crypt.exe False Positive

[Bob Gunn 0]

We have an internal program that uses crypt.exe to decrypt a downloaded access database file. This exe has hash 2E3B1CA1E54C7E3ADFD5D2205F6F54E93792B9CF and has just recently been flagged by the detection engine with the following Win32/Codeode.A. This file is essential for functioning of our tools. VirusTotal notes that this is only reported as malicious by ESET's detection engine at this time.

[Marcos 5,070]

The tool is detected as a potentially unsafe application. It's not detected with default settings. Pot. unsafe applications cover legit tools that can be misused in the wrong hands. We recommend creating a detection exclusion.

[itman 1,659]

1 hour ago, Bob Gunn said:

VirusTotal notes that this is only reported as malicious by ESET's detection engine at this time.

Nano Antivirus is also detecting it at VT when I just checked. Also VT detections are static ones for the most part. As such, other security solutions might also detect it via dynamic means.

Edited January 29, 2021 by itman

[Bob Gunn 0]

17 hours ago, Marcos said:

The tool is detected as a potentially unsafe application. It's not detected with default settings. Pot. unsafe applications cover legit tools that can be misused in the wrong hands. We recommend creating a detection exclusion.

I have created exceptions for the path and file hash within the remote management center. I can also see these exceptions on affected endpoints, however when I restore the file or reinstall the program, ESET ES still cleans the file by deletion.

[Marcos 5,070]

Please provide logs collected with ESET Log Collector from the client where the tool is detected despite exclusions set.

[Bob Gunn 0]

Marcos, I have sent you logs in a message.

Edited January 29, 2021 by Bob Gunn

[itman 1,659]

Also depending on the parent used to run crypt.exe, its malicious detection rate dramatically increases as noted here: https://www.virustotal.com/gui/file/5f46ba46f76623fcf4facd8fa2acecec1fa985651dd4c3982da7784310c47a90/relations

[Bob Gunn 0]

19 minutes ago, Marcos said:

Please provide logs collected with ESET Log Collector from the client where the tool is detected despite exclusions set.

Apologies, logs are attached now.

ees_logs.zip

[Marcos 5,070]

I would recommend to :

1, Remove all detection exclusions:

Win32/Codeode.A potentially unsafe application  @ C:\Priceforce\crypt.exe
Win32/Codeode.A potentially unsafe application  @ C:\PriceForce\crypt.exe
Win32/Codeode.A potentially unsafe application  @ C:\Priceforce\crypt.exe
Win32/Codeode.A  @ C:\PriceForce\crypt.exe.n$t
Win32/Codeode.A  @ AB4044F356521BD103C68948DB96D9484E8772E4
Win32/Codeode.A  @ https://ne.......ps.com/pf/PFsetup2.exe
Win32/Codeode.A  @ 00B82FC518E720649682A2511946F250CE917377
Win32/Codeode.A  @ C:\Priceforce\crypt.exe

2, In the ESET PROTECT console exclude it everywhere by detection name:

3, Remove all process exclusions. If there's a reason to keep them, we'd like you to elaborate it since process exclusions create potential security holes and should be used with care.

4, Enable LiveGrid feedback system for maximum protection.

5, Consider upgrade to Endpoint v8.

[itman 1,659]

Here's an interesting tidbit.

When I tried to download crypt.exe in FireFox:

the download showed 0 bytes and was indeed empty. Scratching my head a bit, I then noticed that the download icon had a red dot I had never seen before. Opening it showed that Firefox blocked the download since it contained a virus. No alert from FireFox on this one however.

Interestingly, I could download the .zip package w/o issue that contained crypt.exe.

Thanks but no thanks on use of this puppy for anything.

[Bob Gunn 0]

8 minutes ago, itman said:

Thanks but no thanks on use of this puppy for anything.

Were I in control of the policy of its use internally, sure. But the team that has been using this tool for a decade is requiring its use for the time being.