Tino, posted January 15, 2019 (edited)
Hi, I recently posted this thread: And now I have a similar problem: I regularly scan individual downloaded files, and one specific file was not detected as a virus, but when scanning the folder ESET detects it as a trojan. The thread above was resolved - because it was about running an in-depth scan or not. But here scanning a .exe directly showed no virus, while scanning a folder (right click -> scan) did. I mailed ESET samples, but got no response. I guess it was a false positive; now scanning the folder (new detection routine, I guess) also yields no virus... but still. 1) I'm still not sure whether it was a FP, and 2) how come this scan behavior is so weird?
itman, posted January 15, 2019
Tino said (9 minutes ago): "But here scanning a .exe directly showed no virus, while scanning a folder (right click -> scan) did."
Was the folder you scanned an archive?
Marcos (Administrator), posted January 15, 2019
Try running a scan with ecls.exe to rule out possible differences in scanning caused by different scan profiles and scan optimization. I.e. go to the folder C:\Program Files\ESET\ESET Security and run:
Ecls.exe %Path_To_The_File_To_Scan%
Is the file detected? Also please post the file here, unless it's too big, so that I can check whether it's supposed to be detected or not.
Tino (author), posted January 16, 2019
@itman: No, the folder was a regular one, the "Downloads" folder. I could post both logs if you want.
@Marcos: done, nothing was detected. I zipped the file to upload it. Here you go: possible false positive_apower-manager.zip
Marcos (Administrator), posted January 16, 2019
The file is not detected and I don't see any reason why it should be. Please provide a screenshot of the detection.
Tino (author), posted January 17, 2019
Only folder scanned: (screenshot)
Only specific file scanned: (screenshot)
itman, posted January 17, 2019 (edited)
I believe I know what is going on here, although the Eset log entries are in German. You have both the original archive and a subsequent extracted .exe from it present in the Downloads folder. Assuming you have ThreatSense set to Normal scanning, it is detecting apower-manager.apk as the Trojan component. It could not clean the archived version of it for some reason and will only block the extraction of it. If Strict cleaning were deployed, I assume Eset would have just deleted the entire archive. It appears the extracted executable, apower-manager.exe, is clean, hence no Eset scan alert for it. You can verify this by submitting the file to VirusTotal to see whether any of the AV engines used there detect it as malware.
itman, posted January 18, 2019
I will say this about this software: I would be leery of using it personally. Here is a sample named apower-manager.exe that was submitted to Hybrid-Analysis last year: https://www.reverse.it/sample/6db7d567d84c205ad90c3924e120acea2c73d3830f631be87de613f2d4e5f539?environmentId=100 . It determined that it was 100% malicious. However, every vendor listed at VirusTotal determined the sample was clean. I would submit your apower-manager.exe to Hybrid-Analysis for a scan and see what it finds.
Tino (author), posted January 18, 2019
Hybrid Analysis results: whitelisted, but there were some malicious indicators. https://www.hybrid-analysis.com/sample/0ef232e127e0fbafb13db290e64cefb4025812ab307deaec69437fd480d1ab70
But this was not the file I used to actually install the program; that exact one was deleted by ESET back when I first found out about the apparent virus. I guess the one I submitted now is the same one, though...
Sorry, but I still don't quite get what you said. First, you're talking about an "original archive". I believe that I did not even download an archive (i.e. a zip file, correct?) but rather downloaded the exe file directly. Second, I'm not sure where apower-manager.apk comes from. Is it included in the exe? Third, you said that it appears that the (extracted) executable was clean, so it was not detected. My problem is: there was something detected (the .apk) when scanning the overarching Downloads folder, which resulted in the deletion of the executable. So how come there is nothing wrong with the executable?
itman, posted January 18, 2019
Tino said (1 hour ago): "Sorry, but I still don't quite get what you said. First, you're talking about an "original archive". I believe that I did not even download an archive (i.e. a zip file, correct?) but rather downloaded the exe file directly."
Thanks for the clarification. Based on your above context-menu folder scan screenshot, apower-manager.exe is an installer. Note the "INNO" reference shown. More detail on that here: https://en.wikipedia.org/wiki/Inno_Setup . When Eset scanned the installer for files contained within, it found an archived (ZIP) file containing apower-manager.apk, which it classified as Trojan-based malware. Why Eset did not detect the same Trojan when performing a context-menu scan on apower-manager.exe itself, my best guess is that you did not clean the Trojan at the end of the previous folder scan? Eset internally recorded this decision for the file and did not redisplay the Trojan status.
What I would do is delete apower-manager.exe in your Downloads folder. Then download it again from your original source web site. Now perform an Eset context-menu scan on the downloaded file and see if Eset detects the same Trojan as shown previously.
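To make the ecls.exe check Marcos suggested reproducible, and to test the archive explanation itman gives above, here is an added PowerShell script (not from this thread and not ESET's own tooling) that scans the single file and then its parent folder with identical, explicit ecls.exe settings and compares the two results. The ecls.exe path, the switches (/log-file, /log-all, /clean-mode, /arch, /sfx, /max-arch-level) and the exit-code meanings are taken from my reading of ESET's ecls documentation and are assumptions to confirm against `ecls.exe /help` on your installation.

```powershell
# Added example: compare an ecls.exe scan of one file with a scan of its folder.
# Assumptions (verify with "ecls.exe /help"): the switches used below exist, and
# exit codes mean 0 = no threat, 1 = threat found and cleaned, 10 = some files
# could not be scanned, 50 = threat found, 100 = error.
param(
    [Parameter(Mandatory)] [string] $File,
    [string] $Ecls = 'C:\Program Files\ESET\ESET Security\ecls.exe'
)

$exitMeaning = @{ 0 = 'no threat'; 1 = 'threat found and cleaned'
                  10 = 'some files could not be scanned'; 50 = 'threat found'; 100 = 'error' }

function Invoke-EclsScan {
    param([string] $Target, [string] $LogFile)
    # /clean-mode=none only reports, so the first run cannot alter the file before the
    # second run; /arch and /sfx make archive and self-extractor (installer) contents
    # part of the scan, which is where the nested .apk would live.
    $argList = @("/log-file=`"$LogFile`"", '/log-all', '/clean-mode=none',
                 '/arch', '/sfx', '/max-arch-level=10', "`"$Target`"")
    $p = Start-Process -FilePath $Ecls -ArgumentList $argList -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

$file      = (Resolve-Path $File).Path
$folder    = Split-Path $file -Parent
$fileLog   = Join-Path $env:TEMP 'ecls-file.log'
$folderLog = Join-Path $env:TEMP 'ecls-folder.log'

$fileCode   = Invoke-EclsScan -Target $file   -LogFile $fileLog
$folderCode = Invoke-EclsScan -Target $folder -LogFile $folderLog

"File scan:   exit $fileCode ($($exitMeaning[$fileCode]))"
"Folder scan: exit $folderCode ($($exitMeaning[$folderCode]))"

# /log-all records every scanned object, so a detection's full path inside the
# installer (installer -> inner ZIP -> .apk) is visible. Compare only the log lines
# that mention the file under test, since the folder log also covers its siblings.
$name       = Split-Path $file -Leaf
$fileHits   = Select-String -Path $fileLog   -Pattern ([regex]::Escape($name)) | ForEach-Object Line
$folderHits = Select-String -Path $folderLog -Pattern ([regex]::Escape($name)) | ForEach-Object Line
$diff = Compare-Object $fileHits $folderHits
if ($diff) { "Log lines differ between the two scans:"; $diff | Format-Table -AutoSize }
else       { "Both scans logged the same entries for $name" }
```

If the exit codes or the per-object log lines differ, the difference comes from scan settings (archive depth, self-extractor handling, a previously recorded cleaning decision), not from the file; identical results point to a detection that has since been removed from the engine.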
itman, posted January 18, 2019 (edited)
To get to the bottom of this, I went to the Apower web site here: https://www.apowersoft.com/phone-manager and downloaded apower-manager.exe. I then performed an Eset context-menu scan on apower-manager.exe in my Downloads folder. Results shown below: (screenshot)
I then performed an Eset context-menu scan on the Downloads folder. Results shown below: (screenshot)
The bottom line is that apower-manager.exe shows no malware by either context-menu scan method, individual file or folder. Therefore, I can't duplicate the activity you posted about.
Tino (author), posted January 21, 2019
Hi, sorry for my late reply and thank you for your efforts.
itman said (on 1/18/2019 at 5:21 PM): "What I would do is delete apower-manager.exe in your Downloads folder. Then download it again from your original source web site. Now perform an Eset context-menu scan on the downloaded file and see if Eset detects the same Trojan as shown previously."
I had done that already. To keep an overview, here's the full story: On January 1st I performed an in-depth scan of my entire computer. Then, to my surprise, apower-manager.apk was detected as a virus and hence apower-manager.exe deleted.
Testing ESET scan behavior round #1, 1st January: Right away, I did what you suggested now and downloaded apower-manager.exe from the original source website again. Performing two scans with routine 18636 resulted in the above logs:
Tino said (on 1/17/2019 at 8:48 PM): "Only folder scanned: Only specific file scanned:"
Testing ESET scan behavior round #2: When I started this thread on 15 January I again performed the scan that should have detected the file as a virus. It did not. I assume that is because the file was a false positive and ESET has fixed this (new detection routine). That is why, when you downloaded the file and performed the two scans, you could not replicate the behavior.
itman said (on 1/18/2019 at 5:21 PM): "Why Eset did not detect the same Trojan when performing a context-menu scan on apower-manager.exe itself, my best guess is that you did not clean the Trojan at the end of the previous folder scan? Eset internally recorded this decision for the file and did not redisplay the Trojan status."
If ESET behaved this way, it would be highly problematic, I believe. A virus should always be detected, whether I did remove it before or not.
And actually it was different: in "Testing ESET scan behavior round #1" I first scanned the .exe file, no virus was detected, and then I scanned the Downloads folder, and the virus was detected and removed. So to summarize: 1) The file seems to be non-malicious. 2) It seems to me that a file that was believed by ESET to be a virus was only detected at that time when scanning in a particular way (folder scan, not the individual file), which I still find rather troubling.