ForceRecon 1 Posted July 10, 2020 Share Posted July 10, 2020 I have submitted these items a 100 times from within the eset program. This has been a false positive since 2017. Is there any chance to get these items allowed by the program so I don't have to look at it any more? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,259 Posted July 10, 2020 Administrators Share Posted July 10, 2020 EFI/Computrace detection is correct, it's not a false positive. Aryeh Goretsky 1 Link to comment Share on other sites More sharing options...
itman 1,746 Posted July 10, 2020 Share Posted July 10, 2020 The only way to get rid of this detection is to get an UEFI/BIOS version from Lenovo that doesn't include the Computrace components and re-flash the UEFI/BIOS. Aryeh Goretsky 1 Link to comment Share on other sites More sharing options...
Administrators Marcos 5,259 Posted July 10, 2020 Administrators Share Posted July 10, 2020 The above files were detected on the C drive according to the screen shot. However, it's unlikely to be FP and it's most likely Lojack by Absolute Software that Lenovo used to install to laptops. Aryeh Goretsky 1 Link to comment Share on other sites More sharing options...
ForceRecon 1 Posted July 10, 2020 Author Share Posted July 10, 2020 (edited) I understand now.. I can get it removed remotely from computrace themselves. I read some place that there is a number in the bios you can call.. have them remove it and when it dials home it will remove the software and put it back to the original non computrace bios version. Or should I leave it on there and just deal with eset. If eset does know this is normal then why inform people of its existence if you have told it to not do anything hundreds of times. I think if I say to don't do anything then it should be intelligent enough to not report it any further but I should in the event I said do not report by accident be able to allow it to be shown again. Just a thought. Thanks again for all the responses.. Great to get a quick reply.. Edited July 10, 2020 by ForceRecon Link to comment Share on other sites More sharing options...
itman 1,746 Posted July 10, 2020 Share Posted July 10, 2020 3 minutes ago, ForceRecon said: I can get it removed remotely from computrace themselves. I read some place that there is a number in the bios you can call.. have them remove it and when it dials home it will remove the software and put it back to the original non computrace bios version. Unless Computrace has revised their policies, I wish you luck on this one. By design once Computrace is activated, it cannot be deactivated by anyone including Computrace. Link to comment Share on other sites More sharing options...
ESET Moderators Aryeh Goretsky 386 Posted July 11, 2020 ESET Moderators Share Posted July 11, 2020 Hello, As my colleagues @Marcos and @itman noted, the detection of EFI/CompuTrace is a legitimate one and not a false positive. It looks like the Lenovo ThinkPad P70 has a vulnerable version of that module present, which is what is being detected. I found a few discussions which might be of use: Lenovo Support Forum - ThinkCentre - How to disable CompuTrace Lenovo Support Forum - Absolute CompuTrace Agent Lenovo Support Forum - UEFI, Win 10 v1903 and Anti Virus Lenovo Support Forum - Lenovo Yoga 920 does not meet Microsoft's standard hardware security requirements Bill Morrow's ThinkPads.com Open Forum - What to do if CompuTrace is activated in your TP BIOS I would suggest that you contact Lenovo directly and see if (1) there is a BIOS (UEFI) firmware update that contains a newer version of CompuTrace that isn't vulnerable and install that; or (2) see if there is an option in the BIOS (UEFI) firmware to permanently disable and remove CompuTrace. Alternately, you can try contacting Absolute Software Corporation, the developer of CompuTrace, and see if they can disable it for you. If you purchased the Lenovo ThinkPad P70 second-hand, you may have to show them proof of ownership (e.g., a receipt from the seller, eBay and so forth). Regards, Aryeh Goretsky Link to comment Share on other sites More sharing options...
itman 1,746 Posted July 11, 2020 Share Posted July 11, 2020 (edited) 12 hours ago, Aryeh Goretsky said: Bill Morrow's ThinkPads.com Open Forum - What to do if CompuTrace is activated in your TP BIOS I strongly recommend reading the Kaspersky article referenced in the above: https://securelist.com/absolute-computrace-revisited/58278/ . Note this section: 4. Cases of Unauthorized Activations. If Computrace/Absolute does not have a record of the device in their database, there is nothing they can do about helping you deactivate it. Hopefully, that is not the case here. Finally, the article by Bill Morrow notes this: Quote No, you can't get rid of Computrace by flashing the BIOS. This is the first I have heard of this and certainly hope it is not true. It might also only apply to Lenovo ThinkPad products. Edited July 11, 2020 by itman Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted July 12, 2020 Most Valued Members Share Posted July 12, 2020 16 hours ago, itman said: Quote No, you can't get rid of Computrace by flashing the BIOS. This is the first I have heard of this and certainly hope it is not true. It might also only apply to Lenovo ThinkPad products. I have tried that with Dell BIOS , I have flashed another BIOS by DELL , and still ESET detected CompuTrace , even though it is disabled on the motherboard. Link to comment Share on other sites More sharing options...
itman 1,746 Posted July 12, 2020 Share Posted July 12, 2020 6 hours ago, Nightowl said: I have tried that with Dell BIOS , I have flashed another BIOS by DELL , and still ESET detected CompuTrace , even though it is disabled on the motherboard. Based on what Aryeh posted above, Eset will continue to show the detection as long as Computrace still exists in the UEFI/BIOS. Whether its disabled or not appears to be immaterial to the detection. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted July 12, 2020 Most Valued Members Share Posted July 12, 2020 14 minutes ago, itman said: Based on what Aryeh posted above, Eset will continue to show the detection as long as Computrace still exists in the UEFI/BIOS. Whether its disabled or not appears to be immaterial to the detection. Yeah that computrace is a legal malware Link to comment Share on other sites More sharing options...
itman 1,746 Posted July 12, 2020 Share Posted July 12, 2020 (edited) Based on what is shown below and applicable to Dell devices, getting rid of Computrace in the UEFI/BIOS requires "specialized knowledge": Quote I got a government auction Dell Optiplex 755 desktop with the Computrace BIOS setting locked "on", and tried several ways to wipe or glitch this. Like laptop passwords, the setting is stored in serial EEPROM, the same chip as the BIOS, but the BIOS settings memory blocks are not part of the firmware image. However I did find the solution on this machine: Get BIOS A01, filename O755-A01.EXE, which can be found searching the Dell site (but is not presented as one of the download options on the Optiplex main support page), Make a DOS-bootable USB stick and put this firmware file on it, Open the computer, take the password jumper off and put it on the service mode jumper pins (near ATX power connector) Boot of the USB stick (F12 boot options) run the command: O755-A01 -wipeall -wipeclean Instead of the normal reboot procedure to install BIOS, EEPROM is immediately erased and the new BIOS loaded, Put the jumper back in its original position, Boot into BIOS and set Computrace to permanent disable, Retype the erased service tag using the BIOS option to do so, Reboot and reload the newest BIOS of your choice (some, like mods from this forum, are Windows-only) https://forums.mydigitallife.net/threads/computrace-causing-problems-need-help-to-remove-from-bios-phoenix-bios-f-2e.16042/page-3#post-1128698 What I have gleaned from the above is Computrace must be set to "Disabled" in the BIOS. Note this can only be done if was never activated. Hence the above "gyration" to get the UEFI/BIOS to the point where it can be set to disabled. Once Computrace is disabled, I believe a UEFI/BIOS version not containing Computrace update via off-line media flashing or in-Windows updating, if available, will succeed. Finally, a UEFI/BIOS version not containing Computrace must be available and provided by the device manufacturer. Also if Computrace is "permanently" disabled in the UEFI/BIOS as noted in the above procedure: Quote Retype the erased service tag using the BIOS option to do so, I suspect Eset will longer detect its presense. If it does, then its a bug on Eset's part. Once Computrace is permanently disabled, it can never again be re-activated; excluding above hacking method. Also noteworthy is that government grade anti-theft mechanisms can be hacked. 🙄 Edited July 12, 2020 by itman Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted July 12, 2020 Most Valued Members Share Posted July 12, 2020 It's just a useless feature embedded into the BIOS. I'm happy that ESET detects it , and should be classified as MALWARE even though it's legal and used by the these companies. Link to comment Share on other sites More sharing options...
itman 1,746 Posted July 12, 2020 Share Posted July 12, 2020 (edited) Applicable to Dell users is the following from the above linked mydigitallife.net thread: Quote Use DSTCD (dell service tech CD). Change service tag, remove computrace, change service tag back to original. More info on service tag changing here: https://community.spiceworks.com/how_to/1532-how-to-change-dell-service-tag-on-latitude-and-inspirion-laptop and here: https://forums.mydigitallife.net/threads/dell-bios-editing-removing-bios-lock-changing-service-asset-tag-software-here.19369/ Edited July 12, 2020 by itman Link to comment Share on other sites More sharing options...
Recommended Posts