NewbyUser (ESET Insiders), October 19, 2021:
Was this file removed? Seems Autoruns can't find it.

itman, October 19, 2021:
Do you currently have ESSP installed? That driver only exists in that Eset version.

NewbyUser (ESET Insiders, thread author), October 19, 2021:
> itman said: Do you currently have ESSP installed? That driver only exists in that Eset version.
yes

Marcos (Administrator, marked as Solution), October 19, 2021:
I'm not 100% sure but I recollect that this driver was a part of some ESET stand-alone cleaners. It's not included in ESET security products.

NewbyUser (ESET Insiders, thread author), October 19, 2021 (edited):
Been using Eset for quite a while, but I don't recall using any stand-alone cleaners; I may have used the Online Scanner once or twice. Like itman said, I found that it's supposedly tied to ESSP, but since joining Insiders the last few months is the first time I've used this product; I've always used EIS previously.

itman, October 19, 2021 (edited):
What I posted in regards to this driver being used by ESSP was in error. Referring to your screen shot, you will observe that the reference is to Win XP. Appears that efavdrv.sys was used by Eset Smart Security, which was the predecessor version to Eset Internet Security. Did you download this Eset Cleaner by chance: https://support.eset.com/en/kb3035-how-do-i-use-the-eset-rogue-application-remover-erar ? It may install efavdrv.sys. However, there appear to be possible malicious versions of this cleaner. Refer to this detailed analysis of one: https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10?environmentId=100 which also installs this driver.

itman, October 19, 2021 (edited):
Now this is very interesting. I downloaded the x86 Eset Rogue Cleaner app from the Eset web site. I then submitted it to Hybrid-Analysis for a scan. The result was a 100/100 malicious verdict: https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10

NewbyUser (ESET Insiders, thread author), October 19, 2021:
> itman said: Now this is very interesting. I downloaded the x86 Eset Rogue Cleaner app from the Eset web site. I then submitted it to Hybrid-Analysis for a scan. The result was a 100/100 malicious verdict: https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10
It is explained why it is hitting markers to classify it as malicious; it does a lot of things malware would do. https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10/58ebda38aac2ed8e4881f64f

itman, October 19, 2021:
My question is how the hell did Win 10 allow this driver to be installed?

NewbyUser (ESET Insiders, thread author), October 19, 2021:
> itman said: What I posted in regards to this driver being used by ESSP was in error. Referring to your screen shot, you will observe that the reference is to Win XP. Appears that efavdrv.sys was used by Eset Smart Security, which was the predecessor version to Eset Internet Security. Did you download this Eset Cleaner by chance: https://support.eset.com/en/kb3035-how-do-i-use-the-eset-rogue-application-remover-erar ? It may install efavdrv.sys. However, there appear to be possible malicious versions of this cleaner. Refer to this detailed analysis of one: https://www.hybrid-analysis.com/sample/9842097cea0ecf59dbfdc0f9e020049c52bd4ab8c591559b0c9bebf63de3fc10?environmentId=100 which also installs this driver.
Not sure where this file reference comes from then. This laptop was made in 2016, way after WinXP obviously. I don't recall using Rogue App cleaner; I did use Eset Online Scanner once last year, I believe, while using Emsisoft, which is the only other AV/AM that's ever been on this laptop once I removed the McCrappy that it came with preinstalled.

NewbyUser (ESET Insiders, thread author), October 19, 2021 (edited):
> itman said: My question is how the hell did Win 10 allow this driver to be installed?
This is ehdrv, which, while it is an Eset helper, is not the same file. https://www.file.net/process/ehdrv.sys.html

itman, October 19, 2021:
> NewbyUser said: This is ehdrv, which, while it is an Eset helper, is not the same file.
It's the same file. It's listed under different names per VT analysis.
NewbyUser (ESET Insiders, thread author), October 19, 2021:
I have ehdrv; it's efavdrv that's missing according to Autoruns.
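The situation in this post, a driver service entry that Autoruns reports because the file it points to no longer exists, can be reproduced without Autoruns. The following PowerShell is an added example, not code from the thread or from ESET: it walks the driver services under HKLM\SYSTEM\CurrentControlSet\Services and lists the ones whose ImagePath resolves to a file that is missing from disk. It assumes the standard registry layout (Type 1 = kernel driver, 2 = file-system driver; relative ImagePath values are relative to %SystemRoot%); the function name Get-OrphanedDriverEntry is the example's own.

```powershell
# Added example: list driver service entries whose binary is missing from disk,
# i.e. the kind of orphaned entry Autoruns flags. Not code from the thread or from ESET.
function Get-OrphanedDriverEntry {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }

        # Type 1 = kernel driver, 2 = file system driver; user-mode services are skipped
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        if ([string]::IsNullOrWhiteSpace($props.ImagePath)) { continue }

        # Normalise the forms a driver path takes in ImagePath:
        #   \??\C:\path\x.sys        -> C:\path\x.sys
        #   \SystemRoot\System32\... -> <SystemRoot>\System32\...
        #   system32\drivers\x.sys   -> <SystemRoot>\system32\drivers\x.sys
        #   %SystemRoot%\...         -> environment variable expanded
        $path = [Environment]::ExpandEnvironmentVariables($props.ImagePath.Trim('"'))
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', ''
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path -Path $env:SystemRoot -ChildPath $path
        }

        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Start: 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled
            [pscustomobject]@{
                Service   = $key.PSChildName
                ImagePath = $props.ImagePath
                Resolved  = $path
                Start     = $props.Start
            }
        }
    }
}

# Usage: print every driver entry whose file is gone, with its start type
Get-OrphanedDriverEntry | Format-Table -AutoSize
```

An entry in this list is inert as a driver (the kernel cannot load a file that is not there), but it is still a record that something once registered that driver, so the Start value and the original ImagePath are worth keeping when deciding where it came from. As in Autoruns, the usual response once the origin is understood is to remove the stale service key rather than leave a dangling entry behind.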
itman, October 19, 2021:
> NewbyUser said: I have ehdrv; it's efavdrv that's missing according to Autoruns.
Yikes! Go to this VT analysis: https://www.virustotal.com/gui/file/f016dbcd2271b28c36240b392987fb80595cdcb82439aa5477a4350a497549e6/details . Mouse click on Details. Scroll down to the Names section.

NewbyUser (ESET Insiders, thread author), October 19, 2021:
> itman said: Yikes! Go to this VT analysis: https://www.virustotal.com/gui/file/f016dbcd2271b28c36240b392987fb80595cdcb82439aa5477a4350a497549e6/details . Mouse click on Details. Scroll down to the Names section.
Not the same version. I have 10.24.5, dated 10/17/21; that file was analyzed a year ago, and the file was from 11 years ago.

NewbyUser (ESET Insiders, thread author), October 19, 2021:
At any rate, everything works as far as I can tell, so I marked @Marcos' post as solving it, so unless he comes up with something else, thanks for everyone's time.