
crypt.exe False Positive


Solved by Marcos

We have an internal program that uses crypt.exe to decrypt a downloaded Access database file. This exe has hash 2E3B1CA1E54C7E3ADFD5D2205F6F54E93792B9CF and has just recently been flagged by the detection engine with the following: Win32/Codeode.A. This file is essential for the functioning of our tools. VirusTotal notes that this is only reported as malicious by ESET's detection engine at this time.

  • Administrators

The tool is detected as a potentially unsafe application. It's not detected with default settings. Pot. unsafe applications cover legit tools that can be misused in the wrong hands. We recommend creating a detection exclusion.

1 hour ago, Bob Gunn said:

VirusTotal notes that this is only reported as malicious by ESET's detection engine at this time.

Nano Antivirus is also detecting it at VT when I just checked. Also VT detections are static ones for the most part. As such, other security solutions might also detect it via dynamic means.

Edited by itman
17 hours ago, Marcos said:

The tool is detected as a potentially unsafe application. It's not detected with default settings. Pot. unsafe applications cover legit tools that can be misused in the wrong hands. We recommend creating a detection exclusion.

I have created exceptions for the path and file hash within the remote management center. I can also see these exceptions on the affected endpoints; however, when I restore the file or reinstall the program, ESET ES still cleans the file by deletion.

  • Administrators
  • Solution

I would recommend to:

1. Remove all detection exclusions:

Win32/Codeode.A potentially unsafe application  @ C:\Priceforce\crypt.exe
Win32/Codeode.A potentially unsafe application  @ C:\PriceForce\crypt.exe
Win32/Codeode.A potentially unsafe application  @ C:\Priceforce\crypt.exe
Win32/Codeode.A  @ C:\PriceForce\crypt.exe.n$t
Win32/Codeode.A  @ AB4044F356521BD103C68948DB96D9484E8772E4
Win32/Codeode.A  @ https://ne.......ps.com/pf/PFsetup2.exe
Win32/Codeode.A  @ 00B82FC518E720649682A2511946F250CE917377
Win32/Codeode.A  @ C:\Priceforce\crypt.exe

2. In the ESET PROTECT console, exclude it everywhere by detection name.

3. Remove all process exclusions. If there's a reason to keep them, we'd like you to elaborate on it, since process exclusions create potential security holes and should be used with care.

4. Enable the LiveGrid feedback system for maximum protection.

5. Consider upgrading to Endpoint v8.


Here's an interesting tidbit.

When I tried to download crypt.exe in Firefox, the download showed 0 bytes and was indeed empty. Scratching my head a bit, I then noticed that the download icon had a red dot I had never seen before. Opening it showed that Firefox had blocked the download since it contained a virus. No alert from Firefox on this one, however.

Interestingly, I could download the .zip package w/o issue that contained crypt.exe.

Thanks but no thanks on use of this puppy for anything.

8 minutes ago, itman said:

Thanks but no thanks on use of this puppy for anything.

Were I in control of the policy of its use internally, sure. But the team that has been using this tool for a decade is requiring its use for the time being.
