FileSecurity for Windows reports potential unsafe app with suspect path


We're running Eset FileSecurity for Windows Server 6.5.12010.0 on an SBS 2011 (technically Server 2008 R2).

Our customer is using a software called Remote Administrator 3 to gain remote access to the server. This software is reported as a potentially unsafe application by Eset products, which we were aware of, and we set up the necessary exclusions. The executable "rserver3.exe" is installed under "C:\Windows\Syswow64\rserver30\" and the path and the executable are excluded. These exclusions were working without problems for a long time, but suddenly we got messages about rserver3.exe as a potentially unsafe application again. FS 6.5 shows a strange path for the rserver3.exe like "\D:\AdoMed\Util\n7\..\..\..\..\..\..\Windows\SysWOW64\rserver30\rserver3.exe". The count of "\..\" varies from 5 to 6 and each entry is logged twice. The messages are logged at the startup file scan.

The folder "D:\AdoMed\Util\n7\" exists on the server, but it does not contain any subfolders, symlinks or the rserver3.exe.

 

Does anyone know why Eset FileSecurity mixes up folders in the server's filesystem and reports non-existent files?


  • ESET Moderators

Hello,

I would suggest running the Process Monitor tool with advanced logging enabled to capture ESET's startup scan, and opening a ticket with your local ESET support to check.

Also, please attach the output from ESET Log Collector to the request.

Regards, P.R.


@ Peter

Thanks for your reply.

I ran Procmon while doing a startup scan and it seems ekrn.exe tries to access all entries of the system's path variable with some "\..\" added and then the "C:\Windows\syswow64\reserver30\" added. Screenshot attached.

No clue why ekrn.exe does this, where it gets the path from and why it seems to find a file under this strange path.

As you suggested, I opened a ticket with the local Eset support and provided the logs.

Regards, Thomas

 

 

 

ProcMon.JPG

Edited by tomha
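
A lexical check of the logged paths against the excluded path, added here as an example; it is not part of the original thread and not ESET tooling. It assumes exclusions compare as case-insensitive strings (not a statement of how ESET matches them), uses the paths quoted in the first post, and the function name `triage` is hypothetical.

```python
import ntpath
import re

# Assumption: exclusions are compared as case-insensitive strings.
# This is a triage aid, not a model of how ESET matches exclusions.
def _key(path):
    return path.lower().rstrip("\\")

def triage(logged_path, excluded_file):
    """Compare one logged detection path with one excluded file path."""
    # The log in the thread shows a leading "\" before the drive letter.
    raw = re.sub(r"^\\(?=[A-Za-z]:)", "", logged_path)
    collapsed = ntpath.normpath(raw)  # lexical only, no filesystem access
    excl_drive, excl_tail = ntpath.splitdrive(excluded_file)
    return {
        "parent_refs": raw.split("\\").count(".."),
        "collapsed": collapsed,
        "raw_match": _key(raw) == _key(excluded_file),
        "collapsed_match": _key(collapsed) == _key(excluded_file),
        "same_tail": _key(collapsed).endswith(_key(excl_tail)),
        "same_drive": ntpath.splitdrive(collapsed)[0].lower() == excl_drive.lower(),
    }

# Paths as quoted in the thread (5 and 6 "\.." segments were both reported).
EXCLUDED = r"C:\Windows\Syswow64\rserver30\rserver3.exe"
LOGGED = [
    "\\D:\\AdoMed\\Util\\n7" + "\\.." * 5 + "\\Windows\\SysWOW64\\rserver30\\rserver3.exe",
    "\\D:\\AdoMed\\Util\\n7" + "\\.." * 6 + "\\Windows\\SysWOW64\\rserver30\\rserver3.exe",
]

if __name__ == "__main__":
    for entry in LOGGED:
        print(entry)
        for field, value in triage(entry, EXCLUDED).items():
            print(f"  {field}: {value}")
```

For both logged entries the collapsed path lands on D:, so it equals the excluded C: path neither as logged nor after collapsing; only the part below the drive letter is the same.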
This topic is now closed to further replies.