Raj Oberai, posted February 26, 2018

Hello all, I am using ESET Smart Security version 11.0.159.9. I have an application that I need to run on a regular basis. I have added that application to the exclusion list under:

- Real Time Protection
- Web and Email
- Protocol filtering
- Firewall
- Application Modification Detection

I have excluded the path of the folder where the application is installed as well. The application creates a link for the application in the temp folder and starts from there; I can't add the temp folder to exclusions due to obvious reasons. Can anyone help as to why, despite adding it to exclusions, it is not running unless I close ESET? Its path is: C:\Users\USERNAME~1\AppData\Local\Temp

I have attached the images for the path of the application (highlighted in yellow) and the places I have added it to exclusions. Please ask if any other details are needed; I will try and provide them.

Thanks
Raj
Marcos (Administrator), posted February 26, 2018

Remove all exclusions and exclude the path * with the detection name @NAME=MSIL/HackKMS.E.
Raj Oberai, posted February 26, 2018 (edited)

> 19 minutes ago, Marcos said: Remove all exclusions and exclude the path * with the detection name @NAME=MSIL/HackKMS.E.

My problem is not with that, mate; it's with "ITAutoUtility.exe", which is unable to launch until I pause protection. Anyway, I have done what you suggested.
Raj Oberai, posted February 27, 2018

Anyone?
Marcos (Administrator), posted February 27, 2018

Is it detected upon execution? Does temporarily disabling HIPS and rebooting the machine make a difference?
Raj Oberai, posted February 27, 2018

> 2 hours ago, Marcos said: Is it detected upon execution? Does temporarily disabling HIPS and rebooting the machine make a difference?

Note, it's not detected upon execution. I have disabled HIPS and then tried, but it didn't work (didn't reboot the machine after disabling HIPS though; will try that and revert).
Raj Oberai, posted February 27, 2018

> 2 hours ago, Marcos said: Is it detected upon execution? Does temporarily disabling HIPS and rebooting the machine make a difference?

Yes, it's working after disabling HIPS and rebooting. But isn't it risky to keep HIPS disabled? Any way to make it work without disabling HIPS?

Thanks
Marcos (Administrator), posted February 27, 2018

Disabling HIPS was not suggested as an ultimate solution to the issue. Now please re-enable HIPS, disable Advanced Memory Scanner and reboot the computer. Let us know if the issue is gone or not.
Raj Oberai, posted February 28, 2018

> 19 hours ago, Marcos said: Disabling HIPS was not suggested as an ultimate solution to the issue. Now please re-enable HIPS, disable Advanced Memory Scanner and reboot the computer. Let us know if the issue is gone or not.

Hi

Under HIPS > Basic > Rules I added that application to allow, and now it's working.

Thanks a lot. Will mark this as Solved (if users don't have that option, then please do it).
Marcos (Administrator), posted February 28, 2018

Basically it should work with default settings. Please temporarily disable the rule as well as Advanced Memory Scanner and check if the issue persists. I'd appreciate it if you could provide me with instructions on how to reproduce the issue.
Raj Oberai, posted March 1, 2018

> 23 hours ago, Marcos said: Basically it should work with default settings. Please temporarily disable the rule as well as Advanced Memory Scanner and check if the issue persists. I'd appreciate it if you could provide me with instructions on how to reproduce the issue.

Nope, not working. Sorry for the late reply.
itman, posted March 1, 2018 (edited)

> On 2/28/2018 at 2:18 AM, Raj Oberai said: Under HIPS > Basic > Rules I added that application to allow, and now it's working.

This makes no sense to me. By default, the HIPS would not block any .exe running from C:\Users\USERNAME~1\AppData\Local\Temp. If it did, most app installations would fail, since many use that directory for installation .exe's. I assume you have no existing user-created HIPS rules that monitor .exe startup activity from the C:\Users\USERNAME~1\AppData\Local\Temp directory?

As far as the Advanced Memory Scanning detection possibility, it could also be that Exploit or Ransomware Protection is detecting something. Have you checked your Eset logs, like the Detected Threats or the HIPS logs, for any entries related to ITAutoUtility.exe?
Marcos (Administrator), posted March 1, 2018

> 12 hours ago, Raj Oberai said: Nope, not working.

Ok, so re-enable Advanced Memory Scanner and now disable Exploit Blocker and Self-defense, one at a time.
Raj Oberai, posted March 3, 2018

> On 3/2/2018 at 12:37 AM, itman said: This makes no sense to me. By default, the HIPS would not block any .exe running from C:\Users\USERNAME~1\AppData\Local\Temp. If it did, most app installations would fail, since many use that directory for installation .exe's. I assume you have no existing user-created HIPS rules that monitor .exe startup activity from the C:\Users\USERNAME~1\AppData\Local\Temp directory? As far as the Advanced Memory Scanning detection possibility, it could also be that Exploit or Ransomware Protection is detecting something. Have you checked your Eset logs, like the Detected Threats or the HIPS logs, for any entries related to ITAutoUtility.exe?

It doesn't give any message; the exe just fails to load the webpage it is supposed to load.

> On 3/2/2018 at 1:22 AM, Marcos said: Ok, so re-enable Advanced Memory Scanner and now disable Exploit Blocker and Self-defense, one at a time.

Ok, will do it one by one and then report back if it helped in any way.

Thanks both
Raj Oberai, posted March 3, 2018

> On 3/2/2018 at 1:22 AM, Marcos said: Ok, so re-enable Advanced Memory Scanner and now disable Exploit Blocker and Self-defense, one at a time.

Disabling Exploit Blocker does the job, i.e. I am able to run the "exe" after that. Didn't try to disable Self Defense, as the real issue was known (at least I think so).

Waiting for your advice as to what to do now.

Thanks
Marcos (Administrator), posted March 3, 2018

For reproducing the issue, would it be enough to get that exe and run it on our testing machines?
Raj Oberai, posted March 3, 2018

> 29 minutes ago, Marcos said: For reproducing the issue, would it be enough to get that exe and run it on our testing machines?

Don't think so, as that exe is part of a software package, but if you want I can copy that, zip it and upload it here.

Thanks
itman, posted March 3, 2018 (edited)

> 6 hours ago, Raj Oberai said: Don't think so, as that exe is part of a software package, but if you want I can copy that, zip it and upload it here.

ITAutoUtility.exe has to be stored somewhere on your hard drive. You posted previously that it was located in the C:\Users\USERNAME~1\AppData\Local\Temp directory. If so, go to the VirusTotal web site and then upload it from the Temp directory for a scan. I am curious to see if any of the other AV vendors flag the file as malicious.
Raj Oberai, posted March 5, 2018

> On 3/3/2018 at 8:35 PM, itman said: ITAutoUtility.exe has to be stored somewhere on your hard drive. You posted previously that it was located in the C:\Users\USERNAME~1\AppData\Local\Temp directory. If so, go to the VirusTotal web site and then upload it from the Temp directory for a scan. I am curious to see if any of the other AV vendors flag the file as malicious.

https://www.virustotal.com/#/file/2398033edcd6c02e2b10f062a3e94915dea189f56c56662b2515b1b3627bee78/detection

The above is the result of the scan.

Thanks
itman, posted March 5, 2018 (edited)

Only Cylance flagged the file at VT. However, and of note, is the following:

> Compressed Parents
> Date scanned: 2018-02-20
> Detections: 10/66
> File type: Win32 EXE
> Name: CompuOffice_ServicePack.exe

Appears the CompuOffice installer does contain malware. Note that when VT does a scan, the AVs employed are only performing static analysis. If this .exe employs exploit behavior, they probably wouldn't detect it.

Zip up the file as @Marcos requested and post it here. I'll scan the file on a site that does dynamic analysis.

-EDIT- I will also add that if this process does indeed perform exploiting activity, it will be difficult to test. An exploit requires a vulnerability. If the vulnerability does not exist on the test device, the exploit activity will be blocked by the OS or not run at all.
Raj Oberai, posted March 6, 2018

> 17 hours ago, itman said: Only Cylance flagged the file at VT. However, and of note, is the following: Appears the CompuOffice installer does contain malware. Note that when VT does a scan, the AVs employed are only performing static analysis. If this .exe employs exploit behavior, they probably wouldn't detect it. Zip up the file as @Marcos requested and post it here. I'll scan the file on a site that does dynamic analysis. -EDIT- I will also add that if this process does indeed perform exploiting activity, it will be difficult to test. An exploit requires a vulnerability. If the vulnerability does not exist on the test device, the exploit activity will be blocked by the OS or not run at all.

I already zipped the file and Private Messaged it to @Marcos, but he is yet to check his PMs. I thought posting it here wouldn't be safe, hence I PM'ed him. Anyway, here's the link for the file: hxxp://www79.zippyshare.com/v/BdrcTBox/file.html

Thanks
itman, posted March 6, 2018

That download site has malware on it. It tried to download a fake Flash Player update.

Go here: https://www.hybrid-analysis.com/ and upload ITAutoUtility.exe for a scan. It will report back a percentage, e.g. xx/100, as to malicious status. Post what that percentage is.
Marcos (Administrator), posted March 6, 2018

I'm getting the following notice regardless of whether HIPS is enabled or not. Didn't find any difference between HIPS being enabled and disabled. The process ended normally in either case.
Raj Oberai, posted March 7, 2018

> 12 hours ago, itman said: That download site has malware on it. It tried to download a fake Flash Player update. Go here: https://www.hybrid-analysis.com/ and upload ITAutoUtility.exe for a scan. It will report back a percentage, e.g. xx/100, as to malicious status. Post what that percentage is.

Report

Not sure what details to give you, hence I shared the link above; hopefully it will work. The only reference in percentage I could find there was this:

Classification (TrID)
84.4% (.EXE) Win32 Executable Microsoft Visual Basic 6
6.7% (.DLL) Win32 Dynamic Link Library (generic)
4.6% (.EXE) Win32 Executable (generic)
2.0% (.EXE) Generic Win/DOS Executable
2.0% (.EXE) DOS Executable Generic

> 12 hours ago, Marcos said: I'm getting the following notice regardless of whether HIPS is enabled or not. Didn't find any difference between HIPS being enabled and disabled. The process ended normally in either case.

This file I don't have to click myself; it needs to run when I click on a button (say login) in my software, which uses this file. When I don't have it as an exclusion under Rules > HIPS it just doesn't open the webpage it is supposed to, and nothing happens; when I add it as an exclusion it opens the webpage just fine.

Thanks
itman, posted March 7, 2018 (edited)

Hybrid-Analysis didn't find anything overly malicious. However, it noted a couple of things:

1. Software signing cert. not valid. VT also noted this.
2. Possible RPC suspicious activities.
3. Flagged this API call: NtQueryValueKey@NTDLL.DLL, ValueName CWDIllegalInDLLSearch

Also of note is that VT showed Windows hooking, i.e. SetWindowsHook. Did not see this specifically noted in the Hybrid-Analysis report.

Since this appears to be income tax software (India based?), I still would be cautious. Remember the Ukraine WannaCry incident?

-EDIT- Also of note:

> Unusual Characteristics
> CRC value set in PE header does not match actual value
> details: "ITAutoUtility.exe.bin" claimed CRC 780579 while the actual is CRC 950076
> source: Static Parser
> relevance: 10/10
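The "CRC value set in PE header does not match actual value" finding above refers to the CheckSum field of the PE optional header. As an added example (not code from the thread, ESET or Hybrid-Analysis), the Python script below implements the PE CheckSum algorithm used by Windows (ones-complement sum of the file with the field itself excluded, folded to 16 bits, plus the file length) and compares a file's claimed value with the computed one. The PE image it checks is a minimal structure constructed inline for the demo; the thread's 780579 is reused only as a sample claimed value.

```python
import struct

def build_min_pe(claimed_checksum: int) -> bytes:
    """Construct a minimal, non-runnable PE32 header-only image (constructed demo data, not a real binary)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"                                     # DOS magic
    dos[0x3C:0x40] = struct.pack("<I", 64)               # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 0 sections, 224-byte optional header
    opt = bytearray(224)
    opt[0:2] = struct.pack("<H", 0x10B)                  # PE32 magic
    opt[0x40:0x44] = struct.pack("<I", claimed_checksum) # IMAGE_OPTIONAL_HEADER.CheckSum
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def checksum_field_offset(data: bytes) -> int:
    """Locate CheckSum: e_lfanew + 4 (signature) + 20 (COFF header) + 0x40 (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 4 + 20 + 0x40

def pe_checksum(data: bytes) -> int:
    """Compute the value Windows expects in CheckSum (the MapFileAndCheckSum algorithm)."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    buf[off:off + 4] = b"\0\0\0\0"                       # the field itself is excluded from the sum
    buf += b"\0" * ((-len(buf)) % 4)                     # pad a trailing partial 32-bit word
    total = 0
    for (word,) in struct.iter_unpack("<I", buf):
        total += word
        if total > 0xFFFFFFFF:                           # end-around carry (ones-complement add)
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)             # fold to 16 bits
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def verify_checksum(data: bytes) -> dict:
    """Compare claimed vs computed; a mismatch is a triage flag (tampering, patching), not proof of malice."""
    claimed = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    actual = pe_checksum(data)
    return {"claimed": claimed, "actual": actual, "matches": claimed == actual}

if __name__ == "__main__":
    # Thread's reported claimed value in a constructed image: it will not match the computed one.
    print(verify_checksum(build_min_pe(780579)))
    # Rebuilding the image with the computed value makes it match.
    print(verify_checksum(build_min_pe(pe_checksum(build_min_pe(0)))))
```

Many legitimate unsigned binaries ship with CheckSum set to 0, so treat a zero field differently from a wrong non-zero one when triaging.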