ML/Augur found by ESET NOD32 INSIDE an application .exe I use often

[test_bot 0]

Scanning files, NOD32 detected ML/Augur inside an executable I use often.  Do I clean this, or ignore it?  How the heck did ML/Augur get inside the .exe?  Why would ESET want to clean its own code (ML/Augur)?  Is ML/Augur the intellectual property of ESET?

Edited October 23, 2019 by test_bot
spelling in title

[Marcos 5,070]

Maybe it's a PUA and you have a similar (maybe new) variant of it. Please submit the detected file in an archive encrypted with the password "infected" to samples[at]eset.com.

For instructions, refer to  How to submit Suspicious file to ESET Research Lab via program GUI or How do I report a false positive or whitelist my software with ESET?

[itman 1,659]

On 10/23/2019 at 11:25 AM, Marcos said:

Maybe it's a PUA and you have a similar (maybe new) variant of it.

Augur appears to be flagging anything that displays malicious behavior whether its malicious or not. Worse, it will flag via a Smart scan. So the process doesn't even have to execute.

For example, yesterday I ran my first Smart scan under 13.0.22. It detected HitmanPro Alert's Test Tool as ML/Augur - trojan. Granted this is a security test tool that performs all kinds of simulated nasty malware behavior. If the detection was at attempted execution time, I could accept the detection. Note this file has existed on my disk for years w/o prior Eset detection issues.

Also, I have been receiving feedback via PM that many others are having their security test tools and the like being detected by Augur.

I am all for more aggressive Eset detection methods, but believe the best application for same is at execution time. 

Is the solution here to disable Advanced Heuristics on the Smart Scan?  

[Marcos 5,070]

4 hours ago, itman said:

For example, yesterday I ran my first Smart scan under 13.0.22. It detected HitmanPro Alert's Test Tool as ML/Augur - trojan. Granted this is a security test tool that performs all kinds of simulated nasty malware behavior. If the detection was at attempted execution time, I could accept the detection. Note this file has existed on my disk for years w/o prior Eset detection issues.

I've downloaded and installed HitmanPro and HitmanPro.Alert on a machine with v13 installed, ran a scan but no file was detected and blocked. Any details about the files that were detected? Ideally if you could provide them or at least SHA1.

[itman 1,659]

1 hour ago, Marcos said:

I've downloaded and installed HitmanPro and HitmanPro.Alert

I was referring to neither.

As previously stated, it is the test tool designed to test HitmanPro Alert although it can be used to test any security software. Here's a video by the developer of OSArmor using it to test his product: https://www.youtube.com/watch?v=2fUBOVbAHcE .

Appears Sophos has discontinued the tool's download availability. I can't find it anymore on their web site.

-EDIT- Found an older version of the tool here: https://www.softpedia.com/get/Security/Security-Related/Exploit-Test-Tool.shtml

Edited October 25, 2019 by itman

[itman 1,659]

@Marcos, here's the user manual for the test tool: https://dl.surfright.nl/Exploit Test Tool Manual.pdf . It's for ver. 1.6 of the tool. However aside from new tests added in later test tool versions, the operations involved in testing are the same.

You can save me some work by seeing how Augur performs against these tests. Of course, Augur first has to allow the tool to run.