Jump to content

Threat removed popup

jlhatsfs

By jlhatsfs
in Malware Finding and Cleaning

 Share

Recommended Posts

jlhatsfs

jlhatsfs 0

Posted
Posted

I am running ESET Internet Security v13.2.18.0. I have developed a C# application that makes calls to a Fortran DLL that I also developed. Each time I start the C# application, a ESET popup message appears as follows:

Threat removed

A threat (Suspicious) was found in a file that MSBuild.exe tried to access.

The file has been deleted.

When I click on file, it points to the DLL file in a directory in which the indicated file does not exist. I do have in in other directories and when I run a ESET scan on it, no problems are reported. Can you tell me what might be going on here? Thanks for your help.

Jerry Horsewood

Link to comment
Share on other sites
jlhatsfs

jlhatsfs 0

Posted
  • Author
Posted

I believe I know what is happening, but not why. I'm running my application in debug mode with Visual Studio 2017. That automatically compiles the application in the debug folder and collects the resources (including the DLL file) into that folder before running. ESET then checks the folder before execution and deletes the DLL file, even though a scan detects no problems. I hope you can help. Thanks.

eis_logs.zip

Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted (edited)
1 hour ago, jlhatsfs said:

Here is the Eset Detection log report.

eis_threat_logs.zipUnavailable

I need you to copy the Detection log entry; not the entire log, and post it into a forum reply. Only Eset moderators can read forum attachments.

Edited by itman
Link to comment
Share on other sites
jlhatsfs

jlhatsfs 0

Posted
  • Author
Posted

That is correct. I just ran the application and there was no detection. The file now appears in the directory from which it was previously deleted. I then ran a scan on that file and it reported no detections as expected. The one thing different is that it said it used Detection Engine 21941. Previous scans used Detection Engine 21940. Was there a problem with the previous engine that caused the problem?

Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted (edited)
1 hour ago, jlhatsfs said:

@itman - I don't know what the Detection Log entry is that you refer to. Is it the report from the scan? A text file on my computer?

Open Eset GUI. Select Tools -> More Tools -> Log Files -> Detections. In that log should be an entry related to this MSBuild.exe file access detection. Right mouse click on the entry and select "Copy." The paste it into your next forum reply.

Edited by itman
Link to comment
Share on other sites
jlhatsfs

jlhatsfs 0

Posted
  • Author
Posted

OK, here it is.

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/4/2020 7:30:55 PM;Real-time file system protection;file;C:\Users\Jerry\Documents\Visual Studio 2017\Projects\MAnE\Exec\Mission Analysis Environment\bin\x86\debug\OrbitRel.dll;Suspicious Object;cleaned by deleting;SFS-HOME\Jerry;Event occurred on a new file created by the application: C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\MSBuild.exe (4547B24DB7A512B1F9A6E2ED0DCB7E7FEE0A9E24).;907C4C27F2F3110781DE9D2DF901C0826238FFA2;8/4/2020 11:27:20 PM
 

Link to comment
Share on other sites
itman

itman 1,538

Posted
Posted (edited)

Interesting.

The issue I see here and of question is why your Visual Studio projects are being stored in C:\Users\Jerry\Documents? That is certainly not a place where executable's; note a .dll is an executable, should be stored.

Note that MSBuild.exe is one of the trusted Win processes abused by hackers. For more details on how this is being done, read this article: https://www.hackingarticles.in/bypass-application-whitelisting-using-msbuild-exe-multiple-methods/ . It seems more than reasonable to me that Eset would detect a .dll created by MSBuild.exe being dropped to the Documents folder as suspicious activity. Also, it is uplifting to see that MSBuild.exe is being actively monitored by Eset.👍

Edited by itman
Link to comment
Share on other sites
jlhatsfs

jlhatsfs 0

Posted
  • Author
Posted

This is the default structure for Visual Studio projects. A project is developed in the User's Documents folder to keep them separate from other users on the computer. Debugging is done from the folder that was causing the problem. Once the application is finalized, the application .exe is built in a Release folder and the installer installs the release version on a target computer in a structure defined by the developer. I routinely install in a subfolder of the Program Files folder. User specific input and output data from the application is stored back in a subfolder of the user's Documents folder to keep them separate from the data of other user's and to assure that they are backed up by normal backups.

BTW, the problem has stopped occurring. I suspect that the change of Detection Engine corrected the problem. @Marcos has not verified this, though.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...