itman 1,799 Posted December 8, 2016 As part of a manual remediation of an extremely nasty Win 10 malware I encountered a while back, my examination uncovered that a registry entry had been created for esihdrv.sys to run from the %LocalAppData%\Temp directory at boot time. I could not find any traces of this driver file on my boot HDD. The only ESET products I have used are Smart Security ver. 8 - 10 and a few stand-alone malware utilities downloaded from the ESET support web site. I don't believe any of the utilities have been run on Win 10 since I upgraded from Win 7.
Administrators Marcos 5,443 Posted December 8, 2016 It should be a driver used by ESET SysInspector. You can check its digital signature to make sure.
itman 1,799 Posted December 8, 2016 Author (edited) That is what I thought originally, but I subsequently ran SysInspector from SS ver. 10 and the driver reg. entry was not recreated. However, I do believe I had previously downloaded a standalone version of SysInspector per forum instructions. Perhaps that is where it came from. In any case, as long as it was ESET related, I can "put this one to bed." I do question the wisdom, though, of running any driver from the %LocalAppData%\Temp directory. I suggest ESET adopt the technique used by Process Explorer. Also, does the HIPS monitor execution of drivers loaded from the %LocalAppData%\Temp directory? Edited December 8, 2016 by itman
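The two checks the thread turns on, a driver registered to load from a Temp directory and the digital signature of that driver, can be automated from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the forum posts or from ESET. It walks the Services key, normalizes each kernel-driver ImagePath, flags entries whose binary lives under a Temp or user-profile directory, reports whether the file is still on disk (the poster's case was a registry entry with no file), and runs Get-AuthenticodeSignature on any file that is present. The path-matching regex and the Temp/Users heuristic are this example's own assumptions, not an ESET or Microsoft rule.

```powershell
# Added example, not code from the forum thread or from ESET: list kernel
# drivers registered under HKLM\SYSTEM\CurrentControlSet\Services whose image
# lives under a Temp or user-profile directory, report whether the file is
# still present, and check its Authenticode signature when it is.
# Run from an elevated PowerShell prompt; Get-AuthenticodeSignature is built in.

function Resolve-DriverImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = $ImagePath.Trim().Trim('"')
    # Expand %Var% references. Caveat (assumption of this example): the service
    # controller expands them in the SYSTEM context, so %LocalAppData% may
    # resolve to a different profile than it does in this shell.
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # Kernel-style paths: \??\C:\... and \SystemRoot\System32\drivers\x.sys,
    # plus the bare relative form system32\drivers\x.sys
    if ($p -match '^\\\?\?\\(.*)$')           { $p = $Matches[1] }
    elseif ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\')      { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDriverEntry {
    # Service Type 1 = kernel driver, 2 = file system driver
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $svcKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        if ($props.Type -notin 1,2 -or -not $props.ImagePath) { return }
        $path = Resolve-DriverImagePath $props.ImagePath
        # Heuristic: a driver under a Temp directory or a user profile is out of place
        if ($path -notmatch '(?i)\\Temp\\|\\Users\\') { return }
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Service   = $_.PSChildName
            Start     = $props.Start     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $path
            OnDisk    = $exists
            SigStatus = if ($sig) { $sig.Status } else { 'file missing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Get-SuspiciousDriverEntry | Format-Table -AutoSize
```

Reading the output: a row with OnDisk False matches the situation in the first post, an orphaned registry entry whose driver file is gone, so nothing loads but the entry itself remains. A row with SigStatus Valid and a recognizable vendor in Signer is the confirmation Marcos suggested. A driver under a Temp path with SigStatus NotSigned or HashMismatch is the case worth investigating further before deciding it is benign.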