Nightowl (Most Valued Members), posted July 25, 2019:

Hello, I am encountering a Dell Optiplex 5250 (AIO). When enabling the unsafe applications scan and scanning the UEFI (Deep Scan), it shows me a variant of EFI.CompuTrace.A, while the startup scan doesn't. So I understood that the BIOS is very old and should be updated, so I went to the Dell website and downloaded the latest BIOS, which is from July 2019. I flashed the up-to-date BIOS and scanned again; ESET still detects CompuTrace. Can anyone explain to me more about CompuTrace? Thanks.
Marcos (Administrators), posted July 25, 2019:

For more information, please refer to:
https://support.eset.com/kb6567/
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
Nightowl (Most Valued Members, author), posted July 25, 2019 (edited):

7 minutes ago, Marcos said:
    For more information, please refer to:
    https://support.eset.com/kb6567/
    https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
    https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

I will try to begin with Secure Boot and try again. Do you know why it doesn't get detected in the Startup scan? Thanks for the information, Marcos.

Edited July 25, 2019 by Rami
Nightowl (Most Valued Members, author), posted July 25, 2019:

@Marcos, Secure Boot didn't fix it, and the BIOS is up-to-date. There is nothing I can do about it, right? Old piece of hardware?
Marcos (Administrators), posted July 25, 2019:

Just now, Rami said:
    @Marcos, Secure Boot didn't fix it, and the BIOS is up-to-date. There is nothing I can do about it, right? Old piece of hardware?

It happens that vendors don't provide an updated UEFI firmware without CompuTrace. In such a case, the only solution is to exclude the pot. unsafe application from detection by its detection name, as suggested in the KB.
Nightowl (Most Valued Members, author), posted July 25, 2019:

6 minutes ago, Marcos said:
    It happens that vendors don't provide an updated UEFI firmware without CompuTrace. In such a case, the only solution is to exclude the pot. unsafe application from detection by its detection name, as suggested in the KB.

Ok, thank you for the assistance.
itman, posted July 25, 2019 (edited):

On 7/25/2019 at 11:17 AM, Rami said:
    So I understood that the BIOS is very old and should be updated, so I went to the Dell website and downloaded the latest BIOS, which is from July 2019. I flashed the up-to-date BIOS and scanned again; ESET still detects CompuTrace. Can anyone explain to me more about CompuTrace?

CompuTrace on Dell PCs can be disabled via a BIOS/UEFI setting. Since you just updated your UEFI(?), the setting might now be called "Absolute." Refer to this Dell article: https://www.dell.com/support/article/us/en/04/sln316123/computrace-replaced-by-absolute-module-in-newest-bios-revisions?lang=en and other related articles on the Dell support web site.

BTW - old hardware only uses a BIOS. Newer hardware contains both a BIOS and UEFI. Lojax and like malware only affect the UEFI.

-EDIT- Eset's classification of Computrace is correct. It is a potentially unwanted application, as contrasted to Lojax, which is malware.

Edited July 27, 2019 by itman
itman, posted July 27, 2019:

Also, there is some confusion about terminology. Computrace was originally named Lojack. There is a Trojanized malware version of Lojack, which Eset names "Lojax", that is creating the confusion:

Quote:
    Starting in at least early 2017, trojanized versions of an older userland agent of the popular LoJack anti-theft software from Absolute Software were found in the wild. We call this trojanized LoJack agent LoJax. LoJack attracted a lot of attention in recent years as it implements a UEFI/BIOS module as a persistence mechanism.
    https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

Of note is that Eset's detection for the malware version is LoJack agent LoJax.
Nightowl (Most Valued Members, author), posted July 28, 2019:

10 hours ago, itman said:
    Also, there is some confusion about terminology. Computrace was originally named Lojack. There is a Trojanized malware version of Lojack, which Eset names "Lojax", that is creating the confusion: https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf Of note is that Eset's detection for the malware version is LoJack agent LoJax.

ESET is detecting CompuTrace, as far as I see, because it's set in the BIOS. Even though it's deactivated, it's still the same. There is an option to disable it; I will try that and scan again.
Nightowl (Most Valued Members, author), posted July 28, 2019:

37 minutes ago, Rami said:
    ESET is detecting CompuTrace, as far as I see, because it's set in the BIOS. Even though it's deactivated, it's still the same. There is an option to disable it; I will try that and scan again.

Even as Disabled, it's still getting detected.
Marcos (Administrators), posted July 28, 2019:

2 minutes ago, Rami said:
    Even as Disabled, it's still getting detected.

You have 2 options:
- disable detection of potentially unsafe applications
- exclude the app by the detection name
Nightowl (Most Valued Members, author), posted July 28, 2019:

Just now, Marcos said:
    You have 2 options:
    - disable detection of potentially unsafe applications
    - exclude the app by the detection name

Yes, I understood that from your earlier post, but I thought that if I disabled it in the BIOS (it was set as Deactivated) the detection would disappear. Thanks again.
itman, posted July 28, 2019 (edited):

5 hours ago, Rami said:
    Yes, I understood that from your earlier post, but I thought that if I disabled it in the BIOS (it was set as Deactivated) the detection would disappear. Thanks again.

Did a bit more checking. It appears that once Computrace is activated in the BIOS/UEFI, there is no way to permanently disable it. This actually is by design, to prevent whoever stole your laptop, etc. from doing the same. It also appears that the setting is controlled by the chip firmware itself, and reflashing the BIOS/UEFI won't deactivate it.

Edited July 28, 2019 by itman
Nightowl (Most Valued Members, author), posted July 28, 2019:

5 minutes ago, itman said:
    Did a bit more checking. It appears that once Computrace is activated in the BIOS/UEFI, there is no way to permanently disable it. This actually is by design, to prevent whoever stole your laptop, etc. from doing the same. It also appears that the setting is controlled by the chip firmware itself, and reflashing the BIOS/UEFI won't deactivate it.

Yeah, once you disable it you can't enable it either. The PC was set as deactivated when ESET detected it; disabling didn't help that much. I could understand that, because the code of CompuTrace is still in the BIOS even though it's disabled. I can understand it's Dell's ..
itman, posted July 28, 2019:

1 hour ago, Rami said:
    I can understand it's Dell's ..

Contact Dell support. They might have a special firmware flash utility or procedure to deactivate it. I would imagine this would require you proving to them that you are the real owner of the device. Also, if the chip is not soldered to the motherboard, they could send you a new chip. Chip replacement is dicey.
Nightowl (Most Valued Members, author), posted July 28, 2019:

17 minutes ago, itman said:
    Contact Dell support. They might have a special firmware flash utility or procedure to deactivate it. I would imagine this would require you proving to them that you are the real owner of the device. Also, if the chip is not soldered to the motherboard, they could send you a new chip. Chip replacement is dicey.

I will check about that. Thanks again.