
STEALTH.POLY.CRYPT.TSR.DRIVER virus. I've tried googling but can't find anything. Is this a false positive?



C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.348.1.9\amd64_microsoft-windows-f..cluster-agentserver_31bf3856ad364e35_10.0.17763.348_none_ace0266be373970d\r\fcsrv.exe    probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus

Eset discovered this on several of our computers this morning. Could this be a false positive? I've tried googling everywhere and even checking through the forums here.

Does anyone know about this? Thank you.


  • Administrators

If you check the file fcsrv.exe, I assume it's not an executable despite having the exe extension. You can submit it as per the instructions at https://support.eset.com/kb141/. However, such "FP's" may happen since the exe extension is deceptive in this case.

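One way to do the check the reply above describes (is a file with an .exe extension really a Windows executable?), as an added Python example that is not from this thread or from ESET: it validates the DOS "MZ" stub and the "PE\0\0" signature it points to, and computes a SHA-256 you can look up on VirusTotal. The two byte strings at the bottom are constructed samples, not the real fcsrv.exe; only the path constant comes from the original post.

```python
import hashlib
import struct
from pathlib import Path

# Path named in the original post (kept verbatim from the thread).
FCSRV_PATH = r"C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.348.1.9\amd64_microsoft-windows-f..cluster-agentserver_31bf3856ad364e35_10.0.17763.348_none_ace0266be373970d\r\fcsrv.exe"


def is_pe_image(data: bytes) -> bool:
    """True only if the bytes start with a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def describe(data: bytes) -> dict:
    """Summarise a blob: real PE or not, leading magic bytes, and a SHA-256 for a VirusTotal lookup."""
    return {
        "is_pe": is_pe_image(data),
        "magic": data[:4].hex(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def describe_path(path: str = FCSRV_PATH) -> dict:
    """Read a file from disk and describe it (only meaningful on a Windows host that has the path)."""
    return describe(Path(path).read_bytes())


# Constructed samples, not real files: a minimal fake PE header and a text payload with no PE structure.
_hdr = bytearray(b"MZ" + b"\x00" * 62)
struct.pack_into("<I", _hdr, 0x3C, 0x40)           # e_lfanew -> offset 0x40
FAKE_PE = bytes(_hdr) + b"PE\x00\x00" + b"\x00" * 20
NOT_PE = b'<?xml version="1.0"?><assembly/>'        # looks nothing like an executable

if __name__ == "__main__":
    for name, blob in (("fake_pe.exe", FAKE_PE), ("fcsrv.exe (constructed)", NOT_PE)):
        info = describe(blob)
        verdict = "real PE image" if info["is_pe"] else "NOT a PE image (extension is misleading)"
        print(f"{name}: magic={info['magic']} {verdict} sha256={info['sha256']}")
```

On a host that has the file, `describe_path()` with no argument runs the same check against the path from the post.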

File exists on my Win 10 1809 build, and I just performed an Eset Context scan on it and it came up clean. Eset detection appears to relate to ransomware origins. Definitely a strange location for malware to be located, in that I would think that Win directory can only be accessed via some type of Win Update installation. Submit file to Virus Total for a scan and see what is detected.


Edited by itman

Thank you for the replies. I did submit it, but I figured I would ask on here just in case anyone had any input.

It is weird because I have the same exact file path and .exe on my computer. I scanned the file with Eset and nothing came up.


  • Administrators

As expected, it's not an executable but has the exe extension, which triggers heuristics on it. The file is not currently detected.


As far as this goes:

Quote

probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus

All I could find were questionable references to it being something RDP related used in DoS attacks.


  • 2 weeks later...

Pretty sure this is a false positive. I'm testing an image I'm building that I made yesterday. It's been on the network all of 30 minutes? Joined the domain, installed KACE SMA, and ESET. The next inventory that occurred got the same exact virus warning. A coworker also got this AV warning a few weeks back, and we weren't really able to pinpoint what it was for, but at this point, a new machine getting the same AV warning after 30 minutes? Pretty sure this is a false positive. I also submitted the issue to ESET and have yet to receive any sort of reply.

Quote

All I could find is questionable references to it being something RDP related used in DoS attacks.

I found something about it being part of Failover manager, however the VM I'm working on doesn't have failover manager installed.

Edited by Lartic

I believe this is one of the detections Eset uses when it detects a suspicious driver. Here's a 2013 Eset posting where it was flagging a Windows Defender engine related file: https://forum.eset.com/topic/990-windows-defender-false-positive/ . In this case, it was positively identified as a FP.
