mandiato (ESET Insiders), posted March 27, 2017 (edited)

Today ESET started deleting a file from Dragon Age Inquisition. To remove any doubts: it is legit and original. ESET detects a probable threat in one file and deletes it. Repairing the installed Dragon Age Inquisition fails, because ESET blocks the download of the missing file, and without that file the game cannot be run. Attached below is the line from the log about cleaning the file:

--> begin <--
Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
27.03.2017 19:43:31;Real-time file system protection;file;D:\Electronic Arts\Dragon Age Inquisition\dbdata.dll_DiP_STAGED;a variant of Win32/Packed.VMProtect.ACL trojan;cleaned by deleting;MONSTERXXL\Mandi;Event occurred on a new file created by the application: D:\Origin\Origin.exe (7507E483479218E3E922860497A0E11A2C427882).;DB314C5A3B1AF978955D92768E3102C83787843A;22.09.2015 02:49:32
--> end <--

[edit] Or maybe this is right and DA:I is infected by design? Who knows... :-)

Edited March 27, 2017 by mandiato

Marcos (Administrators), posted March 27, 2017

Most likely a blacklisted VMProtect license was used to pack the file. Are you positive it's the original file created by the vendor and not a file installed by a crack for instance?

mandiato (ESET Insiders, thread author), posted March 28, 2017 (edited)

Yes, I'm sure that this one is legit. Even trying the "Repair" function in Origin, which detects the modified file, fails when downloading that missing file, and ESET blocks it.

--> from log <--
Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
27.03.2017 19:35:48;Real-time file system protection;file;D:\electronic arts\dragon age inquisition\dbdata.dll;a variant of Win32/Packed.VMProtect.ACL trojan;cleaned by deleting;ZARZĄDZANIE NT\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Windows\System32\CompatTelRunner.exe (39E7D1F98AB5509F9B1BBAD4F7873E3DEF554DEE).;DB314C5A3B1AF978955D92768E3102C83787843A;22.09.2015 02:49:32
27.03.2017 19:43:31;Real-time file system protection;file;D:\Electronic Arts\Dragon Age Inquisition\dbdata.dll_DiP_STAGED;a variant of Win32/Packed.VMProtect.ACL trojan;cleaned by deleting;MONSTERXXL\Mandi;Event occurred on a new file created by the application: D:\Origin\Origin.exe (7507E483479218E3E922860497A0E11A2C427882).;DB314C5A3B1AF978955D92768E3102C83787843A;22.09.2015 02:49:32
27.03.2017 19:53:24;Real-time file system protection;file;D:\Electronic Arts\Dragon Age Inquisition\dbdata.dll_DiP_STAGED;a variant of Win32/Packed.VMProtect.ACL trojan;cleaned by deleting;MONSTERXXL\Mandi;Event occurred on a new file created by the application: D:\Origin\Origin.exe (7507E483479218E3E922860497A0E11A2C427882).;DB314C5A3B1AF978955D92768E3102C83787843A;22.09.2015 02:49:32
--> end <--

And a screenshot of when it occurs. The Origin client tries to download the missing file, and ESET deletes it because it found a threat in it, and this is reproducible every time.

[edit] And Log Collector log files are also attached: essp_logs.zip

Edited March 28, 2017 by mandiato (adding LogCollector output)

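Added example, not part of the original thread and not ESET tooling: a small parser for the semicolon-separated detection log layout quoted in the posts above, which groups events by file hash so that a repeated delete-and-redownload loop shows up as one file to verify and submit rather than as several infections. The function names are hypothetical, and the sample lines, paths, user and hashes are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

APP_RE = re.compile(r"application: (.+) \(([0-9A-Fa-f]{40})\)")
HASH_A, HASH_B, APP1, APP2 = "A" * 40, "B" * 40, "1" * 40, "2" * 40  # constructed SHA-1 placeholders
T = "a variant of Win32/Packed.VMProtect.ACL trojan;cleaned by deleting;HOST\\user"

# Constructed sample in the export layout quoted in the thread; paths and user are made up.
SAMPLE_LOG = rf"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
01.02.2020 10:00:00;Real-time file system protection;file;D:\games\example\data.dll;{T};Event occurred during an attempt to access the file by the application: C:\Windows\System32\scan.exe ({APP1}).;{HASH_A};01.01.2020 09:00:00
01.02.2020 10:05:00;Real-time file system protection;file;D:\Games\Example\data.dll_STAGED;{T};Event occurred on a new file created by the application: D:\Launcher\launcher.exe ({APP2}).;{HASH_A};01.01.2020 09:00:00
01.02.2020 10:15:00;Real-time file system protection;file;D:\Games\Example\data.dll_STAGED;{T};Event occurred on a new file created by the application: D:\Launcher\launcher.exe ({APP2}).;{HASH_A};01.01.2020 09:00:00
01.02.2020 11:00:00;Real-time file system protection;file;C:\Temp\other.bin;{T};Event occurred on a new file created by the application: D:\Launcher\launcher.exe ({APP2}).;{HASH_B};01.02.2020 11:00:00
"""

def parse_line(line):
    """Return one detection event as a dict, or None for the header and short lines."""
    parts = line.rstrip("\n").split(";")
    if len(parts) < 10 or parts[0] == "Time":
        return None
    info = ";".join(parts[7:-2])  # tolerate ';' inside the Information text
    m = APP_RE.search(info)       # process that touched or created the file
    return {
        "time": datetime.strptime(parts[0], "%d.%m.%Y %H:%M:%S"),
        "object": parts[3], "threat": parts[4], "action": parts[5],
        "app": m.group(1) if m else None, "sha1": parts[-2],
    }

def summarize(lines):
    """Group events by the SHA-1 of the detected file."""
    groups = defaultdict(lambda: {"deleted": 0, "paths": set(), "apps": set(), "times": []})
    for ev in filter(None, map(parse_line, lines)):
        g = groups[ev["sha1"]]
        g["deleted"] += ev["action"] == "cleaned by deleting"
        g["paths"].add(ev["object"].lower())  # Windows paths are case-insensitive
        g["apps"].add(ev["app"])
        g["times"].append(ev["time"])
    return dict(groups)

def repeated_deletions(summary, min_events=2):
    """Hashes deleted at least min_events times: candidates for a false-positive submission."""
    return sorted(h for h, g in summary.items() if g["deleted"] >= min_events)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for h in repeated_deletions(s):
        print(h, s[h]["deleted"], sorted(s[h]["paths"]), sorted(s[h]["apps"]))
```
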
mandiato (ESET Insiders, thread author), posted March 28, 2017

It looks like after the latest update DA Inquisition files are no longer recognised as malware; the game now starts perfectly without any warning and there are no more detections of malicious content in DA:I files...