Archived

This topic is now archived and is closed to further replies.

cmit

Blocked EDTD? ntoskrnl.exe?

Recommended Posts

Could ESET experts help explain what these messages mean?

Same computer name, same infected file/message.
Infection identified changed from 'suspicious object' to 'blocked EDTD'.

Was it really a threat file that got deleted thanks to EDTD?
Would the ESET EndPoint Antivirus (without EDTD) still catch it?

My understanding is that ntoskrnl.exe could be related to BSOD, but I need confirmation.

[two screenshot attachments of the ESET detection entries]


The only files I have in that directory on Win 10 are .xml and .cdf-ms files.

15 minutes ago, itman said:

The only files I have in that directory on Win 10 are .xml and .cdf-ms files.

Which means....?

(this computer runs Win7 x64)


What I read on the web is that directory is used by both installers and Win Updates as basically a work directory during their respective processing. Also, both are supposedly responsible for cleanup; i.e. deletion of files in that directory.

Note that the last Win 7 cumulative update was pretty much a mess for a lot of devices. You will have to submit those files to Eset for analysis before a definitive verdict can be rendered on whether they are truly malicious.


Hi Guys,

This was identified as malicious; however, it's a false positive. We've added it to the whitelist so it won't trigger; however, we're investigating what happened, on which system, and why it was identified as malicious. The issue will be fixed properly after that investigation.

Anyway, to imagine the case where it was not a FP, to your questions:

Was it really a threat file that got deleted thanks to EDTD? - YES
Would the ESET EndPoint Antivirus (without EDTD) still catch it? - No, it would not. Only files which Endpoint identified as clean but "interesting" enough for further investigation are sent to EDTD.

5 hours ago, Matus said:

Hi Guys,

This was identified as malicious; however, it's a false positive. We've added it to the whitelist so it won't trigger; however, we're investigating what happened, on which system, and why it was identified as malicious. The issue will be fixed properly after that investigation.

Anyway, to imagine the case where it was not a FP, to your questions:

Was it really a threat file that got deleted thanks to EDTD? - YES
Would the ESET EndPoint Antivirus (without EDTD) still catch it? - No, it would not. Only files which Endpoint identified as clean but "interesting" enough for further investigation are sent to EDTD.

- Could you explain what this deleted 'false positive' file really is and what it does? (not sure if it's even related to the blue screen of death or to Windows Updates)
- Why did it reappear 3 times after it got deleted the first time?
- What negative effects might happen to this computer now that this 'false positive' has already been deleted (or will it reappear again)?

I noticed this same 'false positive' happened on two computers so far.


1, Since it was found in the WinSxS\temp\PendingRenames folder, judging from the name of the executable I assume it was created during a Windows update.

2, Probably because Windows update attempted to download and install it again and again.

3, Windows update should install it alright once it's not detected / blocked. Still, it's just a hunch that it was Windows update that generated the file.

1 hour ago, Marcos said:

3, Windows update should install it alright once it's not detected / blocked. Still, it's just a hunch that it was Windows update that generated the file.

I think that is a good assumption. On my Win 10 build for example, ntoskrnl.exe was updated as a result of the 4/9 cumulative update.

Whether the file deleted in C:\Windows\WinSxS\Temp could cause a blue screen is debatable. The only way I see this happening is if C:\Windows\System32\ntoskrnl.exe was deleted in the Win Updating processing and the file in C:\Windows\WinSxS\Temp was its replacement. Since Win Updating is performed in an isolated, off-line fashion, I really don't see how Eset in any fashion could have deleted the file prior to full completion of Win Updating processing. However, Win Updating on Win 7 is "pretty primitive" compared to that done on Win 10, so anything in this regard is possible.
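The thread leaves the practical question open: before a file that EDTD flagged under C:\Windows\WinSxS\Temp\PendingRenames is submitted to ESET (as Marcos and itman suggest), how does an administrator tell whether it is a genuine Microsoft binary staged by Windows Update? The following PowerShell triage is an added example, not code from the thread or from ESET. It assumes the staged file is named ntoskrnl.exe as in the screenshots, that the folder path is the one named in the thread, and that the script is run from an elevated prompt on the affected machine. Nothing here proves a file benign; it collects the facts (signature, version, hash, comparison with the live kernel) that make the "submit for analysis" decision and the submission itself better informed.

```powershell
# Added triage example (not from the forum thread). Assumptions: the flagged
# file is a copy of ntoskrnl.exe staged by Windows Update under the
# PendingRenames folder named in the thread; run elevated.

$StagedDir = 'C:\Windows\WinSxS\Temp\PendingRenames'   # folder named in the thread
$LivePath  = 'C:\Windows\System32\ntoskrnl.exe'        # the installed kernel

function Get-BinaryFacts {
    # Collect the facts a reviewer wants before deciding whether a binary
    # is a legitimate staged update: Authenticode status, signer, version, hash.
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    [pscustomobject]@{
        Path      = $File.FullName
        Bytes     = $File.Length
        Version   = $File.VersionInfo.FileVersion
        Company   = $File.VersionInfo.CompanyName
        SigStatus = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256    = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
    }
}

function Test-LooksLikeMicrosoftKernel {
    # Heuristic only: embedded Microsoft signature that validates, and the
    # version resource claims Microsoft. A signed-but-tampered file shows
    # HashMismatch; an unsigned or third-party-signed ntoskrnl.exe is a red flag.
    param([Parameter(Mandatory)]$Facts)
    ($Facts.SigStatus -eq 'Valid') -and
    ($Facts.Signer -match 'Microsoft') -and
    ($Facts.Company -match 'Microsoft')
}

$live = Get-BinaryFacts (Get-Item $LivePath)
Write-Host "Installed kernel:" ; $live | Format-List

$staged = Get-ChildItem -Path $StagedDir -Filter 'ntoskrnl*.exe' -File -ErrorAction SilentlyContinue
if (-not $staged) {
    Write-Host "No ntoskrnl*.exe in $StagedDir (already cleaned up or quarantined by the AV)."
    return
}

foreach ($f in $staged) {
    $facts = Get-BinaryFacts $f
    $facts | Format-List

    if ($facts.SHA256 -eq $live.SHA256) {
        Write-Host "-> byte-identical to the installed kernel; a leftover copy, not a threat."
    } elseif (Test-LooksLikeMicrosoftKernel $facts) {
        Write-Host "-> validly Microsoft-signed, version $($facts.Version) vs installed $($live.Version); consistent with a pending update."
    } else {
        Write-Host "-> signature/version does not look like a Microsoft kernel; keep the hash above and submit the file to ESET for analysis."
    }
}
```

Two caveats when reading the output. On older PowerShell builds Get-AuthenticodeSignature does not consult catalog files, so a catalog-signed system binary can report NotSigned even when legitimate; ntoskrnl.exe carries an embedded signature, but for other staged files a NotSigned result should be cross-checked (for example with Sysinternals sigcheck) rather than treated as proof of tampering. Second, the version comparison only says whether the staged copy is newer than the installed one; it does not say which update produced it, which is exactly the point Marcos called a hunch.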

