
Sysinspector module showing up as risky while using sysinspector itself.



Alright so... the past few days I have been using the Eset SysInspector and one of the modules of Eset 1) shows up as risky with a threat level of 9, and 2) has no file description nor company name.

It's located in eset\modules\em000_64\1014_new\ and is called em000_64.dll. Or well, the inspector says it's located in there.

 When I go to the destination it doesn't show up. I got a em000_64\1014 folder but not a 1014_new folder.

To be more specific it shows up running in the "Running processes" as part of sysinspector.exe.

Should I be worried? Is that normal? My machine is Windows 10 64-bit and I am using eset smart security premium. I bet that could be something not to worry about but wanted to ask nevertheless.

Thanks.

Edited by Kou
To be more specific and clarified title.

That 1014_new directory doesn't look legit to me. I would go to VirusTotal web site and scan the em000_64.dll located within.

I am running Win 10 x64 1607 and using Eset SS ver. 10. Below is a screen shot of my SysInspector log. Everything running under ekrn.exe shows green. Further, there is no eset\modules\em000_64\1014_new\ directory on my PC; only eset\modules\em000_64\1014\ directory exists.

Quote

When I go to the destination it doesn't show up. I got a em000_64\1014 folder but not a 1014_new folder.

In File Explorer, select View. Then select show hidden and operating system files. Click OK. See if the directory then shows up. Reverse the above before exiting File Explorer.

Eset_SysInspector_12-20-2016.png

Edited by itman
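
One way to run the checks suggested in the post above (where each module was loaded from, whether the file exists on disk, who signed it, and the SHA-256 to look up on VirusTotal), as an added PowerShell example that is not part of the original thread or of ESET's tooling. `Get-LoadedModuleReport` and the `$ExpectedRoot` default are assumptions; set the root to the actual install folder.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# while the process is open, so that its module list is readable.
param(
    [string]$ProcessName  = 'sysinspector',          # process named in the thread
    [string]$ExpectedRoot = 'C:\Program Files\ESET'  # assumption: set to your install folder
)

function Get-LoadedModuleReport {
    param([string]$Name, [string]$Root)

    foreach ($proc in Get-Process -Name $Name -ErrorAction Stop) {
        foreach ($mod in $proc.Modules) {
            $path = $mod.FileName
            if (-not $path) { continue }
            $onDisk = Test-Path -LiteralPath $path -PathType Leaf

            # Classify where the module was loaded from.
            $cmp = [System.StringComparison]::OrdinalIgnoreCase
            $location = if ($path.StartsWith($Root, $cmp)) {
                'InstallRoot'
            } elseif ($path.StartsWith($env:windir, $cmp)) {
                'Windows'
            } else { 'Other' }

            # Signature and hash can only be read if the file still exists,
            # which was not the case for the 1014_new path in the thread.
            $sig = $null; $hash = $null
            if ($onDisk) {
                $sig  = Get-AuthenticodeSignature -LiteralPath $path
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }

            [pscustomobject]@{
                ProcessId = $proc.Id
                Module    = $mod.ModuleName
                Location  = $location
                OnDisk    = $onDisk
                Signature = if ($sig) { $sig.Status } else { 'n/a' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = $hash
                Path      = $path
            }
        }
    }
}

# Show only the entries that deserve a second look.
Get-LoadedModuleReport -Name $ProcessName -Root $ExpectedRoot |
    Where-Object { -not $_.OnDisk -or $_.Location -eq 'Other' -or $_.Signature -ne 'Valid' } |
    Sort-Object Location, Module | Format-List
```
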

Hello itman. Thank you for your answer. The folder eset\modules\em000_64\1014_new\ doesn't show up in any way. I always set it so hidden files are shown, and using give me power to open the explorer.exe and using gmer with elevated privileges also doesn't make a difference.
This process showing up as risky though only shows up in the running process of sysinspector.exe and not in ekrn.exe for example.
On the other hand I went to safe mode booting and sysinspector doesn't show it up anymore. However eset is not able to start in safe mode (sysinspector works fine) mumbling something about the kernel. Is that normal?
Thank you very much!

By the way, https://www.virustotal.com/en/file/a787547e3ac4c29f05253844815e1a67f8489669051105eab2c3d1e2f89fec42/analysis/ shows apparently clean.

Edited by Kou
Added link.

I guess I am a bit lost with what you are doing.

When you run SysInspector from within SS ver. 10, it is hidden running as a background process on Win 10. As such, it is impossible to view what Eset modules SysInspector itself is using while it is executing.

Are you running the stand-alone ver. of SysInspector available via separate download? 


You can check it yourself here. No, it is the version that comes bundled with eset smart security premium. It got installed by itself when installing eset, I did not download it separately (ESET\ESET Smart Security Premium and there got the three files for eset banking & payment protection. Now I realize you can use it too by going to Tools...).

EsetInspector.PNG


  • ESET Insiders

It looks like (some of) your modules were installed into your desktop "c:\users\?username?\desktop\software\eset\modules\...." and not into the default folders for the ESET installation.

In Sysinspector I have no search results for the string "desktop\software" for the ESET installed modules, because I installed ESET using its default folders.

2016-12-21_21-23-36.png

EDIT: I copied the sysinspector.exe to my desktop and launched it from there. The .exe now shows up in the running processes table, but not giving me a red (9) risk level. Running it from desktop gives a totally different outcome for the inspection, so ESET will see its own process as a threat/risk, when run from desktop. I hope @itman can confirm!

Edited by m4v3r1ck

At least now things are starting to make a bit more sense.

Appears you have been running SysInspector from the desktop? Unless Smart Security Premium does things differently from the non-premium ver. of Smart Security, I would say that the ver. of SysInspector on your desktop is possibly bogus software.

We need confirmation from someone running ver. 10 Smart Security Premium as to if it installs a separate icon on the desktop as done for Online Payment and Protection for example. In any case, SysInspector should not be loading program modules from the C:\User directories if Smart Security Premium is installed.

On the other hand if the standalone ver. of SysInspector was downloaded sometime in the past to the desktop, it would be reasonable to assume that it would be loaded to the C:\User directories. -EDIT- However, supporting program modules and the like should not be loaded into C:\Users\xxx\Desktop directories but C:\Users\xxx\Temp\*  etc. directories

Edited by itman

48 minutes ago, m4v3r1ck said:

EDIT: I copied the sysinspector.exe to my desktop and launched it from there. The .exe now shows up in the running processes table, but not giving me a red (9) risk level. Running it from desktop gives a totally different outcome for the inspection, so ESET will see its own process as a threat/risk, when run from desktop. I hope @itman can confirm!

Running a process from anywhere other than its normal installation directory is a no-no. Creating a desktop shortcut to the .exe is OK usually but not always; depends how the app is started. By default, most apps will look for associated .dlls and the like in the installation directory.


Thank you for your answer. Both are right, eset has the option to install the modules folder in a different location than the default one, and so I did, that's why the path is different. I have not installed eset in the default location but the ones you could check there.

itman, yes, I executed Sysinspector from the shortcut the installation of eset has created itself but as I said Sysinspector has not been downloaded as a standalone version, was installed with eset smart security premium. It's just that I was executing it through the shortcut instead of going to the gui of eset and then going to tools\moretools\ESET Sysinspector.

In any case I have done a new report with sysinspector, through both ways, directly from the antivirus and from the shortcut itself, and that process is not showing anymore (though a .tlb file belonging to the graphics card driver is showing as 5:Unknown status now. I have sent the file though to eset so they examine it) in both cases.

I guess for now I have no more questions really, since the process is not showing up anymore, at least for now.

Thank you both guys!


  • ESET Insiders

Glad it got your issue solved and glad to be of help!

But the shortcut installed by the ESET installer should be reviewed by the ESET team, when it gives you a risklevel 9 as that should clearly not be the issue. @ESET


17 minutes ago, m4v3r1ck said:

Glad it got your issue solved and glad to be of help!

But the shortcut installed by the ESET installer should be reviewed by the ESET team, when it gives you a risklevel 9 as that should clearly not be the issue. @ESET

I will do that m4v3r1ck. Thank you.

