Archived

This topic is now archived and is closed to further replies.

PassingBy

Stalking PUA notifications after update

Hi there,

After the update I am receiving hundreds of PUA notifications (one every 6 or 7 seconds) for the same apps. All of them with "AugurML" and in particular associated to IOBIT products and utorrent.

Is there any way to stop this? It is driving me mad. The more I click ignore, the more it pops up again.

Augur.png

1 hour ago, PassingBy said:

Hi there,

After the update I am receiving hundreds of PUA notifications (one every 6 or 7 seconds) for the same apps. All of them with "AugurML" and in particular associated to IOBIT products and utorrent.

Is there any way to stop this? It is driving me mad. The more I click ignore, the more it pops up again.

Augur.png

If you click ignore or advanced, is there an option to ignore for good? There have been a few users bringing up utorrent alerts.


Could you please post the appropriate record from the detection log? (the whole row)

I've downloaded utorrent.exe and also tried to run manual update, however, I was not able to reproduce the ML/Augur detection. The application is detected as Win32/uTorrent.C potentially unwanted application and also contains WebCompanion PUA.


I am starting to see a common denominator as far as these Augur detections of uTorrent. That is, uTorrent is running from the AppData\Roaming directory.

@Marcos, check where uTorrent is running from on your installation.

One possibility is Augur has been trained to apply more aggressive detection methods for anything running from the user's AppData directory. Makes sense to me since the user AppData directory is a favorite spot for malware to run from.

Also a bit odd in this particular detection was that runtimebroker.exe was running uTorrent from the AppData\Roaming directory. That also might "have caught" Augur's attention.

Of note in regards to runtimebroker:

Quote

If you’ve just logged into Windows 8 or Windows 10 and haven’t run any apps yet, you probably won’t see RuntimeBroker.exe running yet. RuntimeBroker.exe gets triggered by Universal apps, and if the process ends, all currently open apps will immediately fully close.

So what does it do? Well, the Runtime Broker handles checking if an app is declaring all of its permissions (like accessing your Photos) and informing the user whether or not it’s being allowed. In particular, it is interesting to see how it functions when paired with access to hardware, such as an app’s ability to take webcam snapshots. Think of it as the middleman between your apps and your privacy/security.

https://www.groovypost.com/howto/runtimebroker-exe-process-windows-8-running/

In other words, a Win 10 Store downloaded app.


I'm unable to reproduce the Augur detection on utorrent.exe in the ProgramData folder. We don't have detections that would differ depending on the folder a file is located in.

image.png

4 hours ago, Marcos said:

I'm unable to reproduce the Augur detection on utorrent.exe in the ProgramData folder.

Check if uTorrent is running as a child process of RuntimeBroker.exe.

I am starting to believe Augur is flagging the Google store version.

-EDIT- Also make sure you run uTorrent.exe. Starting to believe Augur detection is only upon process startup.

21 hours ago, peteyt said:

If you click ignore or advanced, is there an option to ignore for good? There have been a few users bringing up utorrent alerts.

The reason why they do not get ignored resides in the fact that ESET does not specify whether they are threats or not and the PUA classification is not enough to make me want to ignore them. So I'd rather monitor them as they send outbound or receive inbound data. If the way ESET classifies these threats was clearer I'd have long ignored them.

20 minutes ago, itman said:

Check if uTorrent is running as a child process of RuntimeBroker.exe.

I am starting to believe Augur is flagging the Google store version.

Both uTorrent and Hitman (the other software showing the issue) reside in user/appdata/roaming.

I'll try to post a log tomorrow

Hitman.png

1 hour ago, PassingBy said:

Both uTorrent and Hitman (the other software showing the issue) reside in user/appdata/roaming.

Anything that accesses uTorrent.exe will trigger the PUA alert. In this instance, it was HitmanPro.

At this point, the only way to stop the alert is to create a real-time exclusion for uTorrent.exe by file hash or Eset detection: https://help.eset.com/eis/13/en-US/idh_detection_exclusions.html
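
The checks suggested in the posts above (where uTorrent runs from, whether RuntimeBroker.exe is its parent, and the file hash for a hash-based exclusion), as an added PowerShell example that is not part of the thread or ESET's tooling. The image name uTorrent.exe is taken from the thread; which hash algorithm the exclusion dialog expects is not stated there, so both SHA-1 and SHA-256 are reported.

```powershell
# Added example (not from the thread): report where uTorrent runs from, its
# parent process, and the file hashes a hash-based exclusion would need.
# Assumption: the process image is named uTorrent.exe, as in the thread.
$imageName = 'uTorrent.exe'
$roaming   = $env:APPDATA          # resolves to ...\AppData\Roaming

$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = '$imageName'")
if ($procs.Count -eq 0) {
    Write-Warning "$imageName is not running; start it and run this again."
}

foreach ($p in $procs) {
    # The parent may have exited, and its PID may have been reused since.
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) {
        $parent = $null            # PID reused by a younger process: not the real parent
    }

    # ExecutablePath is empty when the caller lacks rights to query the process.
    $path = $p.ExecutablePath
    $sha1 = $null; $sha256 = $null; $inRoaming = $null
    if ($path) {
        $inRoaming = $path.StartsWith($roaming, [System.StringComparison]::OrdinalIgnoreCase)
        $sha1   = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        ProcessId      = $p.ProcessId
        Path           = $path
        UnderRoaming   = $inRoaming
        ParentName     = if ($parent) { $parent.Name } else { '<exited or unknown>' }
        ParentIsBroker = [bool]($parent -and $parent.Name -ieq 'RuntimeBroker.exe')
        SHA1           = $sha1
        SHA256         = $sha256
    }
}
```

Hash-based exclusions stop matching as soon as the application updates its executable, so the hashes need to be collected again after each update.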

4 hours ago, PassingBy said:

The reason why they do not get ignored resides in the fact that ESET does not specify whether they are threats or not and the PUA classification is not enough to make me want to ignore them. So I'd rather monitor them as they send outbound or receive inbound data. If the way ESET classifies these threats was clearer I'd have long ignored them.

Eset is not alone in flagging of uTorrent:

Quote

According to Microsoft, uTorrent has a poor reputation and negatively impacts the performance of your system. The “dangerous” uTorrent executable is quarantined by Windows Defender, preventing it from operating. You can override this action and return uTorrent functional status. Microsoft isn’t alone in flagging uTorrent as malware. NOD32, Sophos, TrendMicro, and others also detect uTorrent as dangerous.

https://www.extremetech.com/computing/267410-microsoft-begins-flagging-utorrent-as-malware


Many do. Like they do with many websites, not always for good reasons. At times they do contain miners. But the problem here is not much the detection but the unbearable amount of notifications due to the lack of a simple option that does not remove the threat but rather simply mutes the specific warning. I swear it is unbearable. More in general, what I do not appreciate about this behavior is the fact that ESET is not telling me whether the threat is real or not. That would allow me to take action (remove the software or leave it and ignore). Same problem with Iobit software (Uninstaller and drive updater). It keeps notifying elements of those as PUAs without telling me whether there is a threat or not. Put simply, the data is not enough to take a decision and this forces me (and maybe other users) to keep these in a limbo. It is a problem I never had before.

Now it is doing the same with my attempt to download and install Bit-Torrent

Bit torrent.png


That is correct, utorrent.exe is detected as a potentially unwanted application. In order to exclude it from detection completely, check "Exclude signature from detection" and click Ignore.

PUAs are not threats. For more information about what PUAs are, read https://support.eset.com/kb2629/.

9 hours ago, PassingBy said:

Now it is doing the same with my attempt to download and install Bit-Torrent

Bit torrent.png

Yeah, that is normal as it's a potentially unwanted application. These programs are not viruses but there may be a risk using them. These programs may come with extra unwanted stuff and may have bad business practises, e.g. pester users, capture information they shouldn't, dubious marketing etc.

You can disable detection of these. When enabled it is down to the user to decide if they want to use the program. You can exclude it in the options if not. Googling software you will probably have people talking about the reasons AVs have marked it as PUAs and then you can decide yourself.

On 10/28/2019 at 10:53 AM, peteyt said:

Yeah, that is normal as it's a potentially unwanted application. These programs are not viruses but there may be a risk using them. These programs may come with extra unwanted stuff and may have bad business practises, e.g. pester users, capture information they shouldn't, dubious marketing etc.

You can disable detection of these. When enabled it is down to the user to decide if they want to use the program. You can exclude it in the options if not. Googling software you will probably have people talking about the reasons AVs have marked it as PUAs and then you can decide yourself.

I removed uTorrent just to have this stopping. As I said in my previous posts, I can't ignore a PUA if I do not have enough information on what it is doing on my machine and ESET does not help in that. I find this lack of explanatory power appalling because it generates a grey zone where the user does not know what to do with all these PUAs.

On 10/28/2019 at 6:12 AM, Marcos said:

That is correct, utorrent.exe is detected as a potentially unwanted application. In order to exclude it from detection completely, check "Exclude signature from detection" and click Ignore.

PUAs are not threats. For more information about what PUAs are, read https://support.eset.com/kb2629/.

Hi Marcos,

I understand this and I do when possible. In this case, the notification started after the update. So user side, the question is whether Augur is now seeing things previous versions of ESET didn't see or whether that PUA is simply just another of those vaguely potential threats. As I said in my previous replies to other users, this creates a grey zone where the user does not know what to do. I removed uTorrent and did not install BitTorrent (also because ESET seemed to stop some part of the process, which is, again, something I do not like). What ESET is missing in my opinion is a clear identification of threats as far as PUAs are concerned. Something either is a threat or it isn't. The other issue is how the window showing them is represented. Once again, the pop up window does not allow for a full visual of the threat and the path where it is located (you can't enlarge the window). Yet, ESET asks you which course of action you want to take. It is not a nice experience.

2 hours ago, PassingBy said:

Hi Marcos,

I understand this and I do when possible. In this case, the notification started after the update. So user side, the question is whether Augur is now seeing things previous versions of ESET didn't see or whether that PUA is simply just another of those vaguely potential threats. As I said in my previous replies to other users, this creates a grey zone where the user does not know what to do. I removed uTorrent and did not install BitTorrent (also because ESET seemed to stop some part of the process, which is, again, something I do not like). What ESET is missing in my opinion is a clear identification of threats as far as PUAs are concerned. Something either is a threat or it isn't. The other issue is how the window showing them is represented. Once again, the pop up window does not allow for a full visual of the threat and the path where it is located (you can't enlarge the window). Yet, ESET asks you which course of action you want to take. It is not a nice experience.

The problem is most PUAs are not technically threats at least in the traditional way. For example most PUAs are probably programs that try to get you to install extra stuff e.g. come with ask toolbar and other unwanted stuff so if anything they are adware. Most people probably just want their AV to detect viruses thus why some include PUAs but make it an optional setting for the user to decide. Most general users probably disable it but not fully sure on that.

As you mentioned, one solution could be for ESET to implement something that can give you a reason to why it is a PUP, but then again it would still be down to the user to look at that and decide if the reasons are okay enough for the user to decide. @Marcos, not sure if this would be possible, or even a link to the reason?

2 hours ago, peteyt said:

As you mentioned, one solution could be for ESET to implement something that can give you a reason to why it is a PUP, but then again it would still be down to the user to look at that and decide if the reasons are okay enough for the user to decide. @Marcos, not sure if this would be possible, or even a link to the reason?

We do not reveal exact information why an application is classified as PUA for legal reasons. We disclose that only in the course of legal disputes with particular PUA vendors. As for users, we provide them with general information about what PUAs are. They are in no way threats so the user can be sure that allowing a PUA will not cause any harm. A PUA may install a toolbar, give excessive false warnings about issues (e.g. in case of system cleaners), etc.

5 hours ago, PassingBy said:

Once again, the pop up window does not allow for a full visual of the threat and the path where it is located (you can't enlarge the window). Yet, ESET asks you which course of action you want to take.

Not sure which window you are referring to because the window with action selection for PUAs was actually made resizable as of v11 or v12 if I remember correctly.

5 hours ago, Marcos said:

We do not reveal exact information why an application is classified as PUA for legal reasons. We disclose that only in the course of legal disputes with particular PUA vendors. As for users, we provide them with general information about what PUAs are. They are in no way threats so the user can be sure that allowing a PUA will not cause any harm. A PUA may install a toolbar, give excessive false warnings about issues (e.g. in case of system cleaners), etc.

Thanks for the reply. I did wonder if there were legal issues. Isn't there also an organisation that kind of deals with similar software with a list of programs and a criteria?

19 minutes ago, Marcos said:

Each vendor has its own internal criteria for PUAs.

There's a website but I can't remember it, and I'm sure it's been brought up on here, possibly a scheme, and they have a list of software that are basically PUAs with the reasons they are classed.


Probably you mean AppEsteem, however, as I said each vendor applies their own criteria. The fact that vendor A adds or removes a particular PUA detection doesn't mean that ESET must necessarily follow their decision.


Hi all,

I have the same issue here, with the same annoying constant popups indicating an unwanted (ML/Augur) was found in a file, namely utorrent.exe. The location is exactly as some other people who have replied on here, within the appdata folder. However, I cannot select exclude signature from detection as someone else suggested as it is greyed out. How can I select this? Are there alternative solutions?

Thank you! 
