itman 1,538 Posted December 8, 2016

As part of a manual remediation of an extremely nasty Win 10 malware I encountered a while back, my examination uncovered that a registry entry had been created for esihdrv.sys to run from the %LocalAppData%\Temp directory at boot time. Could not find any traces of this driver file on my boot HDD. The only ESET products I have used are Smart Security ver. 8 - 10 and a few stand-alone malware utilities downloaded from the ESET support web site. Don't believe any of the utilities have been run on Win 10 since I upgraded from Win 7.
Administrators Marcos 4,705 Posted December 8, 2016

It should be a driver used by ESET SysInspector. You can check its digital signature to make sure.
itman 1,538 Posted December 8, 2016 (Author, edited)

That is what I thought originally, but I subsequently ran SysInspector from SS ver. 10 and the driver reg. entry was not recreated. However, I do believe I had previous to this downloaded a standalone version of SysInspector per forum instructions. Perhaps that is where it came from. In any case, as long as it was ESET related, I can "put this one to bed." I do question the wisdom though of running any driver from the %LocalAppData%\Temp directory. Suggest ESET adopt the technique used by Process Explorer. Also, does the HIPS monitor execution of drivers loaded from the %LocalAppData%\Temp directory?

Edited December 8, 2016 by itman
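The two checks discussed in this thread (find service or driver entries whose image lives under a user's %LocalAppData%\Temp, then look at the file's digital signature) can be done from an elevated PowerShell prompt. The script below is an added example written for this thread, not ESET's code or anything from the original posts; the registry key, value names and type/start codes are standard Windows ones, and the Temp path pattern is the one the thread is about.

```powershell
# Added example: list HKLM\SYSTEM\CurrentControlSet\Services entries whose ImagePath
# points into a user's AppData\Local\Temp directory and report the Authenticode
# signer of the file (if it still exists), so an entry such as the esihdrv.sys one
# above can be attributed to a known vendor or flagged for a closer look.
# Assumes an elevated PowerShell session on Windows.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    param([string]$ImagePath)
    # Kernel driver paths are often written as \??\C:\... or \SystemRoot\...;
    # strip those prefixes, expand %VAR% references and drop any arguments.
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^(.*?\.(sys|exe))') { $p = $Matches[1] }
    return $p
}

function Get-TempDrivers {
    # One object per service/driver whose image path is under ...\AppData\Local\Temp\.
    Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }
        $path = Resolve-ImagePath $props.ImagePath
        if ($path -notmatch '\\AppData\\Local\\Temp\\') { return }
        $exists = Test-Path -LiteralPath $path
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Service   = $_.PSChildName
            Type      = $props.Type    # 1 = kernel driver, 2 = file system driver, 16/32 = Win32 service
            Start     = $props.Start   # 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
            ImagePath = $path
            Exists    = $exists
            SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

Get-TempDrivers | Format-Table -AutoSize
```

A boot-start (Start = 0) kernel driver (Type = 1) whose file is missing or whose SigStatus is anything other than Valid is the case worth investigating; a Valid signature from the expected vendor is what lets an entry like the one in this thread be closed out.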