Suspicious Files Flagged by ESET via Steam Game Autoupdater

[Tetranitrocubane 1]

Hello,

Today I performed a full system scan, and was shocked when ESET (version 13.2.15.0 on Windows 10 x64) reported three detections, where I usually have zero. I hadn't installed any new software recently, so this got me very worried.

Digging into the scan log, it seems that three files were flagged as being 'suspicious objects': 

PhotonUnityNetworking.dll

Unity.Timeline.dll  

UnityEngine.Monetization.dll

All three of these files are associated with the video game "Black Ice" sold through steam. This game has been on my computer for years, and never caused a problem - However, it seems that a recent update to the game occurred, and may be responsible for these files. 

The files were cleaned via deleting automatically when the full scan was executed. I went into the quarantine panel of ESET and submitted each file for analysis via the ESET GUI.

Are these files legitimately dangerous, and could they have done any harm in the time they were active? Or are these potentially false positives?

Thanks much.

[Marcos 5,074]

Please provide logs collected with ESET Log Collector.

[Tetranitrocubane 1]

No problem. Log files attached.

Hopefully these files are only accessible to forum admins and moderators!

eav_logs_Black_Ice.zip

[itman 1,659]

21 hours ago, Tetranitrocubane said:

All three of these files are associated with the video game "Black Ice" sold through steam. This game has been on my computer for years, and never caused a problem - However, it seems that a recent update to the game occurred, and may be responsible for these files. 

Determine if the three files Eset is flagging have been recently updated. If so, submit them to VirusTotal: https://www.virustotal.com/gui/home/upload and see if anyone else there is flagging them.

Edited July 18, 2020 by itman

[Tetranitrocubane 1]

24 minutes ago, itman said:

Determine if the three files Eset is flagging have been recently updated. If so, submit them to VirusTotal: https://www.virustotal.com/gui/home/upload and see if anyone else there is flagging them.

The files were auto-deleted by ESET.

The developer of the software in question did verify, however, that the files were legitimate. I reached out via email.

Edited July 18, 2020 by Tetranitrocubane

[itman 1,659]

28 minutes ago, Tetranitrocubane said:

The files were auto-deleted by ESET.

Actually, they should be in Eset Quarantine and could be restored from there once this is resolved.

Go to Eset Detection log. File hash will be shown for each file Eset detected. You can then search on VT using the file hash.

[Tetranitrocubane 1]

Thanks for the Detection log tip - Though for some reason, the detections aren't in there? I can find the detections in the Scan log, it clearly labels them as suspicious objects and says "Cleaned by deleting" - But there aren't any hashes there. And again, the detection log doesn't have them for some reason, which is odd.

[itman 1,659]

13 hours ago, Tetranitrocubane said:

I can find the detections in the Scan log, it clearly labels them as suspicious objects and says "Cleaned by deleting" - But there aren't any hashes there. And again, the detection log doesn't have them for some reason, which is odd.

You should have posted that the detection's were from off-line scanning and not real-time detection. Eset only logs real-time detection's since the detection details of off-line scans are included within the scan log.

Do this.

Since you feel the files are safe, restore them from Eset Quarrantine. Prior to doing so, note the directories where the files were located since you will have to access them from there. A safer method of restoring from Quarrantine would be to restore the files to your desktop. They can then be moved to their above noted source directories later if you decide to do so.

Now submit each file to VT for a scan. Since these are .dll files, I don't believe Eset real-time scanning will re-detect them again when they are submitted; i.e. copied to the VT web site. If it does, do not proceed further. -EDIT- However, do try to submit each .dll file to VT even if the first is redetected by Eset real-time scanning. This will result in entries in the Eset Detection log that will contain the file hashes needed for file exclusion purposes.

After each file is scanned on VT, open the "details" tab of the scan result. Copy the SHA1 file hash shown and save it in a file; e.g. notepad .txt file, for future use.

Post back results of VT scanning of the files.

Edited July 19, 2020 by itman

[Tetranitrocubane 1]

Thanks for the tips.

Here are the links to each file's VT profile. Each one came back with zero detections - that makes me wonder exactly why ESET flagged these files to begin with?

Could that be a signal of a deeper problem?

Unity.Timeline.dll

PhotonUnityNetworking.dll

UnityEngine.Monetization.dll

[itman 1,659]

The good sign is Eset real-time detection hasn't detected the .dlls so far. Also interesting that they are not detected on VT.

If the files still exist on the desktop (I assume?), run an Eset Context scan; i.e. via Win Explorer, and see if Eset still detects them via off-line scanning.

Edited July 19, 2020 by itman

[Tetranitrocubane 1]

ESET Context scan does not detect any of these files as suspicious or malicious. Though I wonder if definitions might've been updated between Friday when the on-demand scan picked them up, and now?

[itman 1,659]

Pondering Eset's non-detection of these .dlls on VT, I have a strong suspicion of what is going on.

To begin, note that ver. 13.2.15 introduced registry and WMI scanning. I do not believe that new feature is included in the Eset scanner used on VT.

You stated you ran a full system off-line scan which detected these .dlls as suspicious. That scan would have employed the new registry and WMI scanning. A suspicious detection by Eset is usually triggered from real-time behavior means. Check your Eset scan log where the .dll detection's exist and see if there is any reference to registry scanning as the source.

In any case, I believe we might have just observed the first false positive from this new registry scan feature.

16 minutes ago, Tetranitrocubane said:

ESET Context scan does not detect any of these files as suspicious or malicious. Though I wonder if definitions might've been updated between Friday when the on-demand scan picked them up, and now?

This is your call. I personally would just create Eset real-time scanning exclusions by SHA1 hash for the three .dlls in question. Below are the SHA1 hashes for each of the files:

Unity.Timeline.dll                              2cad5da4ef900fc6baab47d0f958ea0899705455

PhotonUnityNetworking.dll            ca4fb30f0dead2a1d9512995a841c86e48f09578

UnityEngine.Monetization.dll         6563b8583549e2e8d58d5c63df27557a0474688c

Then move the .dll files from the desktop to their original source directory locations.

This should prevent future Eset off-line scans which by default employ registry and WMI scanning from detecting them. However, no guaranty on that since it is unknown at this point how registry and WMI scanning actually works. 

 

 

Edited July 19, 2020 by itman

[Marcos 5,074]

It could be that the dlls have been updated in the mean time. Could you please provide current dlls?

[Tetranitrocubane 1]

53 minutes ago, Marcos said:

It could be that the dlls have been updated in the mean time. Could you please provide current dlls?

Hi Marcos. The only DLLs I have were ones that I pulled out of quarantine, so I don't believe they've been updated. I deleted the program after the DLLs were flagged.

The DLLs in question should be in the logs I attached above. I used the ESET log collector as you instructed. Thanks!

[itman 1,659]

48 minutes ago, Marcos said:

It could be that the dlls have been updated in the mean time.

"My money is on" the WMI scanner as the culprit.

We've ruled out signature detection which is the primary off-line detection method.

Games do all kinds of flaky stuff. My guess is the game set a registry startup entry with something like rundll32.exe Unity.Timeline.dll, etc.. A good one to throw a detect on is: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load\*

[Marcos 5,074]

The files were blocked by LiveGrid, we've already unblocked them. However, you wrote "ESET Context scan does not detect any of these files as suspicious or malicious" which would have happened only if the files had been updated, otherwise the statement wouldn't make much sense.

[itman 1,659]

1 minute ago, Marcos said:

However, you wrote "ESET Context scan does not detect any of these files as suspicious or malicious" which would have happened only if the files had been updated, otherwise the statement wouldn't make much sense.

Actually this is proof that the original Eset detection was not by signature or hueristics.

[Tetranitrocubane 1]

4 minutes ago, Marcos said:

The files were blocked by LiveGrid, we've already unblocked them. However, you wrote "ESET Context scan does not detect any of these files as suspicious or malicious" which would have happened only if the files had been updated, otherwise the statement wouldn't make much sense.

I don't know what to say - I restored the DLLs from Quarantine, scanned them via ESET Context scan, and the ESET Context scan did not flag them as malicious. I would presume because ESET's definitions have been updated to unblock the files?

[Marcos 5,074]

2 minutes ago, Tetranitrocubane said:

I don't know what to say - I restored the DLLs from Quarantine, scanned them via ESET Context scan, and the ESET Context scan did not flag them as malicious. I would presume because ESET's definitions have been updated to unblock the files?

It depends on when you scanned them. The hashes were removed from the LiveGrid blacklist about an hour ago, ie. 22:00 CEST.

[Tetranitrocubane 1]

2 minutes ago, Marcos said:

It depends on when you scanned them. The hashes were removed from the LiveGrid blacklist about an hour ago, ie. 22:00 CEST.

Huh. Well, I did scan them around 3 hours ago, I'll confess.

This might lend more credence to itman's theory?

[Marcos 5,074]

If you scanned the dlls before (on July 17 according to your logs) and the dlls hadn't been updated / changed and ESET had not been re-installed (ie. the local cache wasn't cleared), it doesn't make sense why they would not have been detected 3 hours ago.

[Tetranitrocubane 1]

14 minutes ago, Marcos said:

If you scanned the dlls before (on July 17 according to your logs) and the dlls hadn't been updated / changed and ESET had not been re-installed (ie. the local cache wasn't cleared), it doesn't make sense why they would not have been detected 3 hours ago.

I admit I'm out of my depth. 

On Friday the 17th, I returned to my computer to find this in the log file:

ESET auto-deleted and quarantined the files, and my own response was to delete the program entirely out of an abundance of caution. The files have not been altered since then.

Today, when I restored the files from quarantine and scanned them through the windows context menu, I got these outcomes (Scanned one file on it's own, then the other two together - Restored the file to a different folder, because the original location was deleted along with the program):

I don't think there's any possibility that the files themselves were updated at all between scans - The first thing I did upon noticing that the detection had flagged these files as suspicious was start this entire process. The last patch issued for the game would have been on July 15th.

 

I suppose the possibility exists that something foul is going on throughout the system, but unrelated to these files? Subsequent full-system in-depth scans have come back clean, I admit.

Edit: Though notably, the ESET portion of Virus Total didn't flag the files, either, earlier today?

Edited July 19, 2020 by Tetranitrocubane
Updated information - Further update

[Marcos 5,074]

VirusTotal doesn't leverage LiveGrid, hence the files won't be detected there. At this point we can only check your dlls to see if the SHA1 hashes match those you listed earlier. We won't be able to reproduce the detection any more since the files were already removed from the LG blacklist.

[itman 1,659]

14 hours ago, Marcos said:

It depends on when you scanned them. The hashes were removed from the LiveGrid blacklist about an hour ago, ie. 22:00 CEST.

The files were removed from LiveGrid blacklist at 6 PM EST. However, the OP did the context scan at 10:37 AM EST. Therefore at the time the files were context scan, the files were still blacklisted by LiveGrid.

This brings up the question if LiveGrid is employed in Eset off-line scanning excluding registry and WMI scanning. Per the above, it obviously does not. It does however appear that LiveGrid is employed when needed when registry and WMI is deployed via off-line scanning. This sounds reasonable to me in that registry scanning is checking file execution references; hopefully from areas known to be abused by malware. Therefore I am sticking with my contention that the originally .dll detections were the result of off-line scanning where registry scanning is invoked by default.

[Tetranitrocubane 1]

I admit I'm a touch confused and unsure of what's responsible for the detection/lack of detection based on time. 

However, I do want to thank you both for your insight and your explanations, as well as your analysis!

Just to be fairly sure about this, though: At any point were these DLLs malicious, or was this indeed a false positive?