Malware Information

TomFace · January 30, 2018

I ran an in-depth EIS scan on my machine today which came back clean. I just did a scan with EEK (Emsisoft Emergency Kit) as I occasional do, and it found this:

C:\Users\(Computer name)|Downloads\ESETIRCBotANRCleaner.exe detected: DeepScan:Generic.Malware.P!g.58CC067A (B) [krnl.xmd]

As I am not an expert in researching malware, can anyone please give me more information about this vermin (like it's purpose)? I do not visit risky websites and run a "clean" machine (or at least I try).

It was quarantined and cleaned by EEK.

Any information would be appreciated (and thanks in advance).

Edited January 30, 2018 by TomFace

itman · January 30, 2018

I didn't do an extensive search, but appears to show up on a lot on Eset distributor web sites

https://support.eset.de/kb2903/

https://www.eset.com/kh/download/utilities/detail/family/47/

https://www.eset.ie/ie/download/utilities/detail/family/47/

Edited January 30, 2018 by itman

cyberhash · January 30, 2018

Smells like a false positive by EEK. Upload it to virustotal and see what it's detection rate is

Even Emsisoft state that anything with "Gen or Generic" in the wording, detected by their software has a possibility of being a FP.

peteyt · January 31, 2018

2 hours ago, TomFace said:

I ran an in-depth EIS scan on my machine today which came back clean. I just did a scan with EEK (Emsisoft Emergency Kit) as I occasional do, and it found this:

C:\Users\(Computer name)|Downloads\ESETIRCBotANRCleaner.exe detected: DeepScan:Generic.Malware.P!g.58CC067A (B) [krnl.xmd]

As I am not an expert in researching malware, can anyone please give me more information about this vermin (like it's purpose)? I do not visit risky websites and run a "clean" machine (or at least I try).

It was quarantined and cleaned by EEK.

Any information would be appreciated (and thanks in advance).

The fact eset is in the filename makes me also wonder if it is a false positive

Peter Randziak · January 31, 2018

Hello,

@TomFace check the digital signature of the file, the tools released by us should have a valid one,.

If the signature is O.K. you can send the file to Emisoft as a false positive report.

If the file is not signed or the signature is not valid, please send it to me to check.

Regards, P.R.

TomFace · January 31, 2018

5 hours ago, Peter Randziak said:

Hello,

@TomFace check the digital signature of the file, the tools released by us should have a valid one,.

If the signature is O.K. you can send the file to Emisoft as a false positive report.

If the file is not signed or the signature is not valid, please send it to me to check.

Regards, P.R.

Peter, thanks for the reply. I am not sure how to check the digital signature. Can you tell me how to do that as the file is still in EEK quarantine?. In addition, I did submit the file to Emsisoft (through EEK) and they said:

"Since the reported file was detected by our BitDefender engine, therefore we will forward this to BitDefender for further analysis. Any false positive detections or misclassification that may found during analysis will be fixed as soon as possible."

They will advise me of the results of their inquiry. While I know people cannot not be 100% (just like any A/V program), I just get a bit "excited" :blink: with any detection (even if it's one every 2-4 years). My OCD must be showing.

Thanks to itman, cyberhash and peteyt for their replies as well.

Edited January 31, 2018 by TomFace

Peter Randziak · January 31, 2018

Hello @TomFace

you will probably have to recover the file from the quarantine to be able to do that.

On Windows just right click on the file -> Properties -> Digital Signatures -> Details as shown on the screenshot.

The tool is quite old so probably it will have same SHA1 as mine "c553a7d911b531c7faa4c9aa821c4d2c4f4c31d5 " (I downloaded the actual one)

Regards, P.R.

TomFace · January 31, 2018

Think I'll wait to see what ESMSI/BitDefender has to say. Thinking about it, the only thing I recently downloaded from ESET (other than the daily EIS updates) was the "newer" bits for the ESET Online scanner (I ran it 2 days ago...maybe. I also always use the same link I have saved in my favorites) . I run it occasional (just because) so I have the Online scanner main files. Just a thought as the file description had "downloads" in the description. I installed EIS on 12/1/17 (it was 11.0.149.0 back then-currently I run EIS 11.0.159.0).

Edited January 31, 2018 by TomFace

Peter Randziak · January 31, 2018

Hello @TomFace

O.K. please let us know than what was the response.

Or you can send the file to me to do the check if you want.

Regards, P.R.

TomFace · January 31, 2018

Just now, Peter Randziak said:

Hello @TomFace

O.K. please let us know than what was the response.

Or you can send the file to me to do the check if you want.

Regards, P.R.

To do that I need to restore the file....correct?

Peter Randziak · January 31, 2018

Hello @TomFace

I assume yes, but I never used the Emisoft product,...

Regards, P.R.

TomFace · January 31, 2018

Again, I think I'll let "sleeping dogs lie" at least for the moment. I only use EEK on occasion....like a 2nd opinion scanner (akin to HitmanPro).

Thanks again Peter.

itman · January 31, 2018

Personally, I think this is a false positive detection by EEK. To start out with, the Eset tool is a specialized cleaner for a specific type of malware. As pointed out, it's a bit dated and from what I can tell doesn't support Win 8.1 or 10. The way Emsisoft software works is to monitor unknown software for suspicious activity. I believe this Eset cleaner would fall into that category.

The only thing that is a mystery is how the Eset cleaner software ending up your download folder? Malware for the most part will use other directories. What might have occurred here is the Eset Online Scanner downloaded it on demand during a scan possibly?

TomFace · January 31, 2018

7 minutes ago, itman said:

Personally, I think this is a false positive detection by EEK. To start out with, the Eset tool is a specialized cleaner for a specific type of malware. As pointed out, it's a bit dated and from what I can tell doesn't support Win 8.1 or 10. The way Emsisoft software works is to monitor unknown software for suspicious activity. I believe this Eset cleaner would fall into that category.

The only thing that is a mystery is how the Eset cleaner software ending up your download folder? Malware for the most part will use other directories. What might have occurred here is the Eset Online Scanner downloaded it on demand during a scan possibly?

That's what I'm thinking as well itman.

1 hour ago, TomFace said:

Think I'll wait to see what ESMSI/BitDefender has to say. Thinking about it, the only thing I recently downloaded from ESET (other than the daily EIS updates) was the "newer" bits for the ESET Online scanner (I ran it 2 days ago...maybe. I also always use the same link I have saved in my favorites) . I run it occasional (just because) so I have the Online scanner main files. Just a thought as the file description had "downloads" in the description. I installed EIS on 12/1/17 (it was 11.0.149.0 back then-currently I run EIS 11.0.159.0).

I will post EMSI's reply once I get it.

Marcos · January 31, 2018

Definitely it's a false positive on our cleaner. It's unthinkable that ESET would sign and release a malicious tool / file

TomFace · January 31, 2018

23 minutes ago, Marcos said:

Definitely it's a false positive on our cleaner. It's unthinkable that ESET would sign and release a malicious tool / file

Thanks Marcos. I appreciate your input. But the detection and the fact that I did use the ESET Online scanner just prior to the detection makes me wonder what the connection is.

I know ESET would NEVER release a malicious anything on purpose. But facts are facts. As I said previously, people, just like all A/V programs, are never 100% reliable (including myself). I am still a loyal ESET user because I know how well it works for me.

Edited January 31, 2018 by TomFace

itman · January 31, 2018

24 minutes ago, Marcos said:

Definitely it's a false positive on our cleaner. It's unthinkable that ESET would sign and release a malicious tool / file

Correct.

However, I will point out a tactic being employed by Mimikatz to defeat for example SmartScreen scanning of PowerShell signed script downloads. In essence, it is copying MS code signed certs. from validly signed Powershell scripts and using those for their malicious scripts. Granted, the download hash and the signature hash don't match but it has been demonstrated that SmartScreen only checks that the script download is MS code signed and doesn't validate the download hash matches the signature hash.

Me thinks that the this Eset download needs to be thoroughly examined for like above discrepancies. For example, does Eset's realtime scanner verify that the download hash matches the cert. hash for anything Eset cert. signed?

TomFace · January 31, 2018

From Emsisoft:

"BitDefender just confirmed that this is false positive and the detection will be removed in the next update."

Thanks to all who responded to my post. Again, how that filed downloaded to my machine is a (partial) mystery to me. Hopefully someone will look it to it.

Edited January 31, 2018 by TomFace

Sign In

Malware Information

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics