TomFace (539), posted January 30, 2018 (edited January 30, 2018 by TomFace):
I ran an in-depth EIS scan on my machine today which came back clean. I just did a scan with EEK (Emsisoft Emergency Kit), as I occasionally do, and it found this:
C:\Users\(Computer name)\Downloads\ESETIRCBotANRCleaner.exe detected: DeepScan:Generic.Malware.P!g.58CC067A (B) [krnl.xmd]
As I am not an expert in researching malware, can anyone please give me more information about this vermin (like its purpose)? I do not visit risky websites and run a "clean" machine (or at least I try). It was quarantined and cleaned by EEK. Any information would be appreciated (and thanks in advance).
itman (1,749), posted January 30, 2018 (edited January 30, 2018 by itman):
I didn't do an extensive search, but it appears to show up on a lot of Eset distributor web sites:
https://support.eset.de/kb2903/
https://www.eset.com/kh/download/utilities/detail/family/47/
https://www.eset.ie/ie/download/utilities/detail/family/47/
cyberhash (195, Most Valued Members), posted January 30, 2018:
Smells like a false positive by EEK. Upload it to virustotal and see what its detection rate is. Even Emsisoft state that anything with "Gen" or "Generic" in the wording detected by their software has a possibility of being a FP.
peteyt (396, Most Valued Members), posted January 31, 2018:
> 2 hours ago, TomFace said:
> I ran an in-depth EIS scan on my machine today which came back clean. I just did a scan with EEK (Emsisoft Emergency Kit), as I occasionally do, and it found this: C:\Users\(Computer name)\Downloads\ESETIRCBotANRCleaner.exe detected: DeepScan:Generic.Malware.P!g.58CC067A (B) [krnl.xmd] As I am not an expert in researching malware, can anyone please give me more information about this vermin (like its purpose)? I do not visit risky websites and run a "clean" machine (or at least I try). It was quarantined and cleaned by EEK. Any information would be appreciated (and thanks in advance).
The fact eset is in the filename makes me also wonder if it is a false positive.
Peter Randziak (1,169, ESET Moderators), posted January 31, 2018:
Hello @TomFace, check the digital signature of the file; the tools released by us should have a valid one. If the signature is O.K. you can send the file to Emsisoft as a false positive report. If the file is not signed or the signature is not valid, please send it to me to check.
Regards, P.R.
TomFace (539, Author), posted January 31, 2018 (edited January 31, 2018 by TomFace):
> 5 hours ago, Peter Randziak said:
> Hello @TomFace, check the digital signature of the file; the tools released by us should have a valid one. If the signature is O.K. you can send the file to Emsisoft as a false positive report. If the file is not signed or the signature is not valid, please send it to me to check. Regards, P.R.
Peter, thanks for the reply. I am not sure how to check the digital signature. Can you tell me how to do that, as the file is still in EEK quarantine? In addition, I did submit the file to Emsisoft (through EEK) and they said: "Since the reported file was detected by our BitDefender engine, we will forward this to BitDefender for further analysis. Any false positive detections or misclassification that may be found during analysis will be fixed as soon as possible." They will advise me of the results of their inquiry. While I know people cannot be 100% (just like any A/V program), I just get a bit "excited" with any detection (even if it's one every 2-4 years). My OCD must be showing. Thanks to itman, cyberhash and peteyt for their replies as well.
Peter Randziak (1,169, ESET Moderators), posted January 31, 2018:
Hello @TomFace, you will probably have to recover the file from the quarantine to be able to do that. On Windows, just right-click on the file -> Properties -> Digital Signatures -> Details, as shown on the screenshot. The tool is quite old, so it will probably have the same SHA1 as mine, "c553a7d911b531c7faa4c9aa821c4d2c4f4c31d5" (I downloaded the actual one).
Regards, P.R.
TomFace (539, Author), posted January 31, 2018 (edited January 31, 2018 by TomFace):
Think I'll wait to see what EMSI/BitDefender has to say. Thinking about it, the only thing I recently downloaded from ESET (other than the daily EIS updates) was the "newer" bits for the ESET Online scanner (I ran it 2 days ago... maybe. I also always use the same link I have saved in my favorites). I run it occasionally (just because), so I have the Online scanner main files. Just a thought, as the file description had "downloads" in it. I installed EIS on 12/1/17 (it was 11.0.149.0 back then; currently I run EIS 11.0.159.0).
Peter Randziak (1,169, ESET Moderators), posted January 31, 2018:
Hello @TomFace, O.K., please let us know then what the response was. Or you can send the file to me to do the check if you want.
Regards, P.R.
TomFace (539, Author), posted January 31, 2018:
> Just now, Peter Randziak said:
> Hello @TomFace, O.K., please let us know then what the response was. Or you can send the file to me to do the check if you want. Regards, P.R.
To do that I need to restore the file... correct?
Peter Randziak (1,169, ESET Moderators), posted January 31, 2018:
Hello @TomFace, I assume yes, but I have never used the Emsisoft product...
Regards, P.R.
TomFace (539, Author), posted January 31, 2018:
Again, I think I'll let "sleeping dogs lie", at least for the moment. I only use EEK on occasion... like a 2nd opinion scanner (akin to HitmanPro). Thanks again Peter.
itman (1,749), posted January 31, 2018:
Personally, I think this is a false positive detection by EEK. To start out with, the Eset tool is a specialized cleaner for a specific type of malware. As pointed out, it's a bit dated and from what I can tell doesn't support Win 8.1 or 10. The way Emsisoft software works is to monitor unknown software for suspicious activity. I believe this Eset cleaner would fall into that category. The only thing that is a mystery is how the Eset cleaner software ended up in your download folder. Malware for the most part will use other directories. What might have occurred here is that the Eset Online Scanner downloaded it on demand during a scan, possibly?
TomFace (539, Author), posted January 31, 2018:
> 7 minutes ago, itman said:
> Personally, I think this is a false positive detection by EEK. To start out with, the Eset tool is a specialized cleaner for a specific type of malware. As pointed out, it's a bit dated and from what I can tell doesn't support Win 8.1 or 10. The way Emsisoft software works is to monitor unknown software for suspicious activity. I believe this Eset cleaner would fall into that category. The only thing that is a mystery is how the Eset cleaner software ended up in your download folder. Malware for the most part will use other directories. What might have occurred here is that the Eset Online Scanner downloaded it on demand during a scan, possibly?
That's what I'm thinking as well, itman.
> 1 hour ago, TomFace said:
> Think I'll wait to see what EMSI/BitDefender has to say. Thinking about it, the only thing I recently downloaded from ESET (other than the daily EIS updates) was the "newer" bits for the ESET Online scanner (I ran it 2 days ago... maybe. I also always use the same link I have saved in my favorites). I run it occasionally (just because), so I have the Online scanner main files. Just a thought, as the file description had "downloads" in it. I installed EIS on 12/1/17 (it was 11.0.149.0 back then; currently I run EIS 11.0.159.0).
I will post EMSI's reply once I get it.
Marcos (5,277, Administrators), posted January 31, 2018:
Definitely it's a false positive on our cleaner. It's unthinkable that ESET would sign and release a malicious tool/file.
TomFace (539, Author), posted January 31, 2018 (edited January 31, 2018 by TomFace):
> 23 minutes ago, Marcos said:
> Definitely it's a false positive on our cleaner. It's unthinkable that ESET would sign and release a malicious tool/file.
Thanks Marcos. I appreciate your input. But the detection, and the fact that I did use the ESET Online scanner just prior to the detection, makes me wonder what the connection is. I know ESET would NEVER release a malicious anything on purpose. But facts are facts. As I said previously, people, just like all A/V programs, are never 100% reliable (including myself). I am still a loyal ESET user because I know how well it works for me.
itman (1,749), posted January 31, 2018:
> 24 minutes ago, Marcos said:
> Definitely it's a false positive on our cleaner. It's unthinkable that ESET would sign and release a malicious tool/file.
Correct. However, I will point out a tactic being employed by Mimikatz to defeat, for example, SmartScreen scanning of PowerShell signed script downloads. In essence, it is copying MS code-signed certs from validly signed PowerShell scripts and using those for their malicious scripts. Granted, the download hash and the signature hash don't match, but it has been demonstrated that SmartScreen only checks that the script download is MS code signed and doesn't validate that the download hash matches the signature hash. Methinks that this Eset download needs to be thoroughly examined for discrepancies like the above. For example, does Eset's realtime scanner verify that the download hash matches the cert hash for anything Eset cert signed?
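The two checks raised in this thread, Peter Randziak's signature-and-SHA1 comparison and itman's question of whether the signed content actually matches what is on disk, can be done together from PowerShell. This is an added example, not a script from the thread or from ESET or Emsisoft; the file path and the `-match 'ESET'` subject check are assumptions, and the SHA1 is the value Peter posted for his copy.

```powershell
# Added example (not from the thread): verify the Authenticode signature of a
# quarantined-then-restored file and compare its SHA1 with a known-good copy.
param(
    # Assumed location; adjust to wherever the file was restored.
    [string]$Path = "$env:USERPROFILE\Downloads\ESETIRCBotANRCleaner.exe",
    # SHA1 posted in the thread for the copy downloaded from ESET.
    [string]$ExpectedSha1 = "c553a7d911b531c7faa4c9aa821c4d2c4f4c31d5"
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "File not found: $Path (restore it from quarantine first)"
    return
}

# Get-AuthenticodeSignature re-hashes the file and checks it against the hash
# inside the signature, so a file that merely carries a copied signature block
# reports HashMismatch rather than Valid; an unsigned file reports NotSigned.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
Write-Output ("Signature status : {0}" -f $sig.Status)
$signerLooksRight = $false
if ($sig.SignerCertificate) {
    Write-Output ("Signer           : {0}" -f $sig.SignerCertificate.Subject)
    Write-Output ("Valid until      : {0}" -f $sig.SignerCertificate.NotAfter)
    # Assumption: the publisher name in the subject contains "ESET".
    $signerLooksRight = $sig.SignerCertificate.Subject -match 'ESET'
}

# Independent check: does the on-disk file equal the copy from the vendor site?
$sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLowerInvariant()
$hashMatches = ($sha1 -eq $ExpectedSha1.ToLowerInvariant())
Write-Output ("SHA1             : {0}" -f $sha1)
Write-Output ("Matches known copy: {0}" -f $hashMatches)

# Only a Valid signature from the expected publisher plus a matching hash
# supports the false-positive conclusion; anything else goes to the vendor.
if ($sig.Status -eq 'Valid' -and $signerLooksRight -and $hashMatches) {
    Write-Output "Verdict: signed by the expected publisher and identical to the known-good copy."
} else {
    Write-Output "Verdict: cannot confirm; submit the file to the vendor for analysis."
}
```

Run it from a PowerShell prompt after restoring the file from quarantine; the Status line answers itman's question directly, since HashMismatch is exactly the case where a signature is present but no longer covers the file contents.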
TomFace (539, Author), posted January 31, 2018 (edited January 31, 2018 by TomFace):
From Emsisoft: "BitDefender just confirmed that this is a false positive and the detection will be removed in the next update." Thanks to all who responded to my post. Again, how that file downloaded to my machine is a (partial) mystery to me. Hopefully someone will look into it.