
Steam game Medal of Honor being flagged as PUA



  • Most Valued Members

Not sure if this is an actual PUA or a false positive. Recently downloaded Medal of Honor, a 2010 EA game, via Steam. I'd played it years ago but re-downloaded it to play the other day, and on launching it I got an ESET warning, possibly Augur, stating something got blocked. ESET has warned me it is potentially unsafe today and given me the options to exclude, ignore, etc., but the submit option is greyed out. As EA has sometimes not been the most reputable company where privacy is concerned, I wondered if this was related to that, but it picks the file up as BH/Crack.1, which shouldn't be the case as it was downloaded from Steam.

Thought I'd post it on here in case it was a false positive. Had to zip the file as I can't upload exes directly.

moh.zip


9 hours ago, peteyt said:

but it picks the file up as BH/Crack.1

Show a screen shot of the PUA alert. I have never seen an Eset detection that begins with "BH/."


  • Most Valued Members
17 hours ago, peteyt said:

Not sure if this is an actual PUA or a false positive. Recently downloaded Medal of Honor, a 2010 EA game, via Steam. I'd played it years ago but re-downloaded it to play the other day, and on launching it I got an ESET warning, possibly Augur, stating something got blocked. ESET has warned me it is potentially unsafe today and given me the options to exclude, ignore, etc., but the submit option is greyed out. As EA has sometimes not been the most reputable company where privacy is concerned, I wondered if this was related to that, but it picks the file up as BH/Crack.1, which shouldn't be the case as it was downloaded from Steam.

Thought I'd post it on here in case it was a false positive. Had to zip the file as I can't upload exes directly.

moh.zip (attachment unavailable)

Hahahaha , ESET is smart , knows that EA Games are PUA :D


  • Most Valued Members
On 4/5/2020 at 11:44 PM, itman said:

Show a screen shot of the PUA alert. I have never seen an Eset detection that begins with "BH/."

Will try and get one. Might not be able to get onto my desktop till Wednesday. Checked VirusTotal and nothing.


  • Most Valued Members
8 minutes ago, peteyt said:

Will try and get one. Might not be able to get onto my desktop till Wednesday. Checked VirusTotal and nothing.

Could be ESET Augur? But an Augur detection should come with the Augur name before the detection. Maybe they have corrected the FP.


  • Administrators

It's a Deep Behavioral Inspection detection. It's possible to exclude it by the detection name or hash like anything else.


  • Most Valued Members
1 hour ago, Marcos said:

It's a Deep Behavioral Inspection detection. It's possible to exclude it by the detection name or hash like anything else.

Is it a false positive though? I just thought it was odd that it would flag up for a mainstream AA game


18 minutes ago, peteyt said:

Is it a false positive though? I just thought it was odd that it would flag up for a mainstream AA game

The Eset detection says it all. Eset is detecting it as cracked software. Looks like they are finally cracking down, pun intended, on that malware delivery method.


  • Most Valued Members
1 hour ago, itman said:

The Eset detection says it all. Eset is detecting it as cracked software. Looks like they are finally cracking down, pun intended, on that malware delivery method.

But that's my point: it can't be cracked, as it was downloaded from Steam the other day and hasn't been edited, patched, etc.

Unless there is a cracked version and eset can't distinguish the two?


12 minutes ago, peteyt said:

But that's my point: it can't be cracked, as it was downloaded from Steam the other day and hasn't been edited, patched, etc.

Unless there is a cracked version and eset can't distinguish the two?

Submit it to VT and see if anyone detects it as cracked.


  • Most Valued Members
1 minute ago, itman said:

Submit it to VT and see if anyone detects it as cracked.

Already did before I did the post. I don't even think ESET did on VT, but I could be wrong. Hoping to get onto my desktop tomorrow to check fully.


  • Most Valued Members


17 hours ago, itman said:

Submit it to VT and see if anyone detects it as cracked.

But as it's coming from Steam there shouldn't be any indication of cracks because it's not a pirated copy or cracked one.

17 hours ago, peteyt said:

Already did before I did the post. I don't even think ESET did on VT, but I could be wrong. Hoping to get onto my desktop tomorrow to check fully.

Augur is not active on VT; it uses the database.

Edited by Nightowl

  • Most Valued Members
On 4/5/2020 at 11:44 PM, itman said:

Show a screen shot of the PUA alert. I have never seen an Eset detection that begins with "BH/."

I have attached a copy to show you. Only just been able to get back onto the computer now.

The first one shows the PUA alert. The "submit for analysis" option is greyed out. I have just been hitting ignore, and then straight afterwards the next window comes up showing it was blocked. I've only been playing the single-player campaign, which works fine. I haven't tried the online version, so I'm unsure what is being blocked, as at least single-player-wise everything is working fine.

[Attachment: PUAEset.jpg]

[Attachment: PUAEsetBlock.jpg]

Edited by peteyt

35 minutes ago, peteyt said:

I have attached a copy to show you.

My best guess at this point is the game since it is an old one, might be manifesting behavior associated with cracking activity. An example of this behavior is here: https://null-byte.wonderhowto.com/how-to/hacks-behind-cracking-part-1-bypass-software-registration-0132568/ .

An interesting Augur test would be to restore it from quarantine. Then set PUA default settings in Eset real-time section from "Balanced" to "Cautious." Note that the cautious setting corresponds to prior release 13.1 PUA detection level. Now try to run moh.exe and see if the same PUA alert is generated. Note that there are possible risks with this but it is the only way to determine if Augur's more aggressive settings are the source.


  • Most Valued Members
1 minute ago, Marcos said:

Please post the information about installed modules.

I have copied them below, but I'm unsure if I should have and apologise just in case. Not sure if I should have included this in the insider forum.

Detection Engine: 21139P (20200409)
Rapid Response module: 16049P (20200409)
Update module: 1021 (20200218)
Antivirus and antispyware scanner module: 1561 (20200326)
Advanced heuristics module: 1198 (20200316)
Archive support module: 1301 (20200403)
Cleaner module: 1208 (20200319)
Anti-Stealth support module: 1163 (20200401)
Firewall module: 1402 (20200403)
ESET SysInspector module: 1276 (20200217)
Translation support module: 1795 (20200409)
HIPS support module: 1388 (20200331)
Internet protection module: 1395 (20200331)
Web content filter module: 1075 (20200310)
Advanced antispam module: 7852 (20200402)
Database module: 1110 (20190827)
Configuration module (39): 1866 (20200401)
LiveGrid communication module: 1061 (20200402)
Specialized cleaner module: 1014 (20200129)
Banking & payment protection module: 1182 (20200409)
Rootkit detection and cleaning module: 1025 (20191211)
Network protection module: 1683P (20200214)
Router vulnerability scanner module: 1067 (20200130)
Script scanner module: 1070 (20200406)
Connected Home Network module: 1035 (20191112)
Cryptographic protocol support module: 1042 (20200227)
Databases for advanced antispam module: 4704P (20200409)
Deep behavioral inspection support module: 1091 (20200211)
Advanced Machine Learning module: 1058 (20200401)
Telemetry module: 1059 (20200204)
Security Center integration module: 1020.1 (20200313)


  • Administrators

What has changed is that the file is detected by Deep Behavioral Inspection as a potentially unsafe application, i.e. not with default settings. Since the file is not digitally signed and has suspicious characteristics, we'd recommend excluding it. It is indeed weird that a file from Steam would be like that.

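As an added example (not from this thread and not ESET's own tooling), the following PowerShell collects the facts the reply above turns on before anyone excludes a flagged file: its SHA-256 (the value you would use for a hash exclusion or a VirusTotal lookup), its Authenticode signature status and signer, and its version resource. The game path and the optional known-good hash list are placeholders the operator supplies; nothing here talks to the ESET product.

```powershell
# Added example, not code from the thread. Triage a binary flagged by a
# behavioural detection before deciding whether to exclude it by hash.
function Get-FlaggedFileTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hypothetical input: hashes you recorded yourself for a copy you trust
        [string[]]$KnownGoodSha256 = @()
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    # SHA-256 is what a hash exclusion or a VirusTotal search keys on
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Status values include Valid, NotSigned, HashMismatch, UnknownError
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path             = $item.FullName
        SizeBytes        = $item.Length
        LastWriteUtc     = $item.LastWriteTimeUtc
        Sha256           = $hash
        SignatureStatus  = $sig.Status.ToString()
        Signer           = $signer
        ProductName      = $item.VersionInfo.ProductName
        FileVersion      = $item.VersionInfo.FileVersion
        MatchesKnownGood = ($KnownGoodSha256 -contains $hash)
    }
}

# Decision helper: treat a hash exclusion as reasonable only when the binary
# carries a valid signature or matches a hash you recorded yourself; an
# unsigned file with no reference hash should be submitted for analysis instead.
function Test-ExclusionCandidate {
    param([Parameter(Mandatory)]$Triage)
    return ($Triage.SignatureStatus -eq 'Valid') -or $Triage.MatchesKnownGood
}

# Usage (path is a placeholder for the flagged game executable):
# $t = Get-FlaggedFileTriage -Path 'C:\Program Files (x86)\Steam\steamapps\common\<game>\moh.exe'
# $t | Format-List
# if (Test-ExclusionCandidate $t) { 'hash exclusion is reasonable' }
# else { 'do not exclude yet; submit the file for analysis' }
```

The point of the second function is that "exclude by hash" only makes sense when you can say why that particular bytes-on-disk are trusted; an unsigned binary with no reference hash gives you nothing to anchor the exclusion to.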

The problem here is deep behavior inspection is only supposed to be deployed on unknown processes:

[Attachment: Eset_DBI.png]

https://www.eset.com/int/about/newsroom/press-releases/research/eset-deep-behavioral-inspection-enables-deeper-monitoring-of-unknown-suspicious-processes/

LiveGrid reputation status clearly shows this is not an unknown process.


To begin, we are talking about 10 year old game software. Like software is notorious for "dodgy" behavior.

AML, which also monitors API call behavior, sees something it hasn't been previously trained for. A fair assumption, since we are again talking about 10 year old software, which is a "stretch" to run on Win 10. It in turn passes control to deep behavior inspection for a "look see." DBI is now running outside of normal context w/o LiveGrid analysis feedback. DBI sees API behavior related to cracking activity. Again, we are talking about 10 year old game software that may indeed be using such in regards to anti-crack protection. In reality only the game software developer really knows what is going on, but I believe the previous scenario is a reasonable one.

Edited by itman

I forgot about the DRM aspect. And that very well might be the crack Eset is detecting. Medal of Honor (2010) indeed has it for online activation: https://www.pcgamingwiki.com/w/index.php?title=Special:Ask&offset=100&limit=100&q=[[Category%3AGames]]+[[Uses+DRM%3A%3AOnline+activation]]&p=format%3Dtemplate%2Ftemplate%3DDRM-20list-2Frow%2Fintrotemplate%3DDRM-20list-2Fintro%2Foutrotemplate%3DDRM-20list-2Foutro&po=%3FDeveloped+by %3FPublished+by %3FRelease+date %3FAvailable+on

I would contact Steam and see if they can shed some light on what is going on here.



What I did notice is that Medal of Honor (2010) can be downloaded from the publisher: https://www.ea.com/games/medal-of-honor/medal-of-honor for $4.99 versus Steam's price of $19.99. So they might only be hosting cracked software but grossly overcharging to boot.


Edited by itman

This topic is now closed to further replies.