Process Explorer detected

Hello.

Would this be FP?

E52B94DF2AF81D5DF3FB1CFB141EDBA3CC41D8B8

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

I'm unable to download it; it is detected as:

Uniform Resource Identifier (URI)
file:///C:/Windows/system32/drivers/PROCEXP152.SYS

Name
Win64/ProcessExplorer.A

Detection Type
Potentially unsafe application

This is new for me...

5 hours ago, Gregecslo said:

Would this be FP?

E52B94DF2AF81D5DF3FB1CFB141EDBA3CC41D8B8

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

I downloaded this archive and it scanned as clean by Eset:

[screenshot: Eset scan result for the Process Explorer archive]

After archive extraction, I ran procexp64.exe w/o any Eset issues with it.

Submit your PE download to https://www.virustotal.com/gui/home/upload and see if anything there detects it as malicious/PUA/etc..

Found out that I copied from my PC desktop to my server desktop (via RDP) this file: https://www.virustotal.com/gui/file/cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc

EEA is quiet while Server security deletes it.

I haven't seen such behavior until today.

OK, only my PC is not detecting it; I tried on 10 different ones and all detect it.

Now I'm confused: I have the same policy applied, no exclusions, and it fails to detect...

So I tried:

1. Same folder, EICAR = got detected and deleted
2. Same folder, real malware = got detected and deleted
3. Same folder, procexp sys = NOT detected

So I suppose real-time protection IS working, but it is not detecting the sys file at all.

Then I uninstalled EEA, rebooted and reinstalled. The PC was in the same group, so the same config was applied.

After the modules updated, I again tried with the sys file and:

Threat type: Potentially unsafe application
Threat name: Win64/ProcessExplorer.A
Scanner: Real‑time file system protection
Action performed: Cleaned by deleting

Can someone explain this to me?

I'm unable to :)

This one is to blame: https://www.virustotal.com/gui/file/0e76203802a524becd00392518a1b9cea5e6cddb8a6cf1b43dca4290f67c0305/details

It's the original Process Explorer but an earlier version, and it's detected by ESET (even if VT shows it's not).

This one creates the SYS driver and puts it into system32\drivers folder.

Newer versions don't do this...

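The thread boils down to a triage question: which Process Explorer build dropped the PROCEXP152.SYS driver, and does it match the hashes that were flagged? The helper below is an added example, not code from the thread, from ESET or from Sysinternals. It hashes a file (SHA-1 and SHA-256) and compares it against the three hashes posted in this thread, and it reads the PE COFF header TimeDateStamp so an older build can be told apart from a newer one without relying on the file name. The `KNOWN_HASHES` labels are the thread's own descriptions; the driver name pattern `PROCEXP*.SYS`, the `triage_*` function names and the constructed PE stub used in `demo()` are assumptions made for this example.

```python
import hashlib
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hashes as posted in this thread (lowercased). The labels are the posters' own
# descriptions of the files; nothing here is an ESET or Sysinternals identifier.
KNOWN_HASHES = {
    "e52b94df2af81d5df3fb1cfb141edba3cc41d8b8":
        "hash posted in the first message of the thread (SHA-1)",
    "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc":
        "file copied via RDP that Server Security deleted (SHA-256)",
    "0e76203802a524becd00392518a1b9cea5e6cddb8a6cf1b43dca4290f67c0305":
        "older Process Explorer build flagged as Win64/ProcessExplorer.A (SHA-256)",
}


def file_hashes(data: bytes) -> dict:
    """Return lowercase SHA-1 and SHA-256 hex digests of a byte string."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_timestamp(data: bytes):
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime.

    Returns None when the bytes do not carry an MZ header, a valid e_lfanew
    and a "PE\\0\\0" signature. The stamp is the linker's build time and is a
    cheap way to distinguish driver builds that share a file name.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage_bytes(data: bytes) -> dict:
    """Hash the bytes, look them up against the thread's hashes, extract the PE build time."""
    hashes = file_hashes(data)
    label = KNOWN_HASHES.get(hashes["sha1"]) or KNOWN_HASHES.get(hashes["sha256"])
    ts = pe_timestamp(data)
    return {**hashes, "known_as": label, "pe_timestamp": ts.isoformat() if ts else None}


def triage_drivers(drivers_dir: str, pattern: str = "PROCEXP*.SYS") -> list:
    """Triage every file in drivers_dir matching the (assumed) Process Explorer driver name pattern."""
    results = []
    for path in sorted(Path(drivers_dir).glob(pattern)):
        entry = triage_bytes(path.read_bytes())
        entry["path"] = str(path)
        results.append(entry)
    return results


def constructed_pe_stub(stamp: int) -> bytes:
    """Constructed sample: a minimal MZ/PE header carrying the given TimeDateStamp.

    This is not a real driver; it exists only so the example runs offline.
    """
    buf = bytearray(0x60)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x48, stamp)     # COFF TimeDateStamp
    return bytes(buf)


def demo() -> list:
    """Write a constructed stub named like the driver into a temp dir and triage it."""
    tmp = tempfile.mkdtemp()
    Path(tmp, "PROCEXP152.SYS").write_bytes(constructed_pe_stub(1581292800))  # 2020-02-10T00:00:00Z
    Path(tmp, "unrelated.sys").write_bytes(b"not a process explorer driver")
    return triage_drivers(tmp)


if __name__ == "__main__":
    import sys
    # Real use: python triage.py C:\Windows\System32\drivers
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for entry in (triage_drivers(target) if target else demo()):
        print(entry)
```

Run it against `C:\Windows\System32\drivers` on a machine where Process Explorer has been started elevated; an entry whose `known_as` is set matches one of the hashes discussed here, and the `pe_timestamp` tells you whether the driver came from an old or a recent build regardless of what the file is called.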

3 hours ago, Gregecslo said:

Newer versions don't do this...

Open the latest version with Admin privileges. It will then create C:/Windows/system32/drivers/PROCEXP152.SYS.

13 minutes ago, itman said:

Open the latest version with Admin privileges. It will then create C:/Windows/system32/drivers/PROCEXP152.SYS.

True. But it's not detected.
Do the same thing with the older version = detected and deleted

I think that detection was made for older versions or something like that.

Maybe correlated to HermeticWiper (like using legit driver to do bad stuff).

I don't know, only ESET can confirm this.

2 hours ago, Gregecslo said:

Do the same thing with the older version = detected and deleted

I was previously using PE ver. 16.31 dating to 2/10/2020 w/o a peep from Eset.
