False positive or real? Mcbuilder.exe


Salenai

Hi, I just scanned my computer with Eset Online Scanner and it found this:

C:\Windows\WinSxS\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_10.0.17134.165_none_fba14b370afb4d95\mcbuilder.exe    pravdepodobne neznámy CRYPT.COM vírus    zmazaný

*probable Crypto.com virus* in English

I am unable to recover it because it is deleted, but still, I do not tend to visit unsafe websites or anything. Is this a known false positive? Thanks.


  • Administrators

If you view the file mcbuilder.exe, it most likely doesn't start with "MZ" and its size is smaller than 64kB. Could you confirm? Files should not have the EXE extension unless they are PE executables. In this case it's scanned by heuristics because it treats it as an executable, but in fact it is not an executable.

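The check described above (does the file start with "MZ", and does the MZ header point at a real "PE\0\0" signature?) is easy to script. The following is an added example, not ESET's code or anything from this thread; the sample blobs are constructed inline so it runs offline.

```python
"""Triage a flagged .exe: is it a PE image, a bare MZ/DOS file, or not an executable at all?"""
import struct
import sys

PE_SIGNATURE = b"PE\0\0"
SMALL_THRESHOLD = 64 * 1024  # the 64 kB figure mentioned in the thread


def classify_image(data: bytes) -> dict:
    """Return size, header flags and a kind of 'pe', 'mz-only' or 'not-executable'."""
    result = {"size": len(data), "has_mz": False, "has_pe": False,
              "small": len(data) < SMALL_THRESHOLD, "kind": "not-executable"}
    # A PE file needs at least the 64-byte DOS header and must begin with "MZ".
    if len(data) < 64 or data[:2] != b"MZ":
        return result
    result["has_mz"] = True
    # e_lfanew at offset 0x3C gives the offset of the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        result["has_pe"] = True
        result["kind"] = "pe"
    else:
        result["kind"] = "mz-only"  # DOS-style header without a PE header
    return result


def classify_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return classify_image(fh.read())


# Constructed samples (not real files from the thread).
def _make_pe_sample() -> bytes:
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # PE signature right after the DOS header
    return bytes(hdr) + PE_SIGNATURE + b"\0" * 20


SAMPLE_PE = _make_pe_sample()
SAMPLE_MZ_ONLY = b"MZ" + b"\0" * 62 + b"\0" * 16  # e_lfanew = 0, no PE signature
SAMPLE_TEXT = b"this is not a program\n" * 10

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, classify_file(p))
```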

I am unable to retrieve this file unfortunately, I only saved a log of the scan. I tried.

The only info I have about it is from the log, and I copied the contents of the log here; basically it is just that one line.

Does it seem like a false positive to you? Mcbuilder.exe is a normal part of windows, or?

Thanks :)


As far as Win 10 1803 goes, I have two Mcbuilder.exe files in the  C:\Windows\WinSxS\ directory. Both are 84K 89K.

On 9/17/2018 at 7:20 AM, Salenai said:

I am unable to retrieve this file unfortunately

Did you check your Eset quarantine file via Eset GUI lookup?

Edited by itman

I had 4 mcbuilder.exe files before, now I have 3. One is 3,041 bytes, another 2,929 bytes, another 91,136 bytes.

Fourth one was deleted due to Eset.

I use Eset Online Scanner and I'm unable to do it :/. Should I send the other 3 files for analysis or is it not needed? Thx

Edited by Salenai

4 hours ago, Salenai said:

I use Eset Online Scanner and I'm unable to do it

Eset only performs malware removal assistance for users of the paid licensed versions of Eset. On the retail side that would be NOD32, Internet Security, and Smart Security versions.


If this is true then this is very insulting towards the rest of the users of your products.

This forum is called: Malware detection and cleaning.

Therefore it is a general forum for all of your products, not just selected ones.

There is also a forum called: Eset online scanner ESET Internet Security & ESET Smart Security Premium

Here it makes sense that you would write something like this, but it is not a section of forum where I posted my thread. I posted it in general forum and got refused to get help. Nice.

And btw, I tried comparing both normal Eset and Eset online scanner and chose to use Eset Online Scanner because it performs much better in detection than classic Eset.

Thanks a lot for your "help". 


  • Administrators

It is ok to report possible false positives or give constructive feedback even from trial users. This is not a problem at all.

Currently we don't know yet if we will whitelist the detected file. In the first place, a non-executable file with the exe extension should not exist on a disk. In my opinion, renaming the file's extension should not cause any issues and would solve the problem with detection.


Thanks, now this is something I liked to hear :).

I asked a friend of mine if he has such a file (McBuilder.exe) in the WinSxS folder in its particular subfolders, and he has one, itman has 2, I had 4, now after detection by Eset only 3. I guess it is part of Windows. I know there was a big update for Win 10 on the 13th of September; I had 3 folders created containing McBuilder.exe during the days afterwards. The one that was detected as a (probable) false positive by Eset was created on the 17th of September.

I tried uploading 2 McBuilder.exe files from their folders (the ones with tiny size) to VirusTotal and they were not detected by anything; the third one has over 90 mbs and I was unable to upload it there due to size.

Edited by Salenai

  • Administrators
11 minutes ago, itman said:

Suspect what the Eset Online scanner detected was crypto-loot.com which is a coin miner.

No, it was the old heuristics for DOS files that triggered the detection. Disabling it should not negatively affect detection of current threats.


As far as I am concerned, anything loaded to the Win global share directory should be in somewhat sync file size-wise with its corresponding system32 directory file. Mcbuilder.exe in the system32 directory for Win 10 1803 is 89K. I know of no reason why files of 2 - 3K in size would be assigned to this executable. If the file is not an executable, it most certainly shouldn't be named Mcbuilder.exe.

Edited by itman

I tried testing those files by uploading them to VirusTotal and they came back completely clean (they were scanned by 57-59 antivirus programs).

Btw, there are another 4 McBuilder.exe files in the Wow64 subfolder of the WinSxS folder.

I scanned both the Amd64 and WoW64 .exe files through VirusTotal and they all came back clean.

I uploaded them to microsoft file detection and they are reviewing/scanning them. 

This topic is now closed to further replies.