Malware Information


TomFace

I ran an in-depth EIS scan on my machine today which came back clean. I just did a scan with EEK (Emsisoft Emergency Kit) as I occasionally do, and it found this:

C:\Users\(Computer name)\Downloads\ESETIRCBotANRCleaner.exe  detected: DeepScan:Generic.Malware.P!g.58CC067A (B) [krnl.xmd]

As I am not an expert in researching malware, can anyone please give me more information about this vermin (like its purpose)? I do not visit risky websites and run a "clean" machine (or at least I try).

It was quarantined and cleaned by EEK.

Any information would be appreciated (and thanks in advance). 


I didn't do an extensive search, but it appears to show up on a lot of Eset distributor websites

https://support.eset.de/kb2903/

https://www.eset.com/kh/download/utilities/detail/family/47/

https://www.eset.ie/ie/download/utilities/detail/family/47/


  • Most Valued Members

Smells like a false positive by EEK. Upload it to VirusTotal and see what its detection rate is.

Even Emsisoft states that anything with "Gen" or "Generic" in the wording, detected by their software, has a possibility of being a FP.


  • Most Valued Members

The fact eset is in the filename makes me also wonder if it is a false positive


  • ESET Moderators

Hello,

@TomFace check the digital signature of the file; the tools released by us should have a valid one.

If the signature is O.K. you can send the file to Emsisoft as a false positive report.

If the file is not signed or the signature is not valid, please send it to me to check.

Regards, P.R.



Peter, thanks for the reply. I am not sure how to check the digital signature. Can you tell me how to do that, as the file is still in EEK quarantine? In addition, I did submit the file to Emsisoft (through EEK) and they said:

"Since the reported file was detected by our BitDefender engine, therefore we will forward this to BitDefender for further analysis. Any false positive detections or misclassification that may found during analysis will be fixed as soon as possible."

They will advise me of the results of their inquiry. While I know people cannot be 100% (just like any A/V program), I just get a bit "excited" :blink: with any detection (even if it's one every 2-4 years). My OCD must be showing :P

Thanks to itman, cyberhash and peteyt for their replies as well. ;)


  • ESET Moderators

Hello @TomFace

you will probably have to recover the file from the quarantine to be able to do that.

On Windows just right click on the file -> Properties -> Digital Signatures -> Details as shown on the screenshot.

The tool is quite old, so it will probably have the same SHA1 as mine, c553a7d911b531c7faa4c9aa821c4d2c4f4c31d5 (I downloaded the current one).

Regards, P.R.

(screenshot: Digital_Signature_check.JPG)

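The check Peter describes (Properties -> Digital Signatures, plus comparing the SHA1) done from the shell instead of the Explorer dialog. This is an added example, not code from the thread or from ESET. It assumes the file has already been restored from EEK quarantine to the path passed in, and it uses the SHA1 Peter posted for his copy of the tool as the reference value; the signer pattern "ESET" is an assumption about the certificate subject.

```powershell
# Added example: verify an Authenticode signature and the SHA1 of a file that was
# restored from quarantine. Assumptions: $FilePath points at the restored file,
# the reference SHA1 is the one posted in the thread, and the signer's Subject is
# expected to contain "ESET".
function Test-RestoredToolSignature {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $ExpectedSha1 = 'c553a7d911b531c7faa4c9aa821c4d2c4f4c31d5',
        [string] $ExpectedSignerPattern = 'ESET'   # substring expected in the signer certificate Subject
    )

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath (restore it from quarantine first)"
    }

    # Get-AuthenticodeSignature re-hashes the file, compares that hash with the one
    # inside the signature, and then validates the certificate chain. A signature
    # lifted from another file therefore comes back as 'HashMismatch', not 'Valid'.
    $sig  = Get-AuthenticodeSignature -LiteralPath $FilePath
    $sha1 = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA1).Hash.ToLowerInvariant()

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $signerOk = $signer -match $ExpectedSignerPattern
    $hashOk   = $sha1 -eq $ExpectedSha1.ToLowerInvariant()

    [pscustomobject]@{
        File            = $FilePath
        SignatureStatus = $sig.Status          # Valid / NotSigned / HashMismatch / NotTrusted / UnknownError
        StatusMessage   = $sig.StatusMessage
        Signer          = $signer
        SignerMatches   = $signerOk
        Sha1            = $sha1
        Sha1Matches     = $hashOk
        # Only worth filing as a false positive when all three checks pass;
        # otherwise the file should go to the vendor for analysis instead.
        LooksLikeOriginal = ($sig.Status -eq 'Valid') -and $signerOk -and $hashOk
    }
}

# Usage (the path is an assumption; adjust it to where the file was restored):
Test-RestoredToolSignature -FilePath "$env:USERPROFILE\Downloads\ESETIRCBotANRCleaner.exe" | Format-List
```

The decision rests on three independent facts: the signature verifies for this exact file content (Status is Valid, not merely "signed"), the signer is who you expect, and the hash matches a copy obtained from the vendor. Any one of them failing is a reason to keep the file quarantined and send it in, as Peter suggests.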

Think I'll wait to see what EMSI/BitDefender has to say. Thinking about it, the only thing I recently downloaded from ESET (other than the daily EIS updates) was the "newer" bits for the ESET Online Scanner (I ran it 2 days ago...maybe. I also always use the same link I have saved in my favorites). I run it occasionally (just because), so I have the Online Scanner main files. Just a thought, as the file description had "Downloads" in the description. I installed EIS on 12/1/17 (it was 11.0.149.0 back then; currently I run EIS 11.0.159.0).


Just now, Peter Randziak said:

Hello @TomFace

O.K., please let us know then what the response was.

Or you can send the file to me to do the check if you want.

Regards, P.R.

To do that I need to restore the file....correct?


Again, I think I'll let "sleeping dogs lie" at least for the moment. I only use EEK on occasion....like a 2nd opinion scanner (akin to HitmanPro).

Thanks again Peter.


Personally, I think this is a false positive detection by EEK. To start out with, the Eset tool is a specialized cleaner for a specific type of malware. As pointed out, it's a bit dated and from what I can tell doesn't support Win 8.1 or 10. The way Emsisoft software works is to monitor unknown software for suspicious activity. I believe this Eset cleaner would fall into that category.

The only thing that is a mystery is how the Eset cleaner software ended up in your download folder. Malware for the most part will use other directories. What might have occurred here is that the Eset Online Scanner downloaded it on demand during a scan, possibly?



That's what I'm thinking as well itman.:o


I will post EMSI's reply once I get it.


  • Administrators

Definitely it's a false positive on our cleaner. It's unthinkable that ESET would sign and release a malicious tool / file ;)



Thanks Marcos. I appreciate your input. But the detection and the fact that I did use the ESET Online scanner just prior to the detection makes me wonder what the connection is. 

I know ESET would NEVER release a malicious anything on purpose. But facts are facts. As I said previously, people, just like all A/V programs, are never 100% reliable (including myself:P). I am still a loyal ESET user because I know how well it works for me:).


24 minutes ago, Marcos said:

Definitely it's a false positive on our cleaner. It's unthinkable that ESET would sign and release a malicious tool / file

Correct.

However, I will point out a tactic being employed by Mimikatz to defeat, for example, SmartScreen scanning of signed PowerShell script downloads. In essence, it is copying MS code-signing certs from validly signed PowerShell scripts and using those for their malicious scripts. Granted, the download hash and the signature hash don't match, but it has been demonstrated that SmartScreen only checks that the script download is MS code signed and doesn't validate that the download hash matches the signature hash.

Methinks that this Eset download needs to be thoroughly examined for discrepancies like the above. For example, does Eset's realtime scanner verify that the download hash matches the cert hash for anything Eset cert signed?

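What a proper Authenticode verification does with the scenario itman describes, a signature block lifted from one validly signed PowerShell script and pasted onto a different script body. This is an added example, not code from the thread or from ESET or Emsisoft, and it says nothing about how SmartScreen or any particular scanner behaves; it only shows what the Windows signature check itself reports. It assumes a Windows host with the PKI module (New-SelfSignedCertificate), creates a throwaway self-signed code-signing certificate in Cert:\CurrentUser\My and removes it afterwards, and writes two scripts into a scratch directory under %TEMP%.

```powershell
# Added example: transplant a signature block from one .ps1 onto another and
# verify both. Assumptions: PKI module available, write access to $env:TEMP,
# a throwaway self-signed cert (created and removed here). Because that cert is
# not trusted, the honest script typically verifies as 'UnknownError' (untrusted
# root) rather than 'Valid'; the point is the tampered script, which comes back
# 'HashMismatch' no matter who signed it.
function Invoke-SignatureTransplantDemo {
    param([string] $WorkDir = (Join-Path $env:TEMP 'sigdemo'))

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $original = Join-Path $WorkDir 'original.ps1'
    $tampered = Join-Path $WorkDir 'tampered.ps1'

    $cert = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=Demo Code Signing (throwaway)' `
        -CertStoreLocation 'Cert:\CurrentUser\My'
    try {
        # 1. Sign a benign script. PowerShell appends the signature as a comment
        #    block: "# SIG # Begin signature block" ... "# SIG # End signature block".
        Set-Content -Path $original -Value "Write-Output 'benign'"
        Set-AuthenticodeSignature -FilePath $original -Certificate $cert | Out-Null

        # 2. Copy that signature block verbatim onto a different script body.
        $signed = Get-Content -Path $original -Raw
        $block  = $signed.Substring($signed.IndexOf('# SIG # Begin signature block'))
        Set-Content -Path $tampered -Value ("Write-Output 'payload'`r`n" + $block)

        # 3. Verify both. The certificate is identical; only the signed hash
        #    no longer matches the file content for the tampered copy.
        $o = Get-AuthenticodeSignature -FilePath $original
        $t = Get-AuthenticodeSignature -FilePath $tampered

        [pscustomobject]@{
            OriginalStatus   = $o.Status    # UnknownError here (self-signed root), hash itself is fine
            TamperedStatus   = $t.Status    # HashMismatch: right signer, wrong content
            SameSigner       = ($o.SignerCertificate.Thumbprint -eq $t.SignerCertificate.Thumbprint)
            # The only safe acceptance rule: Status -eq 'Valid', nothing weaker
            # such as "has a signer certificate from a trusted publisher".
            OriginalAccepted = ($o.Status -eq 'Valid')
            TamperedAccepted = ($t.Status -eq 'Valid')
        }
    }
    finally {
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -Force -ErrorAction SilentlyContinue
    }
}

Invoke-SignatureTransplantDemo | Format-List
```

The design point is that "signed by a publisher I trust" and "this file's signature verifies" are different questions. A checker that reads the signer certificate out of the signature block without recomputing the file hash answers only the first; Get-AuthenticodeSignature (and WinVerifyTrust underneath it) answers both, which is why the transplanted block is rejected with HashMismatch even though its certificate is the same one that signed the original.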

From Emsisoft:

 "BitDefender just confirmed that this is false positive and the detection will be removed in the next update."

Thanks to all who responded to my post :). Again, how that file downloaded to my machine is a (partial) mystery to me. Hopefully someone will look into it.

