
False virus detection in setup file for MSI Dragon Center 2 v.6.2.1912.2601


cybot


I am trying to update my laptop's MSI Dragon Center 2 software, but it is being blocked by both Windows Defender, ESET ESSP, and Windows SmartScreen. I try to extract the files, and the setup files are deleted/quarantined as soon as they are accessed. The files that are falsely being marked as a virus are: "setup_G.exe", "setup_P.exe", and "setup_W.exe". The files for the setup program are contained in a .ZIP file and are downloaded from the manufacturer's website from the following URL: https://download.msi.com/uti_exe/nb/ap_DragonCenterv2.6.1912.2601_2.6.1912.2601_0xc5b28391.zip . Scanning the .zip file returns multiple threats, and when a file extraction is attempted, the files get removed.

THERE IS NO VIRUS. THERE IS NOTHING HARMFUL WITH THESE FILES. THIS IS A FALSE DETECTION!!!

This happened once before with a previous version of the software, and I had to wait for a new version to come out before I could install it because of the issue. I tried to raise this issue when it happened before on the MSI support forum, and I was called a liar and told my system was so badly infected I needed to do a format and clean install. For the record, my system is not infected and never has been. The software does not suddenly get a certain version detected as a virus, get several new versions released, and then suddenly get marked as containing a virus once again. The only conclusion I can come to is that someone is dicking around with the reporting system and making false reports in an attempt to harm MSI's reputation or something. In researching the issue the first time it happened, I came across only one site where virus-containing software gets reported that was reporting the software as containing viruses. URL: https://www.hybrid-analysis.com/sample/1b948a4297783a028ce5fb4a8a0d25e5ebfd576d4ce2fde7fec18700b536eb48?environmentId=100 . The viruses being detected are all named Generik. followed by some random letters.

I have made previous reports inside the ESSP program reporting the falsely flagged files, but it is, as I stated, happening again.


Apologies. In the previous case, I did follow that guide, but when the same issue reoccurs, it looks like nothing was done about the false positive. ESSP is no longer flagging the setup files. Thanks, and sorry for how I went about reporting the issue this time around.


The issue is not fixed. When running the Dragon Center 2 setup file, a message from ESSP appeared saying that the file setup.exe was infected. It had the following message:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
1/10/2020 7:29:58 PM;Real-time file system protection;file;C:\Users\Cybot\AppData\Local\Temp\{E3E1BF59-57C1-4792-BC38-9C2F0F58204B}\setup.exe;a variant of Win32/GenKryptik.EBBO trojan;cleaned by deleting;MSI\Cybot;Event occurred on a new file created by the application: C:\Users\Cybot\AppData\Local\Temp\{686B90F5-2E1E-4F34-BBA4-F8D0F93C66C5}\setup_G.exe (0C7B66731131D984E5AE95ADD4D757355994E17E).;F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2;12/26/2019 12:24:25 AM
1/10/2020 7:30:21 PM;Real-time file system protection;file;C:\Users\Cybot\AppData\Local\Temp\{436D8C86-4FCF-482E-8308-9DFE3FBCA482}\setup.exe;a variant of Win32/GenKryptik.EBBO trojan;cleaned by deleting;MSI\Cybot;Event occurred on a new file created by the application: C:\Users\Cybot\AppData\Local\Temp\{F382F35F-1B93-4A33-AC2B-D25F03D842DA}\setup_G.exe (0C7B66731131D984E5AE95ADD4D757355994E17E).;F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2;12/26/2019 12:24:25 AM
1/10/2020 7:30:37 PM;Real-time file system protection;file;C:\Users\Cybot\AppData\Local\Temp\{D85B2B46-78E3-47A2-868E-AF8CEBA0E5B0}\setup.exe;a variant of Win32/GenKryptik.EBBO trojan;cleaned by deleting;MSI\Cybot;Event occurred on a new file created by the application: C:\Users\Cybot\AppData\Local\Temp\{5338A8ED-DF72-46AC-B796-5127C29B9014}\setup_G.exe (0C7B66731131D984E5AE95ADD4D757355994E17E).;F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2;12/26/2019 12:24:25 AM
So the files are no longer blocked from being extracted from the setup .zip file, but I still cannot run the setup program.
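The three log lines above are ESET's semicolon-delimited detection export, and the useful facts in them (the detection name, the SHA-1 of the quarantined object, and the SHA-1 of the parent that dropped it) are easy to lose in the noise of repeated events. The following is an added example, not code from the thread, from ESET or from MSI: it parses those lines, collapses the repeats to distinct samples, and checks whether a given file's SHA-1 is one the scanner actually acted on. The column layout is taken from the header row; the assumption that the Information field ends with the parent's SHA-1 in parentheses comes from how the quoted lines are written.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed input: the header row and the three ESET "Real-time file system
# protection" events quoted in the post above, pasted verbatim. The export is
# semicolon-delimited; the Hash column is the SHA-1 of the quarantined object.
ESET_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
1/10/2020 7:29:58 PM;Real-time file system protection;file;C:\Users\Cybot\AppData\Local\Temp\{E3E1BF59-57C1-4792-BC38-9C2F0F58204B}\setup.exe;a variant of Win32/GenKryptik.EBBO trojan;cleaned by deleting;MSI\Cybot;Event occurred on a new file created by the application: C:\Users\Cybot\AppData\Local\Temp\{686B90F5-2E1E-4F34-BBA4-F8D0F93C66C5}\setup_G.exe (0C7B66731131D984E5AE95ADD4D757355994E17E).;F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2;12/26/2019 12:24:25 AM
1/10/2020 7:30:21 PM;Real-time file system protection;file;C:\Users\Cybot\AppData\Local\Temp\{436D8C86-4FCF-482E-8308-9DFE3FBCA482}\setup.exe;a variant of Win32/GenKryptik.EBBO trojan;cleaned by deleting;MSI\Cybot;Event occurred on a new file created by the application: C:\Users\Cybot\AppData\Local\Temp\{F382F35F-1B93-4A33-AC2B-D25F03D842DA}\setup_G.exe (0C7B66731131D984E5AE95ADD4D757355994E17E).;F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2;12/26/2019 12:24:25 AM
1/10/2020 7:30:37 PM;Real-time file system protection;file;C:\Users\Cybot\AppData\Local\Temp\{D85B2B46-78E3-47A2-868E-AF8CEBA0E5B0}\setup.exe;a variant of Win32/GenKryptik.EBBO trojan;cleaned by deleting;MSI\Cybot;Event occurred on a new file created by the application: C:\Users\Cybot\AppData\Local\Temp\{5338A8ED-DF72-46AC-B796-5127C29B9014}\setup_G.exe (0C7B66731131D984E5AE95ADD4D757355994E17E).;F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2;12/26/2019 12:24:25 AM
"""

# Assumption: the Information field ends with the SHA-1 of the parent that
# dropped the file, in parentheses, as it does in the quoted lines.
PARENT_HASH_RE = re.compile(r"\(([0-9A-Fa-f]{40})\)")


def parse_eset_log(text):
    """Parse an ESET detection export into one dict per event, normalising the
    Hash column to upper case and adding the parent's SHA-1 as ParentHash."""
    reader = csv.DictReader(io.StringIO(text.strip()), delimiter=";")
    records = []
    for row in reader:
        match = PARENT_HASH_RE.search(row.get("Information") or "")
        row["ParentHash"] = match.group(1).upper() if match else None
        row["Hash"] = row["Hash"].strip().upper()
        records.append(row)
    return records


def summarize(records):
    """Collapse repeated events to distinct (detection, SHA-1) pairs, which is
    the list an analyst actually needs to look up or submit as a false positive."""
    summary = defaultdict(lambda: {"count": 0, "objects": set(), "parents": set()})
    for rec in records:
        entry = summary[(rec["Detection"], rec["Hash"])]
        entry["count"] += 1
        entry["objects"].add(rec["Object"].rsplit("\\", 1)[-1])  # file name only
        if rec["ParentHash"]:
            entry["parents"].add(rec["ParentHash"])
    return dict(summary)


def sha1_hex(data):
    """Upper-case hex SHA-1, the same form ESET uses in the Hash column."""
    return hashlib.sha1(data).hexdigest().upper()


def matches_logged_hash(data, records):
    """True if these bytes are one of the samples in the log, either the
    quarantined object or the parent that dropped it. Use this to confirm that
    the file you are about to submit as a false positive is the exact one the
    scanner acted on, not a different build from the same download page."""
    known = {rec["Hash"] for rec in records}
    known |= {rec["ParentHash"] for rec in records if rec["ParentHash"]}
    return sha1_hex(data) in known


if __name__ == "__main__":
    recs = parse_eset_log(ESET_LOG)
    for (detection, sha1), info in summarize(recs).items():
        print(detection)
        print(f"  object sha1={sha1} events={info['count']} names={sorted(info['objects'])}")
        print(f"  dropped by parent sha1={sorted(info['parents'])}")
```

Run against the quoted lines, the summary reduces three events to a single sample: setup.exe (SHA-1 F10C1F5A…) dropped three times by the same setup_G.exe (SHA-1 0C7B6673…). Those two hashes are the ones to look up on VirusTotal or hybrid-analysis rather than the file names, since the names are reused across every version.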


Looks like the installer is possibly infected. The hash, F10C1F5A7B954F5D2293F02B23250CDFFD81ABC2, shown in the posted Eset log is detected by multiple other AVs on VirusTotal: https://www.virustotal.com/gui/file/687020b6737ccf0879bc7bdd5d550415f5628f3959efc946e56fa0afc88e5844/detection

Of note is that neither BitDefender nor Kaspersky detects the setup.exe file. My best guess is this software contains code that mimics Kryptik malware. The vendor should be informed of this and revise its code accordingly.

Edited by itman

Tencent has a detailed analysis on Virus Total of what setup.exe is doing:

Quote

Process

Behaviour: Create process

Detail info: [0x000001b4]ImagePath = C:\WINDOWS\explorer.exe, CmdLine = C:\WINDOWS\explorer.exe

Behaviour: Create process of additional file

Detail info: [0x0000040c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{96CB3EE7-A119-4384-A05B-C7B5B303EED4}

Behaviour: Set thread context

Detail info: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{96CB3EE7-A119-4384-A05B-C7B5B303EED4}\%temp%\****.exe

Behaviour: Enumerate process

Detail info: N/A

Behaviour: Write data over remote process

Detail info: TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x0007f3c0, Size = 0x00000c35 TargetPID = 0x000001b4

Basically, a new explorer.exe instance is starting up and code is being injected into it remotely. Not what I would call normal program installer behavior.

One possible scenario is that the MSI server or proxy has been compromised and, instead of downloading legit software, is downloading Kryptik malware.

Edited by itman
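The sandbox output quoted above is a flat list of "Behaviour:" / "Detail info:" pairs, and the point the post makes (a process is created and then written to remotely) only becomes visible once the two entries are correlated by PID. The following is an added example, not code from the thread or from Tencent or VirusTotal: it parses that block into events and reports each process the sample both spawned and wrote into. The "[0x…]" prefix being the PID of the created process and the "key = value" layout of the detail lines are assumptions read off the quoted entries.

```python
import re

# Constructed input: the Tencent sandbox behaviour entries quoted above, pasted
# verbatim. Each entry is a "Behaviour:" line followed by a "Detail info:" line.
SANDBOX_REPORT = r"""
Behaviour: Create process
Detail info: [0x000001b4]ImagePath = C:\WINDOWS\explorer.exe, CmdLine = C:\WINDOWS\explorer.exe
Behaviour: Create process of additional file
Detail info: [0x0000040c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{96CB3EE7-A119-4384-A05B-C7B5B303EED4}
Behaviour: Set thread context
Detail info: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{96CB3EE7-A119-4384-A05B-C7B5B303EED4}\%temp%\****.exe
Behaviour: Enumerate process
Detail info: N/A
Behaviour: Write data over remote process
Detail info: TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x0007f3c0, Size = 0x00000c35 TargetPID = 0x000001b4
"""

# "key = value" pairs separated by a comma or, as in the last line, only a space.
KV_RE = re.compile(r"(\w+)\s*=\s*(.+?)(?=\s*,\s*\w+\s*=|\s+\w+\s*=|$)")
# Assumption: a leading "[0x...]" is the PID of the process the entry created.
PID_PREFIX_RE = re.compile(r"^\[(0x[0-9a-fA-F]+)\]")


def parse_behaviours(text):
    """Pair every 'Behaviour:' line with the 'Detail info:' line after it."""
    events, current = [], None
    for line in text.strip().splitlines():
        if line.startswith("Behaviour:"):
            current = {"behaviour": line.split(":", 1)[1].strip(), "detail": ""}
            events.append(current)
        elif line.startswith("Detail info:") and current is not None:
            current["detail"] = line.split(":", 1)[1].strip()
    return events


def parse_detail(detail):
    """Split a detail string into its key/value pairs (empty for 'N/A')."""
    return {k: v.strip() for k, v in KV_RE.findall(detail)}


def injection_chain(events):
    """Correlate 'Create process' entries with later remote writes into the
    same PID. One finding per process the sample both spawned and wrote into,
    which is the combination the post singles out as abnormal for an installer."""
    spawned = {}
    for ev in events:
        if ev["behaviour"].startswith("Create process"):
            m = PID_PREFIX_RE.match(ev["detail"])
            if m:
                spawned[m.group(1).lower()] = parse_detail(ev["detail"]).get("ImagePath")
    findings = []
    for ev in events:
        if ev["behaviour"] == "Write data over remote process":
            kv = parse_detail(ev["detail"])
            pid = kv.get("TargetPID", "").lower()
            if pid in spawned:
                findings.append({"pid": pid, "image": spawned[pid],
                                 "size": kv.get("Size"), "address": kv.get("WriteAddress")})
    return findings


def triage(events):
    """Summary a reviewer can act on: the injection findings plus whether the
    sample also changed a thread context, the usual companion of a remote write."""
    return {
        "remote_writes_into_spawned": injection_chain(events),
        "set_thread_context": any(e["behaviour"] == "Set thread context" for e in events),
    }


if __name__ == "__main__":
    result = triage(parse_behaviours(SANDBOX_REPORT))
    for f in result["remote_writes_into_spawned"]:
        print(f"remote write of {f['size']} bytes at {f['address']} into spawned {f['image']} (pid {f['pid']})")
    print("set thread context:", result["set_thread_context"])
```

On the quoted report this yields one finding: a 0xc35-byte write into the explorer.exe the sample itself started, alongside a thread-context change. That pairing is what makes the behaviour look like injection rather than a normal installer spawning a helper, and it is the concrete observation worth citing when asking the vendor or the AV to re-examine the sample.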

Update - I just rescanned the hash at VT and both BitDefender and Emsisoft, among others, are now additionally detecting the setup file.

Update 1/12/2020 - 31 AV engines now detect this on VT. The only AVs of significance not detecting it are Windows Defender and Kaspersky. Both of these, I believe, do not enable PUA detection by default.

Interestingly, Windows Defender, which originally detected it, is no longer doing so. So it might be that these detections are FPs. If this does turn out to be the case, Eset can't be faulted given the large number of other security product detections. The real culprit here is MSI for putting suspect code in its software.

I, for one, am not a big fan of graphics card manufacturers' optional non-driver software, which over the years has shown consistent issues.

Edited by itman

One other comment.

A lot of the detections for this on VT are for Trojan.GenericKD.xxxxx. This is used by a number of AV vendors for PUAs, i.e. potentially unwanted applications:

Quote

Trojan.Generic.KD is a specific detection used by BitDefender Antivirus, BitDefender Internet Security and other antivirus products to indicate and detect a Potentially Unwanted Program. A potentially unwanted application is a program that contains adware, installs toolbars or has other unclear objectives.

Trojan.Generic.KD is technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience. The industry generally refers to it as a "PUP," or potentially unwanted program.

The Trojan.Generic.KD infection is used to boost advertising revenue, as in the use of blackhat SEO, to inflate a site’s page ranking in search results.

Trojan.Generic.KD is an ad-supported (users may see additional banner, search, pop-up, pop-under, interstitial and in-text link advertisements) cross web browser plugin for Internet Explorer (BHO) and Firefox/Chrome (plugin) and distributed through various monetization platforms during installation. The browser extension includes various features that will modify the default or custom settings of the browser including the home page, search settings and in some cases will modify Internet Explorer’s load time threshold, place a lock file within Firefox to prevent competing software from changing its settings as well as disable the browser’s Content Security Policy in order to allow for cross site scripting of the plugin.

https://malwaretips.com/blogs/trojan-generic-kd-removal/

Edited by itman

Hmm ....... Based on your last MSI forum posting, https://forum-en.msi.com/index.php?topic=330500.0 , you were successful in installing this software.

I assume this means Eset changed its detection to a PUA alert, which you overrode. In this case, I wish you luck in the future trouble-free operation of your PC build.
