portman, posted October 7, 2018:
I am running Endpoint 6.6.2072.4 on a Windows 7 64bit platform. It just identified 20 instances of ExtenBro.Agent.DP as Trojan located in multiple locations on my System Drive. I have not been able to find any credible evidence of the existence of the malware online. Does anyone have any information?
Marcos (Administrator), posted October 7, 2018:
Please post the appropriate records from the Detected threats log.
portman, posted October 7, 2018 (edited):
Marcos - I will post the log just as soon as eSet completes its Scan, but I cannot understand why you need that data just to answer a simple question. Is ExtenBro.Agent.DP a trojan or not? Simple question, needing a one word answer: Yes, No, Don'no. The response will simply lead me to delete or ignore the offending items - they do not present an alternative to "Clean" them.
Edited October 7, 2018 by portman: omitted a word.
itman, posted October 7, 2018:
4 hours ago, portman said: "I have not been able to find any credible evidence of the existence of the malware online."
Upload one of the detected files to VirusTotal.
portman, posted October 7, 2018:
Wiseman - I would be happy to do the upload and I have isolated one of the . Could you please tell me how to upload a file to "Virus Total"? The file containing the supposed Trojan is named: tmp-9er.xpi
portman, posted October 7, 2018:
I figured out how to upload the file to Virus Total and scanned it. All of the services except eSet reported it as a clean file. eSet reports its content - JS/ExtenBro.Agent.DP - as a threat, but the file is marked as clean.
portman, posted October 7, 2018:
Marcos - Attached please find the detected threat log: eSEt Detected Threat Logs.zip
Marcos (Administrator), posted October 7, 2018:
Please gather all logs with ELC. The Detected threats log is empty. The sample that was used to create a detection was dropped by an InnoSetup installer so it's likely it was installed with some programs on your machine. You are right, ESET appears to be the only AV to detect it which is a good example of how well ESET protects users from threats that are missed also by AVs with 100% detection in tests.
itman, posted October 7, 2018:
Files with the .xpi suffix are Firefox extensions. They are basically zipped files.
portman, posted October 8, 2018:
itman - I know they are zipped files and I know they are related to Firefox extensions. It is the file zipped up in a few of them that eSet is identifying as a Trojan and that file is ExtenBro.Agent.DP. I am running a complete Log Collection now and will upload it shortly.
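Since an .xpi is just a zip archive and the detection is on a file inside it, the inner file can be hashed and looked up (or submitted) on its own rather than uploading the whole extension. The following is an added example, not code from the thread or from ESET; the sample archive it builds stands in for tmp-9er.xpi, and its member names and contents are constructed placeholders.

```python
"""Inspect a Firefox .xpi (a zip archive) without running anything in it.

Added example, not from the thread. It lists every archive member with its
SHA-256 so the one inner file a scanner flags can be looked up or submitted
by hash. The archive built below stands in for tmp-9er.xpi; its member
names and contents are constructed placeholders.
"""
import hashlib
import io
import zipfile


def inspect_xpi(data: bytes) -> list:
    """One record per member: name, size, sha256, and whether it is script
    or manifest content (the parts worth reading first)."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)  # read only, never executed
            records.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(content).hexdigest(),
                "script": info.filename.lower().endswith((".js", ".jsm")),
                "manifest": info.filename in ("manifest.json", "install.rdf"),
            })
    return records


def build_sample_xpi() -> bytes:
    """Constructed stand-in for the detected .xpi; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", '{"manifest_version": 2, "name": "sample"}')
        zf.writestr("background.js", "")  # empty placeholder script
        zf.writestr("icons/icon.png", b"\x89PNG placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in inspect_xpi(build_sample_xpi()):
        tag = "SCRIPT" if rec["script"] else ("MANIFEST" if rec["manifest"] else "")
        print(f"{rec['sha256']}  {rec['size']:>7}  {rec['name']}  {tag}")
```

To use it on a real extension, pass `Path("tmp-9er.xpi").read_bytes()` to `inspect_xpi` instead of the constructed archive.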
Marcos (Administrator), posted October 8, 2018:
15 hours ago, itman said: "Files with the .xpi suffix are Firefox extensions. They are basically zipped files."
I overlooked the information that it was found in an xpi file. It's unlikely to be a false positive, however, @portman please submit the xpi file to ESET for further analysis to confirm the detection. For instructions, read https://support.eset.com/kb141.
Nightowl (Most Valued Member), posted October 8, 2018 (edited):
22 hours ago, portman said: "I am running Endpoint 6.6.2072.4 on a Windows 7 64bit platform. It just identified 20 instances of ExtenBro.Agent.DP as Trojan located in multiple locations on my System Drive. I have not been able to find any credible evidence of the existence of the malware online. Does anyone have any information?"
Where did ESET find these files? In the cache of the browser? Virusradar has no description for this trojan yet; I found a description for one that ends with .DJ instead of .DP: https://howtoremove.guide/jsextenbro-agent-dj-trojan-virus-remove/
According to Microsoft's description for the same name but a different ending, the trojan when active prevents your PC from accessing update files through the Hosts file in Windows "%windir%/system32/Drivers/etc/hosts". If you could take a look at your hosts file and check if it has been modified by the trojan; for the best measure keep the trojan in Quarantine now till you make sure that it's a trojan or it's a false positive, so that you will be able to restore it (if you are interested).
I found this from Sophos also: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-DP/detailed-analysis.aspx
You could find more information there to help you determine whether that was a false positive or not. All of the sites that I have searched list that this trojan once active will change the hosts file in order to prevent you from communicating with the servers of the AV that you do use, but one thing that is missing from the list is the ESET servers.
According to Sophos, the trojan will try to terminate your AV; the list is on their website, but egui is not among them, so it shouldn't be terminated because the trojan won't look for it, because it's not made to look for it, and even in the hosts file it's not in the design to block ESET updates. Please do check your hosts file to determine if the trojan was running before.
Edited October 8, 2018 by Rami
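A quick way to do the hosts-file check Nightowl suggests is to parse the file and report any mapping that points a vendor or update hostname at a loopback/sinkhole address or off-box. This is an added example, not code from the thread; the vendor keyword list and the sample hosts text are assumptions constructed for illustration, and the many 127.0.0.1 ad-domain entries that Spybot's immunization adds are deliberately left unflagged.

```python
"""Report hosts-file entries that would sinkhole AV / update servers.
Added example, not from the thread. VENDOR_KEYWORDS and SAMPLE_HOSTS are
constructed assumptions; Spybot-style ad-blocking entries are not flagged.
"""
from pathlib import Path

# Assumed keyword list: hostnames containing these are treated as vendor or
# update domains. Extend it for the products actually installed.
VENDOR_KEYWORDS = ("eset", "microsoft", "windowsupdate", "sophos", "symantec",
                   "kaspersky", "mcafee", "avast", "avg", "virustotal")
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
DEFAULT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text: str) -> list:
    """Return (ip, hostname, line_no) for every active mapping."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                # one IP may map several names
            entries.append((parts[0], host.lower(), line_no))
    return entries

def suspicious_entries(text: str) -> list:
    """Vendor-looking hostnames pointed at a sinkhole address ("sinkhole")
    or at any other address, i.e. hijacked off-box ("redirect")."""
    hits = []
    for ip, host, line_no in parse_hosts(text):
        if host in DEFAULT_LOCAL:
            continue
        if any(k in host for k in VENDOR_KEYWORDS):
            hits.append({"line": line_no, "ip": ip, "host": host,
                         "kind": "sinkhole" if ip in SINKHOLE_IPS else "redirect"})
    return hits

SAMPLE_HOSTS = """\
# Constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test   # Spybot-style immunization, benign
127.0.0.1       update.eset.example        # would block vendor updates
10.0.0.99       download.windowsupdate.example  # redirected off-box
"""

if __name__ == "__main__":
    path = Path(r"C:\Windows\System32\drivers\etc\hosts")
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    for hit in suspicious_entries(text):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['kind']})")
```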
portman, posted October 8, 2018:
Marcos - I have followed your instructions and uploaded the file to eSet support under a case #. They are looking at it now.
portman, posted October 8, 2018:
Rami - Thank you for your comments. Please note that in my original search I also found the Virusradar and Sophos sites, but I did not deem their reports credible as the only changes in my Host file have been made by Spybot and also because they are not as well known as eSet, MS, etc etc. Also note that it is entirely possible that eSet simply delivered a false positive here and I would really rather have them determine that. With these notifications, as I may have mentioned in an earlier post, there is no option to Quarantine the suckers. I can only delete or ignore, so for a few more hours, I will just ignore.
Nightowl (Most Valued Member), posted October 9, 2018:
17 hours ago, portman said: "Rami - Thank you for your comments. Please note that in my original search I also found the Virusradar and Sophos sites, but I did not deem their reports credible as the only changes in my Host file have been made by Spybot and also because they are not as well known as eSet, MS, etc etc. Also note that it is entirely possible that eSet simply delivered a false positive here and I would really rather have them determine that. With these notifications, as I may have mentioned in an earlier post, there is no option to Quarantine the suckers. I can only delete or ignore, so for a few more hours, I will just ignore."
When ESET detects something and no action is selected, it will go into Quarantine unless you told it to ignore the file, but the Trojan that you are talking about should make some changes to the hosts file to prevent AVs from connecting to their update servers.
portman, posted October 9, 2018:
Thanks Rami - I did not know that if I take no action they get sent to Quarantine. I did click on No Action, but the files did NOT get sent to Quarantine; they just stayed where they were and still are. No problem - as they did not interact with my Host file, I will wait for eSet to reply. Thanks again,
itman, posted October 9, 2018 (edited):
As far as what Eset quarantines, it depends on what protection feature detected the PUA. As a general rule, unless the PUA exists on disk, it will not be quarantined. So, most PUA alerts that are detected via Eset's web filtering protection do not result in a quarantine entry being created. This is a very important point to note since when you select "Ignore," you are allowing the PUA detection to run in the browser's memory space or to be downloaded to disk.
Edited October 9, 2018 by itman
Nightowl (Most Valued Member), posted October 9, 2018:
31 minutes ago, portman said: "Thanks Rami - I did not know that if I take no action they get sent to Quarantine. I did click on No Action, but the files did NOT get sent to Quarantine; they just stayed where they were and still are. No problem - as they did not interact with my Host file, I will wait for eSet to reply. Thanks again,"
As ITman said, No action is the same as ignore. ESET will do nothing to the detected threat whether it was a false positive, PUA, or a real threat; no action is no action.