Jump to content

Process Explorer detected


Recommended Posts

Hello.

Would this be FP?

E52B94DF2AF81D5DF3FB1CFB141EDBA3CC41D8B8

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

I`m unable to download, detected as:

Uniform Resource Identifier (URI)
file:///C:/Windows/system32/drivers/PROCEXP152.SYS

Name
Win64/ProcessExplorer.A

Detection Type
Potentially unsafe application

This is new for me...

Link to comment
Share on other sites

  • Administrators

If you use Process Explorer deliberately, you can create a detection exclusion for the driver.

Link to comment
Share on other sites

5 hours ago, Gregecslo said:

Would this be FP?

E52B94DF2AF81D5DF3FB1CFB141EDBA3CC41D8B8

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

I downloaded this archive and it scanned as clean by Eset:

Eset_PE.png.99403569d4f84caeecefe9d2bcc3118b.png

After archive extraction, I ran procexp64.exe w/o any Eset issues with it.

Submit your PE download to https://www.virustotal.com/gui/home/upload and see if anything there detects it as malicious/PUA/etc..

Edited by itman
Link to comment
Share on other sites

OK only my pc is not detecting it, tried on 10 different ones and all detect it.

Now I`m confused, I have same policy applied, no exclusions and it fails to detect...

Link to comment
Share on other sites

So I tried:

1. Same folder eicar = got detected and deleted
2. Same folder real malware = got detected and deleted
3. Same folder procexe sys = NOT detected

So I suppose real-time protectrion IS working, but not detecting sys file at all.

Then I uninstalled EEA, rebooted and reinstalled. PC was in te same group, so same config was applied.

After modules updated, I again tried with sys file and:

Threat type: Potentially unsafe application
Threat name: Win64/ProcessExplorer.A
Scanner: Real‑time file system protection
Action performed: Cleaned by deleting

Can someone explain me this?

I`m unable to :)

Link to comment
Share on other sites

Posted (edited)

This one is to blame: https://www.virustotal.com/gui/file/0e76203802a524becd00392518a1b9cea5e6cddb8a6cf1b43dca4290f67c0305/details

It`s original process explorer but earlier version and it`s detected by ESET (even if VT show it`s not).

This one creates the SYS driver and puts it into system32\drivers folder.

Newer versions don`t do this...

Edited by Gregecslo
Link to comment
Share on other sites

3 hours ago, Gregecslo said:

Newer versions don`t do this...

Open the latest version with Admin privileges. It will then create C:/Windows/system32/drivers/PROCEXP152.SYS.

Link to comment
Share on other sites

13 minutes ago, itman said:

Open the latest version with Admin privileges. It will then create C:/Windows/system32/drivers/PROCEXP152.SYS.

True. But it`s not detected.
Do the same thing with older version = detected and deleted

I think that detection was made for older versions or sth like that.

Maybe correlated to HermeticWiper (like using legit driver to do bad stuff).

I don`t know, only ESET can confirm this.

Link to comment
Share on other sites

2 hours ago, Gregecslo said:

Do the same thing with older version = detected and deleted

I was previously using PE ver. 16.31 dating to 2/10/2020 w/o a peep from Eset.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...