Bob Gunn, posted January 28, 2021:
We have an internal program that uses crypt.exe to decrypt a downloaded Access database file. This exe has hash 2E3B1CA1E54C7E3ADFD5D2205F6F54E93792B9CF and has just recently been flagged by the detection engine with the following detection: Win32/Codeode.A. This file is essential for the functioning of our tools. VirusTotal notes that this is only reported as malicious by ESET's detection engine at this time.
Marcos (Administrator), posted January 28, 2021:
The tool is detected as a potentially unsafe application. It's not detected with default settings. Pot. unsafe applications cover legit tools that can be misused in the wrong hands. We recommend creating a detection exclusion.
itman, posted January 29, 2021 (edited):
1 hour ago, Bob Gunn said: "VirusTotal notes that this is only reported as malicious by ESET's detection engine at this time."
Nano Antivirus is also detecting it at VT when I just checked. Also, VT detections are static ones for the most part. As such, other security solutions might also detect it via dynamic means.
Edited January 29, 2021 by itman
Bob Gunn (Author), posted January 29, 2021:
17 hours ago, Marcos said: "The tool is detected as a potentially unsafe application. It's not detected with default settings. Pot. unsafe applications cover legit tools that can be misused in the wrong hands. We recommend creating a detection exclusion."
I have created exceptions for the path and file hash within the remote management center. I can also see these exceptions on affected endpoints; however, when I restore the file or reinstall the program, ESET ES still cleans the file by deletion.
Marcos (Administrator), posted January 29, 2021:
Please provide logs collected with ESET Log Collector from the client where the tool is detected despite exclusions set.
Bob Gunn (Author), posted January 29, 2021 (edited):
Marcos, I have sent you logs in a message.
Edited January 29, 2021 by Bob Gunn
itman, posted January 29, 2021:
Also, depending on the parent used to run crypt.exe, its malicious detection rate dramatically increases, as noted here: https://www.virustotal.com/gui/file/5f46ba46f76623fcf4facd8fa2acecec1fa985651dd4c3982da7784310c47a90/relations
Bob Gunn (Author), posted January 29, 2021:
19 minutes ago, Marcos said: "Please provide logs collected with ESET Log Collector from the client where the tool is detected despite exclusions set."
Apologies, logs are attached now. (Attachment: ees_logs.zip)
Marcos (Administrator), posted January 29, 2021 (marked as Solution):
I would recommend to:
1. Remove all detection exclusions:
   Win32/Codeode.A potentially unsafe application @ C:\Priceforce\crypt.exe
   Win32/Codeode.A potentially unsafe application @ C:\PriceForce\crypt.exe
   Win32/Codeode.A potentially unsafe application @ C:\Priceforce\crypt.exe
   Win32/Codeode.A @ C:\PriceForce\crypt.exe.n$t
   Win32/Codeode.A @ AB4044F356521BD103C68948DB96D9484E8772E4
   Win32/Codeode.A @ https://ne.......ps.com/pf/PFsetup2.exe
   Win32/Codeode.A @ 00B82FC518E720649682A2511946F250CE917377
   Win32/Codeode.A @ C:\Priceforce\crypt.exe
2. In the ESET PROTECT console, exclude it everywhere by detection name.
3. Remove all process exclusions. If there's a reason to keep them, we'd like you to elaborate on it, since process exclusions create potential security holes and should be used with care.
4. Enable the LiveGrid feedback system for maximum protection.
5. Consider upgrading to Endpoint v8.
itman, posted January 29, 2021:
Here's an interesting tidbit. When I tried to download crypt.exe in Firefox, the download showed 0 bytes and was indeed empty. Scratching my head a bit, I then noticed that the download icon had a red dot I had never seen before. Opening it showed that Firefox blocked the download since it contained a virus. No alert from Firefox on this one, however. Interestingly, I could download the .zip package that contained crypt.exe without issue. Thanks but no thanks on use of this puppy for anything.
Bob Gunn (Author), posted January 29, 2021:
8 minutes ago, itman said: "Thanks but no thanks on use of this puppy for anything."
Were I in control of the policy of its use internally, sure. But the team that has been using this tool for a decade is requiring its use for the time being.