Jump to content

Missing efavdrv.sys

NewbyUser
 Share
Go to solution Solved by Marcos,

Recommended Posts

  • Administrators
  • Solution
Marcos

Marcos 4,915

Posted
  • Administrators
  • Solution
Posted

I'm not 100% sure but I recollect that this driver was a part of some ESET stand-alone cleaners. It's not included in ESET security products.

Link to comment
Share on other sites
  • ESET Insiders
NewbyUser

NewbyUser 72

Posted
  • Author
  • ESET Insiders
Posted (edited)

Been using Eset for quite awhile, but I don't recall using any stand alone cleaners, I may have used the Online scanner once or twice. Like itman said I found that it's supposedly tied to ESSP, but since joining Insiders the last few months is the first time I've used this product, I've always used EIS previously.

2021-10-19 (1).png

Edited by NewbyUser
Link to comment
Share on other sites
itman

itman 1,627

Posted
Posted (edited)

What I posted in regards to this driver being used by ESSP was in error.

Referring to your screen shot, you will observe that the reference is to Win XP. Appears that efavdrv.sys was used by Eset Smart Security which was the predecessor version to Eset Internet Security.

Did you download this Eset Cleaner by chance: https://support.eset.com/en/kb3035-how-do-i-use-the-eset-rogue-application-remover-erar ? It may install efavdrv.sys .

However, there appears to be possible malicious versions of this cleaner. Refer to this detailed analysis of one: https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10?environmentId=100 which also installs this driver.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,627

Posted
Posted (edited)

Now this is very interesting.

I downloaded the x(86) Eset Rogue Cleaner app from the Eset web site. I then submitted to Hybrid-Analysis for a scan. The result was a 100/100 malicious verdict: https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10

Eset_Driver.thumb.png.7ee27c453c5f2805da24710830b8f541.png

Edited by itman
Link to comment
Share on other sites
  • ESET Insiders
NewbyUser

NewbyUser 72

Posted
  • Author
  • ESET Insiders
Posted
36 minutes ago, itman said:

Now this is very interesting.

I downloaded the x(86) Eset Rogue Cleaner app from the Eset web site. I then submitted to Hybrid-Analysis for a scan. The result was a 100/100 malicious verdict: https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10

It is explained way it is hitting markers to classify it as malicious, it does a lot of things malware would do.

https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10/58ebda38aac2ed8e4881f64f

Link to comment
Share on other sites
  • ESET Insiders
NewbyUser

NewbyUser 72

Posted
  • Author
  • ESET Insiders
Posted
1 hour ago, itman said:

What I posted in regards to this driver being used by ESSP was in error.

Referring to your screen shot, you will observe that the reference is to Win XP. Appears that efavdrv.sys was used by Eset Smart Security which was the predecessor version to Eset Internet Security.

Did you download this Eset Cleaner by chance: https://support.eset.com/en/kb3035-how-do-i-use-the-eset-rogue-application-remover-erar ? It may install efavdrv.sys .

However, there appears to be possible malicious versions of this cleaner. Refer to this detailed analysis of one: https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10?environmentId=100 which also installs this driver.

Not sure where this file reference comes from then. This laptop was made in 2016, way after WinXP obviously, I don't recall using Rogue App cleaner, I did use Eset online scanner once last year I believe while using Emsisoft, which is the only other AV/AM that's ever been on this laptop once I removed the McCrappy that it came with preinstalled.

Link to comment
Share on other sites
  • ESET Insiders
NewbyUser

NewbyUser 72

Posted
  • Author
  • ESET Insiders
Posted (edited)
4 minutes ago, itman said:

My question is how the hell did Win 10 allow this driver to be installed?

Eset_Cert.thumb.png.6adf24709d7982367f615b810c82b8ee.png

This is ehdrv, which while it is an Eset helper, is not the same file.

https://www.file.net/process/ehdrv.sys.html

Edited by NewbyUser
Link to comment
Share on other sites
itman

itman 1,627

Posted
Posted
2 minutes ago, NewbyUser said:

This is ehdrv, which while it is an Eset helper, is not the same file.

It's the same file. It's listed under different names per VT analysis.

Link to comment
Share on other sites
itman

itman 1,627

Posted
Posted
9 minutes ago, NewbyUser said:

I have ehdrv, it's efavdrv that's missing according to autoruns.

Yikes!

Go to this VT analysis: https://www.virustotal.com/gui/file/f016dbcd2271b28c36240b392987fb80595cdcb82439aa5477a4350a497549e6/details . Mouse click on Details. Scroll down to the Names section.

Link to comment
Share on other sites
  • ESET Insiders
NewbyUser

NewbyUser 72

Posted
  • Author
  • ESET Insiders
Posted
8 minutes ago, itman said:

Yikes!

Go to this VT analysis: https://www.virustotal.com/gui/file/f016dbcd2271b28c36240b392987fb80595cdcb82439aa5477a4350a497549e6/details . Mouse click on Details. Scroll down to the Names section.

Not the same version, I have 10.24.5,  dated 10/17/21, that file analyzed was a year ago and the file was from 11 years ago

Link to comment
Share on other sites
  • ESET Insiders
NewbyUser

NewbyUser 72

Posted
  • Author
  • ESET Insiders
Posted

At any rate, everything works as far as I can tell, so I marked @Marcos post as solving it, so unless he comes up with something else, thanks for everyone's time.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...