Jeffry

Everything posted by Jeffry

  1. Thank you for the quick update and fix! There was quite a panic when a few thousand of our workstations and laptops reported this detection 🙂 Thank god it was a false positive.
  2. Yes, detection engine was at 23635 (20210716) at the time of detection.
  3. ESET Endpoint Antivirus 8.0.2028.0 with LiveGrid enabled
     ESET Enterprise Inspector Agent 1.6.1716
     ESET Management Agent 8.1.1223.0

     Module info:
       Detection Engine: 23636 (20210716)
       Rapid Response module: 18607 (20210716)
       Update module: 1023 (20200701)
       Antivirus and antispyware scanner module: 1576 (20210616)
       Advanced heuristics module: 1207.1 (20210421)
       Archive support module: 1320 (20210629)
       Cleaner module: 1220.1 (20210702)
       Anti-Stealth support module: 1174.1 (20210712)
       Firewall module: 1424.1 (20210630)
       ESET SysInspector module: 1281.1 (20210407)
       Translation support module: 1867 (20210625)
       HIPS support module: 1417.4 (20210624)
       Internet protection module: 1425 (20210416)
       Database module: 1113 (20210624)
       Configuration module (39): 1958.3 (20210525)
       LiveGrid communication module: 1111 (20210527)
       Specialized cleaner module: 1014 (20200129)
       Rootkit detection and cleaning module: 1031.1 (20210401)
       Network protection module: 1689.1 (20210517)
       Script scanner module: 1098 (20210601)
       Connected Home Network module: 1042 (20210608)
       Cryptographic protocol support module: 1061 (20210510)
       Deep behavioral inspection support module: 1115 (20210618)
       Advanced Machine Learning module: 1107 (20210601)
       Telemetry module: 1063 (20210602)
       Security Center integration module: 1031 (20210510)
  4. Looks like it is related to 7zip: https://www.virustotal.com/gui/file/a7803233eedb6a4b59b3024ccf9292a6fffb94507dc998aa67c5b745d197a5dc/community
  5. The hash that hits for us is D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6
  6. We are also seeing a lot of Win32/DealPly.VO detections all of a sudden for MSIs that are part of our managed application delivery system (Liquit Software) and seem to be false positives.
  7. Thank you! I was so very very close 😄 I opted to post here so others could also learn from my inability to solve this 🙂
  8. We are getting a lot of code injection detections because our mobile devices have PolicyPak (https://www.policypak.com/) installed. PolicyPak does code injection to be able to do its "thing" and therefore we get loads of detections like this: Is there a way to make an exclusion for the injected process? So in our case we would like to make an exclusion if the injected process matches ppwatchersvc64.exe (or even better if the executable is signed by "PolicyPak, Inc.").