qwerty (thread author), posted July 16, 2021:
Today I've noticed a lot of detections of PUAs in relation to a 7zip package we deployed via Chocolatey. It is being detected as Win32/DealPly.VO. However, as far as I'm aware this package does not actually contain adware. Detection screenshot attached. Not a big deal, I will do a remote scan and resolve the threat. However, I wanted to highlight this here as a potential false positive.
Thatwasfun1, posted July 16, 2021:
We are observing the same behavior.
Jeffry, posted July 16, 2021:
We are also seeing a lot of Win32/DealPly.VO detections all of a sudden for MSIs that are part of our managed application delivery system (Liquit Software), and they seem to be false positives.
Jamil-soc, posted July 16, 2021 (edited):
Which specific version of 7zip is it? The versions from the official website do not seem to have this issue.
Update: could you provide the hashes of the objects being detected?
Fernandoo, posted July 16, 2021:
We are also seeing a lot of Win32/DealPly.VO detections. These are some of the hashes:
5801F56A22AC5452663AC199BF92429F4A050BFD
D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6
Jeffry, posted July 16, 2021:
The hash that hits for us is D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6
Marcos (Administrators), posted July 16, 2021:
Are you still getting the detection? If so, please post the information about installed ESET modules. Do you have LiveGrid enabled?
Jeffry, posted July 16, 2021:
Looks like it is related to 7zip: https://www.virustotal.com/gui/file/a7803233eedb6a4b59b3024ccf9292a6fffb94507dc998aa67c5b745d197a5dc/community
TheESETer, posted July 16, 2021 (edited):
I'm seeing the same on the 7-Zip installers.
7z1900.exe SHA1: 2F23A6389470DB5D0DD2095D64939657D8D3EA9D
7z1900-x64.exe SHA1: 9FA11A63B43F83980E0B48DC9BA2CB59D545A4E8

Module info:
Detection Engine: 23636 (20210716)
Rapid Response module: 18607 (20210716)
Update module: 1023 (20200701)
Antivirus and antispyware scanner module: 1576 (20210616)
Advanced heuristics module: 1207.1 (20210421)
Archive support module: 1320 (20210629)
Cleaner module: 1220.1 (20210702)
Anti-Stealth support module: 1174.1 (20210712)
Firewall module: 1424.1 (20210630)
ESET SysInspector module: 1281.1 (20210407)
Translation support module: 1867 (20210625)
HIPS support module: 1417.4 (20210624)
Internet protection module: 1425 (20210416)
Database module: 1113 (20210624)
Configuration module (39): 1958.3 (20210525)
LiveGrid communication module: 1111 (20210527)
Specialized cleaner module: 1014 (20200129)
Rootkit detection and cleaning module: 1031.1 (20210401)
Network protection module: 1689.1 (20210517)
Script scanner module: 1098 (20210601)
Connected Home Network module: 1042 (20210608)
Cryptographic protocol support module: 1061 (20210510)
Deep behavioral inspection support module: 1115 (20210618)
Advanced Machine Learning module: 1107 (20210601)
Jeffry, posted July 16, 2021 (edited):
ESET Endpoint Antivirus 8.0.2028.0 with LiveGrid enabled
ESET Enterprise Inspector Agent 1.6.1716
ESET Management Agent 8.1.1223.0

Module info:
Detection Engine: 23636 (20210716)
Rapid Response module: 18607 (20210716)
Update module: 1023 (20200701)
Antivirus and antispyware scanner module: 1576 (20210616)
Advanced heuristics module: 1207.1 (20210421)
Archive support module: 1320 (20210629)
Cleaner module: 1220.1 (20210702)
Anti-Stealth support module: 1174.1 (20210712)
Firewall module: 1424.1 (20210630)
ESET SysInspector module: 1281.1 (20210407)
Translation support module: 1867 (20210625)
HIPS support module: 1417.4 (20210624)
Internet protection module: 1425 (20210416)
Database module: 1113 (20210624)
Configuration module (39): 1958.3 (20210525)
LiveGrid communication module: 1111 (20210527)
Specialized cleaner module: 1014 (20200129)
Rootkit detection and cleaning module: 1031.1 (20210401)
Network protection module: 1689.1 (20210517)
Script scanner module: 1098 (20210601)
Connected Home Network module: 1042 (20210608)
Cryptographic protocol support module: 1061 (20210510)
Deep behavioral inspection support module: 1115 (20210618)
Advanced Machine Learning module: 1107 (20210601)
Telemetry module: 1063 (20210602)
Security Center integration module: 1031 (20210510)
Jamil-soc, posted July 16, 2021:
Was the Detection engine version 23635 (20210716) at the time of detection? You can check this under detection details in ESET Protect.
Jeffry, posted July 16, 2021:
Yes, detection engine was at 23635 (20210716) at the time of detection.
qwerty (thread author), posted July 16, 2021 (edited):
Hi there,
Detection engine at time of scan/detection: 23635 (20210716)
Hashes of 7zip-related objects detected as PUA:
DD1CB1163C5572951C9CD27F5A8DD550B33C58A4
5801F56A22AC5452663AC199BF92429F4A050BFD
D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6
The PUAs were originally detected during idle-state scanning of some machines. We are now using an updated detection engine, 23637. Unsure if the problem still persists. I marked the issues as resolved and have initiated a re-scan of the machines. I have not added any exception for these objects.
Marcos (Administrators), posted July 16, 2021:
You can restore the files from quarantine. It was 7z.sfx which was detected incorrectly as a PUA as a result of refactoring the DealPly PUA detection. The detection was actually temporarily disabled in 23636, but it seems that pico updates have re-enabled it until 23637 was released.
Jeffry, posted July 17, 2021:
Thank you for the quick update and fix! There was quite a panic when a few thousand of our workstations and laptops reported this detection 🙂 Thank God it was a false positive.