moeetee 0 Posted April 23, 2020
I did a scan and ESET says the scan is done, but one detection occurred and was not cleaned. What is it and how do I clean it? Attached is the log file.
Administrators Marcos 4,923 Posted April 23, 2020
\\Uefi Partition » UEFI » uefi:\\Volume 5\Application {057AD6B7-3525-40C8-9D21-552642894E3A} - a variant of EFI/CompuTrace.A potentially unsafe application - unable to clean
UEFI detections cannot be cleaned. You can try installing the latest version of the UEFI firmware and if it doesn't help, exclude the PUA from detection. For more information please read https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection
moeetee 0 Posted April 23, 2020 (Author)
6 minutes ago, Marcos said:
\\Uefi Partition » UEFI » uefi:\\Volume 5\Application {057AD6B7-3525-40C8-9D21-552642894E3A} - a variant of EFI/CompuTrace.A potentially unsafe application - unable to clean
UEFI detections cannot be cleaned. You can try installing the latest version of the UEFI firmware and if it doesn't help, exclude the PUA from detection. For more information please read https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection
What is CompuTrace, though? Why can't it be cleaned? Is it a virus?
Administrators Marcos 4,923 Posted April 23, 2020
You can find more information at https://www.eset.com/int/uefi-rootkit-cyber-attack-discovered/ or https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf.
itman 1,630 Posted April 23, 2020
1 hour ago, moeetee said:
What is CompuTrace, though?
https://security.stackexchange.com/questions/53698/detecting-and-removing-absolute-persistence-technology
It might be possible to remove Computrace by accessing your UEFI settings at boot time and disabling it from there: https://forum.eset.com/topic/16830-detection-of-computrace-variants-in-uefi-and-pre-loaded-software/?do=findComment&comment=84392 . Note this only applies to the non-malware-based versions of it. Also, this option appears to only work for select OEM manufacturers.
1 hour ago, moeetee said:
Why can't it be cleaned?
https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection
1 hour ago, moeetee said:
Is it a virus?
Possibly. Is this a fresh install of Eset on the device? If so, assume Computrace is OEM manufacturer related. If this detection occurred on a device where Eset had been installed for some time, assume it's malware related. One possibility is a manufacturer-initiated UEFI/BIOS upgrade where the firmware update was compromised.
Edited April 23, 2020 by itman
moeetee 0 Posted April 23, 2020 (Author)
2 hours ago, itman said:
https://security.stackexchange.com/questions/53698/detecting-and-removing-absolute-persistence-technology
It might be possible to remove Computrace by accessing your UEFI settings at boot time and disabling it from there: https://forum.eset.com/topic/16830-detection-of-computrace-variants-in-uefi-and-pre-loaded-software/?do=findComment&comment=84392 . Note this only applies to the non-malware-based versions of it. Also, this option appears to only work for select OEM manufacturers.
https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection
Possibly. Is this a fresh install of Eset on the device? If so, assume Computrace is OEM manufacturer related. If this detection occurred on a device where Eset had been installed for some time, assume it's malware related. One possibility is a manufacturer-initiated UEFI/BIOS upgrade where the firmware update was compromised.
No, this device already had Eset. Where did this come from and what can it do? Better yet, why wasn't ESET able to detect/prevent it?
Administrators Marcos 4,923 Posted April 23, 2020
UEFI is an integrated part of your motherboard but, unlike legacy BIOS, it can be updated programmatically. Most likely you already had CompuTrace there when you bought it. There is no proactive real-time UEFI protection; it's scanned once every several days since it's resource and time consuming.
itman 1,630 Posted April 23, 2020
1 hour ago, moeetee said:
Where did this come from and what can it do?
Check if your device is listed on this web site: https://www.absolute.com/partners/device-compatibility/ . If it is, assume CompuTrace was installed in the UEFI by the manufacturer. You will have to contact them about how to disable/remove it.
moeetee 0 Posted April 23, 2020 (Author)
What device? My computer was custom built. So are you saying CompuTrace was installed in what exactly, my motherboard? I currently have an ASUSTeK COMPUTER INC. STRIX B250I GAMING. What is this file that ESET picked up, what does it do, and how has it hurt me since it was installed?
itman 1,630 Posted April 23, 2020
54 minutes ago, moeetee said:
My computer was custom built. So are you saying CompuTrace was installed in what exactly, my motherboard? I currently have an ASUSTeK COMPUTER INC. STRIX B250I GAMING.
I don't see that listed on the Absolute web site, so it wouldn't have been something installed by default. So let's get into the detail on this.
CompuTrace is an anti-theft feature built into the UEFI/BIOS by the computer manufacturer. Think of it as a hardware equivalent to Eset's Anti-Theft protection. The Absolute software is an optional feature, also many times installed by the PC manufacturer, that serves two purposes. The first is to auto re-enable the CompuTrace feature if the thief tried to disable it. The second purpose is to be able to location-track where the stolen device is.
The problem is this. The Absolute software was mysteriously showing up on devices where CompuTrace was installed. And the versions of the Absolute software installed were malicious. You can read all about this here: https://securelist.com/absolute-computrace-revisited/58278/ . The malicious versions allowed the hacker to install a UEFI-based rootkit, i.e. Lojax, which is what Eset is detecting.
The problem is this in a nutshell. Once the Absolute software gets installed, the only concern that can remove/deactivate it is Absolute. This is by design. And they can only do so for their legit versions of the software.
Your best solution here is to contact ASUSTek and see if they have a UEFI/BIOS firmware upgrade for your PC/Laptop that does not include CompuTrace.
Edited April 24, 2020 by itman
moeetee 0 Posted April 24, 2020 (Author)
1 hour ago, itman said:
I don't see that listed on the Absolute web site, so it wouldn't have been something installed by default. So let's get into the detail on this.
CompuTrace is an anti-theft feature built into the UEFI/BIOS by the computer manufacturer. Think of it as a hardware equivalent to Eset's Anti-Theft protection. The Absolute software is an optional feature, also many times installed by the PC manufacturer, that serves two purposes. The first is to auto re-enable the CompuTrace feature if the thief tried to disable it. The second purpose is to be able to location-track where the stolen device is.
The problem is this. The Absolute software was mysteriously showing up on devices where CompuTrace was installed. And the versions of the Absolute software installed were malicious. You can read all about this here: https://securelist.com/absolute-computrace-revisited/58278/ . The malicious versions allowed the hacker to install a UEFI-based rootkit, i.e. Lojax, which is what Eset is detecting.
The problem is this in a nutshell. Once the Absolute software gets installed, the only concern that can remove/deactivate it is Absolute. This is by design. And they can only do so for their legit versions of the software.
Your best solution here is to contact ASUSTek and see if they have a UEFI/BIOS firmware upgrade for your PC/Laptop that does not include CompuTrace.
Why did ESET detect this now, out of the blue? I did a custom scan and not a regular scan. When you said the malicious versions allowed the "hacker" - what hacker? Who installed this Absolute software, or did someone do it recently on my computer? If you meant "hacker" with regard to the manufacturer, then what is harmful or potentially harmful about it?
Administrators Marcos 4,923 Posted April 24, 2020
2 hours ago, moeetee said:
Why did ESET detect this now, out of the blue? I did a custom scan and not a regular scan.
1. CompuTrace is classified as a potentially unsafe application. This detection is disabled by default, so it's likely that you have enabled it just recently.
2. UEFI is not scanned during each automatic startup scan. However, it can be scanned on demand if selected among the targets. Maybe you didn't have it selected before.
Quote:
When you said the malicious versions allowed the "hacker" - what hacker? Who installed this Absolute software, or did someone do it recently on my computer?
It was the maker of your motherboard, and they added it as an optional Anti-Theft feature that you can pay for.
moeetee 0 Posted April 24, 2020 (Author)
15 minutes ago, Marcos said:
1. CompuTrace is classified as a potentially unsafe application. This detection is disabled by default, so it's likely that you have enabled it just recently.
2. UEFI is not scanned during each automatic startup scan. However, it can be scanned on demand if selected among the targets. Maybe you didn't have it selected before.
It was the maker of your motherboard, and they added it as an optional Anti-Theft feature that you can pay for.
When you say 1. "... [t]his detection is disabled by default so it's likely that you have enabled it just recently." What do you mean I would have enabled it recently? I haven't disabled/re-enabled my protection setups. I just did a custom scan because someone had me do a FixMe.IT session and I didn't know it would automatically give full mouse/control to the other person on the other side, so I got scared and did the scan the same day.
2. "UEFI is not scanned during each automatic startup scan. However, it can be scanned on demand if selected among the targets. Maybe you didn't have it selected before." - Can you show me what you mean by "on demand if selected"? Would you please show me how to check whether it was or wasn't selected?
Thank you for your responses.
itman 1,630 Posted April 24, 2020
Here's another article on this issue from MalwareBytes: https://blog.malwarebytes.com/cybercrime/hacking/2018/10/lojack-for-computers-used-to-attack-european-government/
At this point it really doesn't matter how your device became infected. The thing to concentrate on is how to fix the issue. That can only be done by replacing the infected UEFI/BIOS with either a prior legit one or, preferably, an updated one from Asus that does not contain the Computrace feature.
Again, you need to contact AsusTek directly. Or alternatively, search their web site for the original UEFI/BIOS download for your device, or preferably an updated UEFI/BIOS version that does not include the Computrace option. Asus should also have Windows-based UEFI/BIOS utility software that will allow you to "flash" update the UEFI/BIOS from within Windows using the UEFI/BIOS update you previously downloaded.
If this activity is beyond your technical skills, you should seek professional assistance. If a UEFI/BIOS flash update is not performed properly, your device will be rendered permanently unusable.
Edited April 24, 2020 by itman
itman 1,630 Posted April 24, 2020
@Marcos to begin, this device is a gaming desktop. I went through the BIOS setup info here: https://dlcdnets.asus.com/pub/ASUS/mb/LGA1151/STRIX_B250I_GAMING/E12478_STRIX_B250I_GAMING_UM_WEB.pdf and there is no reference to CompuTrace. This makes sense since it is only installed on laptops/notebooks for theft protection.
This leads to the following conclusions. Eset's CompuTrace UEFI detection is a false positive. Or, Eset is detecting the presence of the Lojax rootkit in the UEFI regardless of how it was placed there.
Of note is that this device's UEFI/BIOS did have a vulnerability advisory from Asus:
Quote:
2017/11/22 3.65 MBytes MEUpdateTool Intel has identified security issue that could potentially place impacted platform at risk. Use ME Update tool to update your ME. *We suggest you update ME Driver to the latest Version 11.7.0.1040 simultaneously. Please download the file and check the MD5 code first.
https://www.asus.com/us/Motherboards/ROG-STRIX-B250I-GAMING/HelpDesk_Download/
Edited April 24, 2020 by itman
moeetee 0 Posted April 24, 2020 (Author)
2 hours ago, itman said:
@Marcos to begin, this device is a gaming desktop. I went through the BIOS setup info here: https://dlcdnets.asus.com/pub/ASUS/mb/LGA1151/STRIX_B250I_GAMING/E12478_STRIX_B250I_GAMING_UM_WEB.pdf and there is no reference to CompuTrace. This makes sense since it is only installed on laptops/notebooks for theft protection.
This leads to the following conclusions. Eset's CompuTrace UEFI detection is a false positive. Or, Eset is detecting the presence of the Lojax rootkit in the UEFI regardless of how it was placed there.
Of note is that this device's UEFI/BIOS did have a vulnerability advisory from Asus:
https://www.asus.com/us/Motherboards/ROG-STRIX-B250I-GAMING/HelpDesk_Download/
I had someone do a FixMe.IT session and I didn't know it would automatically give the person full mouse/control, and how easy it was for them to install things on my computer without any large visual consent request or a popup. I mean, after I installed that software and tried to remote into my laptop to see how it worked, I wasn't able to install programs on the computer on the other side of the session without a popup consent, but I was able to literally install a FixMe.It Client Session.exe by simply clicking the install button on my end as the "technician". But I'm not too sure whether this can be derived from that, or whether this Lojax just so happened to be in my computer and I did the scan and it picked up on it?
Edited April 24, 2020 by moeetee
itman 1,630 Posted April 24, 2020
Thinking more about the Asus MEUpdateTool update to patch the Intel ME vulnerability, I suspect that was to patch Intel Spectre/Meltdown CPU vulnerabilities. In any case, if not done previously, this UEFI/BIOS update should be applied.
At this point I would say that the Eset Advanced Scan Computrace detection is a false positive and ignore it. I state this for the following reason. Eset at startup time by default scans the UEFI/BIOS. As I recollect, every forum posting about CompuTrace Lojax detection shortly after Eset introduced the protection was occurring at boot time. Since you have not been receiving any alerts from Eset at startup time about CompuTrace Lojax, I would say at this time you are not infected with it.
moeetee 0 Posted April 24, 2020 (Author)
1 minute ago, itman said:
Thinking more about the Asus MEUpdateTool update to patch the Intel ME vulnerability, I suspect that was to patch Intel Spectre/Meltdown CPU vulnerabilities. In any case, if not done previously, this UEFI/BIOS update should be applied.
At this point I would say that the Eset Advanced Scan Computrace detection is a false positive and ignore it. I state this for the following reason. Eset at startup time by default scans the UEFI/BIOS. As I recollect, every forum posting about CompuTrace Lojax detection shortly after Eset introduced the protection was occurring at boot time. Since you have not been receiving any alerts from Eset at startup time about CompuTrace Lojax, I would say at this time you are not infected with it.
So you think it was a coincidence that I may have been paranoid from the remote session I had with someone and then did the custom scan the same day?
itman 1,630 Posted April 24, 2020
There was a fairly recent Asus vulnerability noted here: https://pokde.net/system/security/asus-releases-update-to-patch-asus-live-update-vunerability-also-created-a-new-diagnostic-tool-to-check-if-you-are-affected/ . Of note was that initially, at the time of discovery, only 600 devices were targeted. You might want to run Asus's diagnostic tool to see if it finds anything:
Quote:
If you are still feeling paranoid, ASUS has released a diagnostic tool to check if your system is compromised by the malware. As we have previously reported, the number of systems that are affected may be huge but the hackers were allegedly only targeting a small number of systems. Still, if you want to be sure, you can download the diagnostic tool here.
moeetee 0 Posted April 24, 2020 (Author)
1 minute ago, itman said:
There was a fairly recent Asus vulnerability noted here: https://pokde.net/system/security/asus-releases-update-to-patch-asus-live-update-vunerability-also-created-a-new-diagnostic-tool-to-check-if-you-are-affected/ . Of note was that initially, at the time of discovery, only 600 devices were targeted. You might want to run Asus's diagnostic tool to see if it finds anything:
I just did and I got this. I have this motherboard in a desktop PC and the remaining parts of this desktop PC are custom built - it's not a notebook.
itman 1,630 Posted April 24, 2020
Oops. Forgot to check the Asus web site, which clearly states the Live Update tool is only used on laptops/notebooks.
moeetee 0 Posted April 24, 2020 (Author)
13 minutes ago, itman said:
Oops. Forgot to check the Asus web site, which clearly states the Live Update tool is only used on laptops/notebooks.
It's okay. I just read this:
itman 1,630 Posted April 24, 2020
Looks like this previously noted Asus ME vulnerability is much more serious than I originally thought:
Quote:
Extreme Privilege Escalation UEFI Security Vulnerability
Researchers at the MITRE discovered several vulnerabilities in Intel's EDK2 UEFI reference implementation. Since this reference implementation is used by numerous manufacturers as the basis for their UEFI firmware, many systems (not only those by Intel) are affected. If an attacker gains Admin rights on a Windows system (because of other vulnerabilities), the attacker can inject rootkits into the UEFI firmware on the motherboard due to the vulnerability described here.
If you never updated your motherboard UEFI/BIOS against this, I most definitely would do so ASAP. It appears this is a UEFI/BIOS update, and if any rootkits do exist there, this update will eliminate them.
The update is hard to find. Go to the Asus web site here: https://www.asus.com/us/Motherboards/ROG-STRIX-B250I-GAMING/HelpDesk_Download/ . Select "Driver & Tools" and then your OS version. Scroll down to the BIOS section and select "All Downloads." Or alternatively, just update your UEFI/BIOS to the latest version available.
Note: I take no personal responsibility in regard to the impact any ASUS-provided software/firmware might have on your current device.
Edited April 24, 2020 by itman
moeetee 0 Posted April 24, 2020 (Author)
7 minutes ago, itman said:
Looks like this previously noted Asus ME vulnerability is much more serious than I originally thought:
If you never updated your motherboard UEFI/BIOS against this, I most definitely would do so ASAP. It appears this is a UEFI/BIOS update, and if any rootkits do exist there, this update will eliminate them.
The update is hard to find. Go to the Asus web site here: https://www.asus.com/us/Motherboards/ROG-STRIX-B250I-GAMING/HelpDesk_Download/ . Select "Driver & Tools" and then your OS version. Scroll down to the BIOS section and select "All Downloads." Or alternatively, just update your UEFI/BIOS to the latest version available.
Note: I take no personal responsibility in regard to the impact any ASUS-provided software/firmware might have on your current device.
I don't think I have. Is this what you mean?
itman 1,630 Posted April 24, 2020
4 minutes ago, moeetee said:
Is this what you mean?
First, check in your UEFI/BIOS settings what version is currently installed. Asus might have some auto-update utility for this running on your system, but I doubt that is the case.
That is the latest UEFI/BIOS available for your motherboard. Applying that will include all currently available UEFI/BIOS updates from ASUS. The specific update I was referring to is shown later in that same section.
Again, if you don't know what you are doing here, get some professional help.
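The version check itman describes above (read the installed firmware version, compare it with the vendor's download page before flashing) can be scripted so the comparison is not done by eye. The following is an added example written for this thread; it is not code from the forum, from ESET or from ASUS. It assumes the reader pastes the vendor-listed version into the `$LatestVendorVersion` placeholder, and the Windows-side agent indicators (a service named `rpcnet`, files `rpcnet.exe`/`rpcnetp.exe` in System32) are taken from public analyses of the Absolute agent such as the Securelist article linked earlier, so treat them as assumptions rather than a definitive indicator.

```powershell
# Added example (not from the thread, ESET or ASUS): inventory the firmware facts
# discussed above and look for the Windows-side Absolute/Computrace agent.
# Run from an elevated PowerShell prompt. Assumptions are marked inline.

param(
    # Placeholder: copy the BIOS version string shown on the vendor's download page.
    [string]$LatestVendorVersion = 'VERSION-FROM-VENDOR-PAGE'
)

function Get-FirmwareInventory {
    # Win32_BIOS and Win32_BaseBoard are standard WMI/CIM classes on every Windows host.
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    $board = Get-CimInstance -ClassName Win32_BaseBoard

    [pscustomobject]@{
        BoardManufacturer = $board.Manufacturer
        BoardProduct      = $board.Product
        BiosVendor        = $bios.Manufacturer
        BiosVersion       = $bios.SMBIOSBIOSVersion
        BiosReleaseDate   = $bios.ReleaseDate
        # Windows sets this environment variable to 'UEFI' or 'Legacy'.
        FirmwareType      = $env:firmware_type
    }
}

function Test-ComputraceAgent {
    # Assumption: the Windows agent registers a service named 'rpcnet' and ships
    # rpcnet.exe / rpcnetp.exe in System32 (per public write-ups of the agent).
    # Presence means the agent is active inside the OS; absence does NOT prove the
    # UEFI module is gone, because the module only deploys the agent when enabled.
    $svc   = Get-Service -Name 'rpcnet' -ErrorAction SilentlyContinue
    $files = @('rpcnet.exe', 'rpcnetp.exe') |
             ForEach-Object { Join-Path $env:SystemRoot "System32\$_" } |
             Where-Object { Test-Path $_ }

    [pscustomobject]@{
        ServicePresent = [bool]$svc
        ServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'absent' }
        FilesPresent   = @($files)
    }
}

$inv = Get-FirmwareInventory
$inv | Format-List

if ($inv.FirmwareType -ne 'UEFI') {
    Write-Warning 'Booted in legacy mode; an EFI/CompuTrace detection does not apply to this boot path.'
}

if ($inv.BiosVersion -ne $LatestVendorVersion) {
    $msg = "Installed firmware '{0}' differs from vendor-listed '{1}'. " -f $inv.BiosVersion, $LatestVendorVersion
    $msg += 'Download the update only from the vendor support page and verify its checksum before flashing.'
    Write-Warning $msg
}
else {
    Write-Output 'Installed firmware matches the vendor-listed version.'
}

Test-ComputraceAgent | Format-List
```

The script only reads; it does not flash anything. The firmware version comparison is the part that settles the "is this what you mean?" question: if the installed `SMBIOSBIOSVersion` already equals the newest vendor entry, the update in the thread has been applied, and if not, the warning tells the user to fetch it from the vendor page and check the published checksum (the ASUS note quoted earlier asks for an MD5 check) before flashing.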