RocknRollRobot 0 Posted March 4, 2019 Share Posted March 4, 2019 C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.348.1.9\amd64_microsoft-windows-f..cluster-agentserver_31bf3856ad364e35_10.0.17763.348_none_ace0266be373970d\r\fcsrv.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus Eset discovered this on several of our computers this morning, could this be a false positive? I've tried googling everywhere and even checking through the forums here. Does anyone know about this? Thank you. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted March 4, 2019 Administrators Share Posted March 4, 2019 If you check the file fcsrv.exe I assume it's not an executable despite it has the exe extension. You can submit it as per the instructions as per https://support.eset.com/kb141/. However, such "FP's" may happen since the exe extension is deceptive in this case. Link to comment Share on other sites More sharing options...
itman 1,707 Posted March 4, 2019 Share Posted March 4, 2019 (edited) File exists on my Win 10 1809 build and just performed an Eset Context scan on it and it came up clean. Eset detection appears to relate to ransomware origins. Definitely a strange location for malware to be located in that I would think that Win directory can only be accessed via some type of Win Update installation. Submit file to Virus Total for a scan and see what is detected. Edited March 4, 2019 by itman Link to comment Share on other sites More sharing options...
RocknRollRobot 0 Posted March 4, 2019 Author Share Posted March 4, 2019 Thank you for the replies. I did submit it, but I figure I would ask on here just in case anyone had any input. It is weird because I have the same exact file path and .exe on my computer. I scanned the file with Eset and nothing came up. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted March 4, 2019 Administrators Share Posted March 4, 2019 As expected, it's not an executable but has the exe extensions which triggers heuristics on it. The file is not currently detected. Link to comment Share on other sites More sharing options...
itman 1,707 Posted March 4, 2019 Share Posted March 4, 2019 As far as this goes: Quote probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus All I could find is questionable references to it being something RDP related used in DoS attacks. Link to comment Share on other sites More sharing options...
Lartic 0 Posted March 15, 2019 Share Posted March 15, 2019 (edited) Pretty sure this is a false positive. I'm testing an image I'm building that I made yesterday. It's been on the network all of an 30 minutes? Joined the domain, installed KACE SMA, and ESET. Next inventory that occurred got the same exact virus warning. A coworker also got this AV warning a few weeks back, and we weren't really able to pin point what it was for, but at this point, a new machine getting the same AV warning after 30 minutes? Pretty sure this is a false positive. I also submitted the issue to ESET and have yet to receive any sort of reply. Quote All I could find is questionable references to it being something RDP related used in DoS attacks. I found something about it being part of Failover manager, however the VM I'm working on doesn't have failover manager installed. Edited March 15, 2019 by Lartic Link to comment Share on other sites More sharing options...
itman 1,707 Posted March 15, 2019 Share Posted March 15, 2019 I believe this one of the detections Eset uses when it detects a suspicious driver. Here's a 2013 Eset posting where it was flagging Windows Defender engine related file: https://forum.eset.com/topic/990-windows-defender-false-positive/ . In this case, it was positively identified as a FP. Link to comment Share on other sites More sharing options...
Recommended Posts