
Posted

As part of a manual remediation of an extremely nasty Win 10 malware I encountered a while back, my examination uncovered that a registry entry had been created for esihdrv.sys to run from the %LocalAppData%\Temp directory at boot time. Could not find any traces of this driver file on my boot HDD.

 

The only Eset products I have used are Smart Security ver. 8 - 10 and a few stand alone malware utilities downloaded from the Eset support web site. Don't believe any of the utilities have been run on Win 10 since I upgraded from Win 7.

Posted (Administrators)

It should be a driver used by ESET SysInspector. You can check its digital signature to make sure.

Posted (edited)

That is what I thought originally but I subsequently ran SysInspector from SS ver. 10 and the driver reg. entry was not recreated. However, I do believe I had previous to this downloaded a standalone version of SysInspector per forum instructions. Perhaps that is where it came from. In any case, as long as it was Eset related, I can "put this one to bed."

 

I do question the wisdom though of running any driver from the %LocalAppData%\Temp directory. Suggest Eset adopt the technique used by Process Explorer.

 

Also does the HIPS monitor execution of drivers loaded from the %LocalAppData%\Temp directory?

Edited by itman
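The two checks the thread converges on (does a registered driver's ImagePath point into a user-writable Temp directory, and is the file on disk and signed) can be scripted so they cover every driver service rather than one entry found by hand. The script below is an added example written for this thread; it is not ESET's code and not code from either poster. It assumes the documented Windows service Type values (1 = kernel driver, 2 = file system driver) and Start values (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and the choice of Temp roots to flag is the example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): enumerate kernel-mode drivers registered under
# HKLM\SYSTEM\CurrentControlSet\Services, flag any whose ImagePath resolves into a
# Temp directory, and report the Authenticode signature of the file if it exists.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service Type values for drivers: 1 = kernel driver, 2 = file system driver
$driverTypes = 1, 2

# Temp roots this example treats as suspicious locations for a driver (assumption: edit to taste)
$tempRoots = @(
    [Environment]::GetEnvironmentVariable('TEMP'),
    [Environment]::ExpandEnvironmentVariables('%LocalAppData%\Temp'),
    [Environment]::ExpandEnvironmentVariables('%SystemRoot%\Temp')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Resolve-DriverPath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    # Driver ImagePath values come in NT forms such as \??\C:\..., \SystemRoot\..., system32\drivers\...
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # A bare file name is relative to System32\drivers
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path "$env:SystemRoot\System32\drivers" $p }
    return $p
}

function Test-InTempDirectory {
    param([string]$Path)
    foreach ($root in $tempRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$results = foreach ($svc in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath
    if ($driverTypes -notcontains $props.Type) { continue }
    $path = Resolve-DriverPath $props.ImagePath
    if (-not $path) { continue }
    $exists = Test-Path -LiteralPath $path
    $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Service   = $svc.PSChildName
        Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $path
        OnDisk    = $exists
        InTemp    = Test-InTempDirectory $path
        Signature = if ($sig) { $sig.Status } else { 'n/a (file missing)' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# A driver loading from a Temp directory, or registered but missing from disk (the
# situation described in the thread), is the set worth examining.
$results | Where-Object { $_.InTemp -or -not $_.OnDisk } |
    Sort-Object Service | Format-Table -AutoSize
```

Drop the final `Where-Object` filter to see every driver with its signature status; a `Signature` of `Valid` together with a recognisable `Signer` subject is the check the administrator's reply suggests, while a `NotSigned` or `HashMismatch` result on a driver in Temp, or an entry with `OnDisk` false, is what the remediation in the first post ran into.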