ForceRecon

Uploaded but still always a false positive


I have submitted these items 100 times from within the ESET program. This has been a false positive since 2017. Is there any chance to get these items allowed by the program so I don't have to look at it any more?


The only way to get rid of this detection is to get a UEFI/BIOS version from Lenovo that doesn't include the Computrace components and re-flash the UEFI/BIOS.


The above files were detected on the C drive according to the screenshot. However, it's unlikely to be an FP and it's most likely Lojack by Absolute Software that Lenovo used to install on laptops.


I understand now. I can get it removed remotely by Computrace themselves. I read someplace that there is a number in the BIOS you can call, have them remove it, and when it dials home it will remove the software and put it back to the original non-Computrace BIOS version.

Or should I leave it on there and just deal with ESET? If ESET does know this is normal, then why inform people of its existence if you have told it not to do anything hundreds of times? I think if I say don't do anything, then it should be intelligent enough to not report it any further, but in the event I said do not report by accident, I should be able to allow it to be shown again.

Just a thought. Thanks again for all the responses. Great to get a quick reply.

3 minutes ago, ForceRecon said:

I can get it removed remotely by Computrace themselves. I read someplace that there is a number in the BIOS you can call, have them remove it, and when it dials home it will remove the software and put it back to the original non-Computrace BIOS version.

Unless Computrace has revised their policies, I wish you luck on this one. By design once Computrace is activated, it cannot be deactivated by anyone including Computrace.


Hello,

As my colleagues @Marcos and @itman noted, the detection of EFI/CompuTrace is a legitimate one and not a false positive.  It looks like the Lenovo ThinkPad P70 has a vulnerable version of that module present, which is what is being detected.

I found a few discussions which might be of use:

I would suggest that you contact Lenovo directly and see if (1) there is a BIOS (UEFI) firmware update that contains a newer version of CompuTrace that isn't vulnerable and install that; or (2) see if there is an option in the BIOS (UEFI) firmware to permanently disable and remove CompuTrace.  Alternately, you can try contacting Absolute Software Corporation, the developer of CompuTrace, and see if they can disable it for you.  If you purchased the Lenovo ThinkPad P70 second-hand, you may have to show them proof of ownership (e.g., a receipt from the seller, eBay and so forth).

Regards,

Aryeh Goretsky

 

12 hours ago, Aryeh Goretsky said:

Bill Morrow's ThinkPads.com Open Forum - What to do if CompuTrace is activated in your TP BIOS

I strongly recommend reading the Kaspersky article referenced in the above: https://securelist.com/absolute-computrace-revisited/58278/ . Note this section: 4. Cases of Unauthorized Activations.

If Computrace/Absolute does not have a record of the device in their database, there is nothing they can do about helping you deactivate it. Hopefully, that is not the case here.

Finally, the article by Bill Morrow notes this:

Quote

No, you can't get rid of Computrace by flashing the BIOS.

This is the first I have heard of this and certainly hope it is not true. It might also only apply to Lenovo ThinkPad products.

16 hours ago, itman said:
Quote

No, you can't get rid of Computrace by flashing the BIOS.

This is the first I have heard of this and certainly hope it is not true. It might also only apply to Lenovo ThinkPad products.

I have tried that with Dell BIOS, I have flashed another BIOS by DELL, and still ESET detected CompuTrace, even though it is disabled on the motherboard.

6 hours ago, Nightowl said:

I have tried that with Dell BIOS, I have flashed another BIOS by DELL, and still ESET detected CompuTrace, even though it is disabled on the motherboard.

Based on what Aryeh posted above, ESET will continue to show the detection as long as Computrace still exists in the UEFI/BIOS. Whether it's disabled or not appears to be immaterial to the detection.

14 minutes ago, itman said:

Based on what Aryeh posted above, ESET will continue to show the detection as long as Computrace still exists in the UEFI/BIOS. Whether it's disabled or not appears to be immaterial to the detection.

Yeah, that Computrace is legal malware :D


Based on what is shown below and applicable to Dell devices, getting rid of Computrace in the UEFI/BIOS requires "specialized knowledge":

Quote

I got a government auction Dell Optiplex 755 desktop with the Computrace BIOS setting locked "on", and tried several ways to wipe or glitch this. Like laptop passwords, the setting is stored in serial EEPROM, the same chip as the BIOS, but the BIOS settings memory blocks are not part of the firmware image. However I did find the solution on this machine:

  • Get BIOS A01, filename O755-A01.EXE, which can be found searching the Dell site (but is not presented as one of the download options on the Optiplex main support page),
  • Make a DOS-bootable USB stick and put this firmware file on it,
  • Open the computer, take the password jumper off and put it on the service mode jumper pins (near ATX power connector),
  • Boot off the USB stick (F12 boot options),
  • Run the command: O755-A01 -wipeall -wipeclean
  • Instead of the normal reboot procedure to install BIOS, EEPROM is immediately erased and the new BIOS loaded,
  • Put the jumper back in its original position,
  • Boot into BIOS and set Computrace to permanent disable,
  • Retype the erased service tag using the BIOS option to do so,
  • Reboot and reload the newest BIOS of your choice (some, like mods from this forum, are Windows-only)

https://forums.mydigitallife.net/threads/computrace-causing-problems-need-help-to-remove-from-bios-phoenix-bios-f-2e.16042/page-3#post-1128698

What I have gleaned from the above is Computrace must be set to "Disabled" in the BIOS. Note this can only be done if it was never activated. Hence the above "gyration" to get the UEFI/BIOS to the point where it can be set to disabled.

Once Computrace is disabled, I believe an update to a UEFI/BIOS version not containing Computrace, via off-line media flashing or in-Windows updating, if available, will succeed. Finally, a UEFI/BIOS version not containing Computrace must be available and provided by the device manufacturer.

Also if Computrace is "permanently" disabled in the UEFI/BIOS as noted in the above procedure:

Quote

Retype the erased service tag using the BIOS option to do so,

I suspect ESET will no longer detect its presence. If it does, then it's a bug on ESET's part. Once Computrace is permanently disabled, it can never again be re-activated, excluding the above hacking method.

Also noteworthy is that government grade anti-theft mechanisms can be hacked. 🙄


It's just a useless feature embedded into the BIOS.

I'm happy that ESET detects it, and it should be classified as MALWARE even though it's legal and used by these companies.


Applicable to Dell users is the following from the above linked mydigitallife.net thread:

Quote

Use DSTCD (dell service tech CD). Change service tag, remove computrace, change service tag back to original.

More info on service tag changing here: https://community.spiceworks.com/how_to/1532-how-to-change-dell-service-tag-on-latitude-and-inspirion-laptop  and here: https://forums.mydigitallife.net/threads/dell-bios-editing-removing-bios-lock-changing-service-asset-tag-software-here.19369/
