some undesired software. Still, the fact that it's been reported for quite a while and I'm not the only person who noticed it raises additional uncertainty. In my case it is observed on a fresh, recently installed Windows 10 Pro 1909 18363.836 with all the latest updates and available patches. No other antivirus is installed except for the native Windows Defender. But I have to mention that the logs of Windows Defender do not contain any records related to ehdrv.sys or ESET in general. The file ehdrv.sys itself is present in that location and looks valid. It can be read with an ordinary user account. So I have a couple of questions.
     1. Is this a critical issue that this file cannot be loaded? Does it affect the quality or speed of scanning?
     2. Is there a well-known way to eliminate this error for ESET Online Scanner?
     3. How can I help collect the information needed to address this issue?
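The event records posted above are the kind a practitioner would correlate to triage this error. The script below is an added example, not the poster's code and not anything from ESET: it parses a System log export (the shape `wevtutil qe System /f:xml` produces, wrapped in a root element, since that output has none), attaches each Application Popup 26/1060 record to the latest preceding Service Control Manager 7045 install of the same image path, and flags kernel-mode drivers registered from under a user profile directory. The sample is a constructed, trimmed copy of the five records posted above using the real schema URL rather than the defanged `hxxp` form; the pairing rule (popup follows install, same image, NT `\??\` prefix stripped) is this example's own heuristic, not a documented ESET or Windows relationship.

```python
import re
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FAILURE_IDS = {26, 1060}          # Application Popup records seen alongside the 7045 installs
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)

# Constructed sample: the five posted records, trimmed to the fields read here and wrapped
# in a root element (wevtutil's XML output has no root, so add one before parsing).
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID>
<TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z"/><EventRecordID>2049</EventRecordID></System>
<EventData><Data Name="ServiceName">eapihdrv</Data><Data Name="ImagePath">C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data>
<Data Name="ServiceType">kernel mode driver</Data><Data Name="StartType">demand start</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Application Popup"/><EventID Qualifiers="16384">26</EventID>
<TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z"/><EventRecordID>2050</EventRecordID></System>
<EventData><Data/><Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys failed to load</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Application Popup"/><EventID Qualifiers="49152">1060</EventID>
<TimeCreated SystemTime="2020-05-26T16:56:46.965534500Z"/><EventRecordID>2051</EventRecordID></System>
<EventData><Data/><Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID>
<TimeCreated SystemTime="2020-05-26T16:56:46.981173700Z"/><EventRecordID>2053</EventRecordID></System>
<EventData><Data Name="ServiceName">eapihdrv</Data><Data Name="ImagePath">C:\Users\t-user\AppData\Local\Temp\ehdrv.sys</Data>
<Data Name="ServiceType">kernel mode driver</Data><Data Name="StartType">demand start</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Application Popup"/><EventID Qualifiers="16384">26</EventID>
<TimeCreated SystemTime="2020-05-26T16:56:46.996807000Z"/><EventRecordID>2054</EventRecordID></System>
<EventData><Data/><Data>\??\C:\Users\t-user\AppData\Local\Temp\ehdrv.sys failed to load</Data></EventData></Event>
</Events>"""


def parse_time(value):
    """SystemTime is UTC with up to seven fractional digits; keep microseconds, drop the rest."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", value)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base + timedelta(microseconds=int((m.group(2) or "0")[:6].ljust(6, "0")))


def norm_path(path):
    """Strip the NT \\??\\ prefix the popups use so the path compares equal to the SCM ImagePath."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def load_events(xml_text):
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        named, unnamed = {}, []
        for d in ev.findall("e:EventData/e:Data", NS):
            if d.get("Name"):
                named[d.get("Name")] = (d.text or "").strip()
            else:
                unnamed.append((d.text or "").strip())
        records.append({
            "provider": system.find("e:Provider", NS).get("Name"),
            "id": int(system.find("e:EventID", NS).text),
            "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "record": int(system.find("e:EventRecordID", NS).text),
            "data": named, "text": unnamed,
        })
    return records


def failure_path(ev):
    """Image path named in a 26/1060 popup; the 26 text carries ' failed to load' after it."""
    for text in ev["text"]:
        m = re.match(r"(\\\?\?\\.+?\.sys)\b", text, re.IGNORECASE)
        if m:
            return norm_path(m.group(1))
    return None


def correlate(events):
    """Attach each popup failure to the latest preceding 7045 install of the same image (heuristic)."""
    findings, latest = [], {}
    for ev in sorted(events, key=lambda e: (e["time"], e["record"])):
        if ev["provider"] == "Service Control Manager" and ev["id"] == 7045:
            path = ev["data"].get("ImagePath", "")
            findings.append({
                "record": ev["record"], "service": ev["data"].get("ServiceName"), "image_path": path,
                "kernel_driver": ev["data"].get("ServiceType", "").lower() == "kernel mode driver",
                "user_writable_path": bool(USER_PROFILE.match(path)),
                "failure_ids": [], "failure_records": [],
            })
            latest[norm_path(path)] = len(findings) - 1
        elif ev["provider"] == "Application Popup" and ev["id"] in FAILURE_IDS:
            key = failure_path(ev)
            if key in latest:
                f = findings[latest[key]]
                f["failure_records"].append(ev["record"])
                if ev["id"] not in f["failure_ids"]:
                    f["failure_ids"].append(ev["id"])
    return findings


if __name__ == "__main__":
    for f in correlate(load_events(SAMPLE_EVENTS)):
        status = "load FAILED (popup %s)" % f["failure_ids"] if f["failure_ids"] else "no failure logged"
        note = " [kernel driver registered from a user-writable path]" if f["kernel_driver"] and f["user_writable_path"] else ""
        print("7045 #%d %s -> %s: %s%s" % (f["record"], f["service"], f["image_path"], status, note))
```

Run against a real export by replacing `SAMPLE_EVENTS` with the file contents wrapped in `<Events>...</Events>`; a 7045 record with no attached failures means the driver was registered and no popup followed it, and the user-writable-path flag is the detail worth checking regardless of whether the load succeeded, since a kernel driver loaded from a location any user can write to is a weaker position than one under System32\Drivers.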