
EFI/COMPUTRACE



I understand that ESET cannot eliminate detection of the EFI/COMPUTRACE threat because it depends solely on the manufacturer of the machine, a BIOS update or Absolute Software.
The question is: why, on some machines, does it detect it as a UEFI threat, while on other machines it does not detect it even though it is active? Could it be because ESET detected unusual connections, or what other option could it be?


2 hours ago, Tatiana said:

Why, on some machines, does it detect it as a UEFI threat, while on other machines it does not detect it even though it is active?

Do all the devices have UEFI? Older PCs don't and just have a BIOS.


I was doing tests because this has happened to us before with some clients. All the tests I have done are on computers with UEFI. For example, a client has 1000 PCs and this happens on 50 of them, despite having the same configuration; in fact, in my test environment I have machines where I enable Computrace and have strict security options, and on some it is not detected and on others it is.

For that reason I have this doubt.


13 hours ago, Tatiana said:

in fact in my test environment I have machines where I enable the computrace

This might be a factor. Computrace and similar undesirable UEFI firmware is installed at the manufacturer's facility. Also, the only way to remove it is by re-flashing the firmware. Installing Computrace would not result in it being added to the firmware, as far as I am aware.

Finally, Eset's UEFI protection will only warn you that this type of undesirable feature exists. It does not remove it.


I understand that, as I said before. The exact doubt is: why is Computrace detected in some cases but not in others? I don't know if it depends on the Computrace version or on whether suspicious connections are detected.


  • Administrators

This particular detection requires detection of potentially unsafe applications to be enabled. That option is disabled by default, however, since it covers legitimate tools that may be misused in the wrong hands for malicious purposes.


3 hours ago, Marcos said:

This particular detection requires detection of potentially unsafe applications to be enabled. That option is disabled by default, however, since it covers legitimate tools that may be misused in the wrong hands for malicious purposes.

All the PCs I'm talking about have detection of potentially unsafe applications turned on, and some of them have the alert and the others don't.


55 minutes ago, Tatiana said:

All the PCs I'm talking about have detection of potentially unsafe applications turned on, and some of them have the alert and the others don't.

Personally, I don't believe this has anything to do with Eset detection but rather with how CompuTrace is implemented on the devices. Here are a couple of discussions of this topic:

https://www.bleepingcomputer.com/forums/t/522805/lenovo-thinkpad-t510-bios-computrace-by-absolute-software/

https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/BIOS-option-to-quot-permanently-disable-quot-Computrace/td-p/104500

Of note, its UEFI status:

Quote:

Disable = Permanently block the Computrace module interface.
Deactivate = Block the Computrace module interface (default).
Activate = Permit the Computrace module interface.

The Absolute Anti-Theft solution is presently Deactivated. Note that the Activate or Disable options will permanently Activate or Disable the feature and no further changes will be allowed.


On 3/7/2019 at 4:01 PM, itman said:

Personally, I don't believe this has anything to do with Eset detection but rather with how CompuTrace is implemented on the devices. Here are a couple of discussions of this topic:

https://www.bleepingcomputer.com/forums/t/522805/lenovo-thinkpad-t510-bios-computrace-by-absolute-software/

https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/BIOS-option-to-quot-permanently-disable-quot-Computrace/td-p/104500

Of note, its UEFI status:

In fact, most of the Lenovo machines have an option in the anti-theft module to disable the Computrace module, and it works well, because I have tried it on these machines. But others, like HP, which are the client's machines, do not. That's why I cannot deactivate it there.
The Lenovo machines I am testing with have the module turned on, and some are detected by ESET and others are not, taking into account that the scan and security options are active under the same conditions.


On 3/7/2019 at 9:12 PM, Marcos said:

Did you keep the default scheduled tasks intact? Especially the two startup scan tasks.

Yes, they are on the default configuration of the startup tasks.


1 hour ago, Tatiana said:

The Lenovo machines with which I am testing have the module turned on and some are detected by ESET and others are not

It appears it boils down to what Eset is detecting when it pertains to LoJax: https://www.eset.com/us/about/newsroom/corporate-blog/what-you-need-to-know-about-lojax-the-new-stealthy-malware-from-fancy-bear/.

In the Lenovo forum link I previously posted, Absolute, the software vendor, discusses how Computrace functions. Without its monitoring service:

Quote:

The Computrace service is purchased as a separate option and the monitoring Server will enable its agent security module through an interface provided by the BIOS. The Computrace tracking agent can only be used in the US, UK, Canada, and Australia. Computrace(R) and Absolute(R) are registered trademarks of Absolute Software Corporation.

it appears the code implemented in the UEFI firmware does nothing. It is assumed that the code in the firmware will only connect to Absolute's monitoring servers.

Note that the legitimate version of Computrace's firmware code is named LoJack. The malicious version is named LoJax. Here's an Eset technical write-up on LoJax: https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf . Bottom line: just because there are settings in a device's UEFI indicating Computrace is installed does not mean that you are infected with the LoJax malware.

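The post above separates the legitimate LoJack/Computrace firmware module from the LoJax rootkit, and the original question is why one host alerts while an identically configured sibling does not. The following triage script is an added example, not code from this thread, from ESET or from Absolute: it collects, per host, the state that determines whether a UEFI-resident module can exist and whether the Computrace agent or LoJax has left userland artefacts, so a fleet admin can compare the 50 alerting machines against the 950 silent ones. The dropped file names rpcnetp.exe and autochk.exe are the ones ESET's LoJax write-up describes the UEFI module writing to the Windows partition; the service name rpcnet and the file name rpcnet.exe are assumptions about the legitimate Absolute agent and may differ on your build. Run it elevated.

```powershell
# Added triage script (not from the thread, ESET or Absolute).
# Inventories per-host state relevant to an EFI/Computrace or LoJax alert so
# that alerting and non-alerting hosts can be compared side by side.

$report = [ordered]@{}
$report.Host = $env:COMPUTERNAME

# 1. Firmware mode. A legacy-BIOS host cannot carry a UEFI module at all, so
#    "Legacy" on its own explains a missing UEFI alert.
$report.FirmwareType = $env:firmware_type            # "UEFI" or "Legacy"

# 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS, hence the catch.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = "n/a ($($_.Exception.Message))" }

# 3. Vendor and firmware build. Group hosts by this before comparing alerts;
#    the firmware image, not the OS, is where the Computrace module lives.
$bios = Get-CimInstance -ClassName Win32_BIOS
$report.Manufacturer    = $bios.Manufacturer
$report.BIOSVersion     = $bios.SMBIOSBIOSVersion
$report.BIOSReleaseDate = $bios.ReleaseDate

# 4. Userland artefacts. ESET's LoJax paper describes the UEFI module dropping
#    rpcnetp.exe and a patched autochk.exe into the Windows partition; the
#    legitimate Absolute agent uses the same small-agent name. Service name
#    "rpcnet" and file "rpcnet.exe" are assumptions about the legitimate agent.
$sys32 = Join-Path $env:SystemRoot 'System32'
$report.RpcnetService = [bool](Get-Service -Name rpcnet -ErrorAction SilentlyContinue)

foreach ($name in 'rpcnetp.exe', 'rpcnet.exe') {
    $path = Join-Path $sys32 $name
    if (Test-Path -Path $path) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $report[$name] = "present; signature=$($sig.Status); signer=$($sig.SignerCertificate.Subject); sha256=$hash"
    } else {
        $report[$name] = 'absent'
    }
}

# 5. autochk.exe. A clean copy is Microsoft-signed (catalog) and its hash is
#    identical across hosts on the same Windows build; an outlier hash with a
#    non-Valid status is what to look at first.
$autochk = Join-Path $sys32 'autochk.exe'
$sig = Get-AuthenticodeSignature -FilePath $autochk
$report.AutochkSignature = $sig.Status
$report.AutochkSigner    = $sig.SignerCertificate.Subject
$report.AutochkSHA256    = (Get-FileHash -Path $autochk -Algorithm SHA256).Hash

# Emit one object per host so results can be collected and diffed centrally.
[pscustomobject]$report
```

Pipe the output to `Export-Csv -NoTypeInformation -Append` into a share and sort by BIOSVersion, FirmwareType and AutochkSHA256: a host that alerts while its firmware build and hashes match a silent host points at ESET's scan state on that endpoint, whereas a differing firmware build or an unsigned autochk.exe points at the device itself, which is the distinction itman draws above.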

Continuing my prior posting, I realized I didn't answer your question why Eset is detecting LoJax on some network notebook devices but not others.

My best guess is:

1. The attacker entered your network remotely; most likely via RDP.

2. The attacker dropped an undetected worm into the network.

In either case, the attacker was able to infect devices currently attached to the network.

So my assumption as to why some devices were not infected with LoJax is that they were not actively connected to the network at the time of the attack. Another possibility is that the uninfected devices are newer Lenovo notebooks. Lenovo has patched the UEFI to prevent a LoJax infection, although I have no direct knowledge that this is the case.


On 3/6/2019 at 7:46 PM, Tatiana said:

I was doing tests because this has happened to us before with some clients. All the tests I have done are on computers with UEFI. For example, a client has 1000 PCs and this happens on 50 of them, despite having the same configuration; in fact, in my test environment I have machines where I enable Computrace and have strict security options, and on some it is not detected and on others it is.

One final comment.

What you are doing is ill-advised, to say the least. Refer to the LoJax mitigation section of the Eset .pdf link I posted previously. Re-flashing the UEFI doesn't always remove LoJax, in which case the only alternative is to replace the motherboard.
