
Chocolatey / 7zip package detected as PUA after recent update Win32/DealPly.VO


qwerty


Today I've noticed a lot of detections of PUAs in relation to a 7zip package we deployed via Chocolatey. It is being detected as Win32/DealPly.VO. However, as far as I'm aware, this package does not actually contain adware.

Detection screenshot attached.

Not a big deal, I will do a remote scan and resolve the threat. However, I wanted to highlight this here as a potential false positive.

 


We are also seeing a lot of Win32/DealPly.VO detections all of a sudden for MSIs that are part of our managed application delivery system (Liquit Software), and they seem to be false positives.


Which specific version of 7zip is it? The versions from the official website do not seem to have this issue.

Update: could you provide the hashes of the objects being detected?

Edited by Jamil-soc

We are also seeing a lot of Win32/DealPly.VO detections.

These are some of the hashes: 

5801F56A22AC5452663AC199BF92429F4A050BFD

D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6

 


  • Administrators

Are you still getting the detection? If so, please post the information about installed ESET modules.

Do you have LiveGrid enabled?


I'm seeing the same on the 7-Zip installers.

7z1900.exe SHA1: 2F23A6389470DB5D0DD2095D64939657D8D3EA9D

7z1900-x64.exe SHA1: 9FA11A63B43F83980E0B48DC9BA2CB59D545A4E8

Module info:

Detection Engine: 23636 (20210716)
Rapid Response module: 18607 (20210716)
Update module: 1023 (20200701)
Antivirus and antispyware scanner module: 1576 (20210616)
Advanced heuristics module: 1207.1 (20210421)
Archive support module: 1320 (20210629)
Cleaner module: 1220.1 (20210702)
Anti-Stealth support module: 1174.1 (20210712)
Firewall module: 1424.1 (20210630)
ESET SysInspector module: 1281.1 (20210407)
Translation support module: 1867 (20210625)
HIPS support module: 1417.4 (20210624)
Internet protection module: 1425 (20210416)
Database module: 1113 (20210624)
Configuration module (39): 1958.3 (20210525)
LiveGrid communication module: 1111 (20210527)
Specialized cleaner module: 1014 (20200129)
Rootkit detection and cleaning module: 1031.1 (20210401)
Network protection module: 1689.1 (20210517)
Script scanner module: 1098 (20210601)
Connected Home Network module: 1042 (20210608)
Cryptographic protocol support module: 1061 (20210510)
Deep behavioral inspection support module: 1115 (20210618)
Advanced Machine Learning module: 1107 (20210601)

 

Edited by TheESETer

ESET Endpoint Antivirus 8.0.2028.0 with LiveGrid enabled
ESET Enterprise Inspector Agent 1.6.1716
ESET Management Agent 8.1.1223.0

 

Module info:
Detection Engine: 23636 (20210716)
Rapid Response module: 18607 (20210716)
Update module: 1023 (20200701)
Antivirus and antispyware scanner module: 1576 (20210616)
Advanced heuristics module: 1207.1 (20210421)
Archive support module: 1320 (20210629)
Cleaner module: 1220.1 (20210702)
Anti-Stealth support module: 1174.1 (20210712)
Firewall module: 1424.1 (20210630)
ESET SysInspector module: 1281.1 (20210407)
Translation support module: 1867 (20210625)
HIPS support module: 1417.4 (20210624)
Internet protection module: 1425 (20210416)
Database module: 1113 (20210624)
Configuration module (39): 1958.3 (20210525)
LiveGrid communication module: 1111 (20210527)
Specialized cleaner module: 1014 (20200129)
Rootkit detection and cleaning module: 1031.1 (20210401)
Network protection module: 1689.1 (20210517)
Script scanner module: 1098 (20210601)
Connected Home Network module: 1042 (20210608)
Cryptographic protocol support module: 1061 (20210510)
Deep behavioral inspection support module: 1115 (20210618)
Advanced Machine Learning module: 1107 (20210601)
Telemetry module: 1063 (20210602)
Security Center integration module: 1031 (20210510)

Edited by Jeffry

Was the Detection engine version 23635 (20210716) at the time of detection? You can check this under detection details in ESET Protect.


Hi there

Detection engine at time of scan/detection: 23635 (20210716)

 

Hashes of objects 7zip related, detected as PUA: 

DD1CB1163C5572951C9CD27F5A8DD550B33C58A4

5801F56A22AC5452663AC199BF92429F4A050BFD

D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6

The PUAs were originally detected during idle state scanning of some machines.

We are now using an updated detection engine, 23637. Unsure if the problem still persists. I marked the issues as resolved and have initiated a re-scan of the machines. I have not added any exception for these objects.

 

 

Edited by qwerty

  • Administrators

You can restore the files from quarantine. It was 7z.sfx which was detected incorrectly as a PUA as a result of refactoring the DealPly PUA detection. The detection was actually temporarily disabled in 23636, but it seems that pico updates have re-enabled it until 23637 was released.


Thank you for the quick update and fix! There was quite a panic when a few thousand of our workstations and laptops reported this detection 🙂 Thank god it was a false positive.

