Jump to content

Virus not detected when scanning specific file - only folder


Tino
 Share

Recommended Posts

Hi, 

I recently posted this thread: 

 

And now I have a similar problem: I regularly scan individual downloaded files, and one specific file was not detected as a virus, but scanning the folder ESET detects it as a trojan. The thread above was resolved - because it was about running a in depth scan or not. But here scanning a .exe directly showed no virus, while scanning a folder (right click -> scan) did.

 

I mailed ESET samples, but got no respones. I guess it was a false positive, now scanning the folder (new detection routine I guess) also yields no virus... but still. 1.) i'm still not sure whether it was a FP and 2) how come this scan behavior is so weird`?

 

Edited by Tino
Link to comment
Share on other sites

9 minutes ago, Tino said:

But here scanning a .exe directly showed no virus, while scanning a folder (right click -> scan) did.

Was the folder you scanned an archive?

Link to comment
Share on other sites

  • Administrators

Try running a scan with ecls.exe to rule out possible differences in scanning by using different scan profiles and scan optimization.

Ie. go to the folder C:\Program Files\ESET\ESET Security and run:

Ecls.exe %Path_To_The_File_To_Scan%

Is the file detected? Also please post the file here unless it's too big so that I can check if it's supposed to be detected or not.

Link to comment
Share on other sites

I believe I know what is going on here although the Eset log entires are in German.

You have both the original archive and a subsequent extracted .exe from it present in the Downloads folder.  Assuming you have ThreatSense set to Normal scanning, it is detecting apower-manager.apk as the Trojan component. It could not clean the archived version of it for some reason and only will block the extraction of it. If Strict cleaning was deployed, I assume Eset would have just deleted the entire archive.

It appears the extracted executable, apower-manager.exe is clean, hence no Eset scan alert for it. You can verify this by submitting the file to VirusTotal to see if any of the AV engines used there detect it as malware.

Edited by itman
Link to comment
Share on other sites

I will say this about this software, I would be leery of using it personally.

Here is a sample named apower-manager.exe that was submitted to Hybrid-Analysis last year: https://www.reverse.it/sample/6db7d567d84c205ad90c3924e120acea2c73d3830f631be87de613f2d4e5f539?environmentId=100 . It determined that it was 100% malicious. However, every vendor listed at VirusTotal determined the sample was clean.

I would submit your apower-manager.exe to Hybrid-Analysis for a scan and see what it finds.

Link to comment
Share on other sites

Hybrid Analysis results: whitelisted. but there were some malicious indicators. 

https://www.hybrid-analysis.com/sample/0ef232e127e0fbafb13db290e64cefb4025812ab307deaec69437fd480d1ab70

 

But this was not the file I used to actually install the program, that exact one was deleted by ESET back when I first found out about the apparent virus. I guess the one I submitted now is the same one though... 

Sorry but I still don't quite get what you said. First, you're talking about an "original archive". I believe that I did not even download an archive (i.e. zip file, correct?) but rather downloaded the exe file directly. Second, I'm not sure where apower-manager.apk comes from. Is it included in the exe?  Third, you said that it appears that the (extracted) executable was clean, so it was not detected. My problem is: There was something detected (the .apk) when scanning the overarching Downloads-folder, which resulted in the deletion of the executable. So how come there is nothing wrong with the executable?

 

Link to comment
Share on other sites

1 hour ago, Tino said:

Sorry but I still don't quite get what you said. First, you're talking about an "original archive". I believe that I did not even download an archive (i.e. zip file, correct?) but rather downloaded the exe file directly.

Thanks for the clarification.

Based on your above context-menu folder scan screen shot, apower-manager.exe is an installer. Note the "INNO" reference shown. More detail on that here: https://en.wikipedia.org/wiki/Inno_Setup . When Eset scanned the installer for files contained within, it found an archived(ZIP) file containing apower-manager.apk which it classified as Trojan based malware.

Why Eset did not the same detect Trojan when performing a context-menu scan on apower-manager.exe itself, my best guess is you did not clean the Trojan at the end of the previous folder scan? Eset internally recorded this decision for the file and did not redisplay the Trojan status.

What I would do is delete apower-manager.exe in your Downloads folder. Then download it again from your original source web site. Now perform an Eset context-menu scan on the downloaded file and see if Eset detects the same Trojan as shown previously.

 

Link to comment
Share on other sites

To get to the bottom of this, I went to the Apower web site here: https://www.apowersoft.com/phone-manager and downloaded apower-manager.exe.

I then performed an Eset context-menu scan on apower-manager.exe in my Downloads folder. Results shown below:

apower_exe.png.cd5999a3c67b96c9d4dd5da1fd345e99.png 

I then performed an Eset context-menu scan on the Downloads folder. Results shown below:

apower_documents.thumb.png.1dc24fea46de1cf33f3e15db22584f28.png

The bottom line is apower-manager.exe shows no malware by either context-menu scan method; individual file or folder. Therefore, I can't duplicate the activity you posted about.

Edited by itman
Link to comment
Share on other sites

Hi, sorry for my late Reply and thank you for your efforts.

 

On 1/18/2019 at 5:21 PM, itman said:

What I would do is delete apower-manager.exe in your Downloads folder. Then download it again from your original source web site. Now perform an Eset context-menu scan on the downloaded file and see if Eset detects the same Trojan as shown previously.

 

I had done that already. To keep an overview, here's the full story: On January 1st  I performed an in-depth scan of my entire computer. Then, to my surprise, A power manager.apk Was detected as a virus and hence a power manager.exe deleted.

Testing ESET Scan behavior round #1, 1st. January: Right away, I did what you suggested now and downloaded a power manager.exe from the original source website again. Performing two scans with routine 18636 resulted in the above logs: 

On 1/17/2019 at 8:48 PM, Tino said:

 

Only folder scanned:

1062848556_Routine18636.thumb.PNG.5007c765792b5081d2769c83091e37ab.PNG

 

Only specific file scanned:

 

697145759_Routine18636onlyspecificfile.PNG.00b2b4dca8b5f4720662e6e0da899ae8.PNG

 

Testing ESET Scan behavior round #2: When I started this thread on 15 January I again performed the scan that should have detected the file as a virus. It did not. I assume that is because the file was a false positive and ESET Has fixed this (new detection routine). That is why when you downloaded the file performed the two Scans, You could not replicate the behavior.

 

On 1/18/2019 at 5:21 PM, itman said:

Why Eset did not the same detect Trojan when performing a context-menu scan on apower-manager.exe itself, my best guess is you did not clean the Trojan at the end of the previous folder scan? Eset internally recorded this decision for the file and did not redisplay the Trojan status.

If ESET behaved this way, it would be highly problematic I believe. A virus should always be detected whether I Did remove it before or not.

And actually it was different: In " Testing ESET Scan behavior round #1" I first scanned the .exe file, no virus was detected, and then I scanned the download folder, and the virus was detected and removed.

 

So to summarize: 1.) The file seems to be nonmalicious. 2.) It seems to me that a file that was believed by ESET to be a virus Was only detected at that time when scanning in a particular way (Folder scan, not the individual file). Which I still find rather troubling.

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...