Gregecslo, posted March 2, 2022

Hello. Would this be an FP? E52B94DF2AF81D5DF3FB1CFB141EDBA3CC41D8B8
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

I'm unable to download; it is detected as:
Uniform Resource Identifier (URI): file:///C:/Windows/system32/drivers/PROCEXP152.SYS
Name: Win64/ProcessExplorer.A
Detection Type: Potentially unsafe application

This is new for me...
Marcos (Administrator), posted March 2, 2022

If you use Process Explorer deliberately, you can create a detection exclusion for the driver.
itman, posted March 2, 2022 (edited March 2, 2022 by itman)

5 hours ago, Gregecslo said: Would this be an FP? E52B94DF2AF81D5DF3FB1CFB141EDBA3CC41D8B8 https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

I downloaded this archive and it scanned as clean by ESET:

After archive extraction, I ran procexp64.exe without any ESET issues with it.

Submit your PE download to https://www.virustotal.com/gui/home/upload and see if anything there detects it as malicious/PUA/etc.
Gregecslo (author), posted March 2, 2022

The detected sys was: https://www.virustotal.com/gui/file/de8c232652527045b3c9e1ea719d4981bd919e5e4624720d2f8448c908d337e2

It wasn't detected 5 hours ago on VT and it isn't now. But ESET on my server is still detecting it... It's not malware...
Gregecslo (author), posted March 2, 2022

Also detected: https://www.virustotal.com/gui/file/cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc

But funny thing: the latest Server V8 detects it, the latest Endpoint does not. Both have the same settings applied in regard to PUA.
Gregecslo (author), posted March 2, 2022

Found out that I copied this file from my PC desktop to my server desktop (via RDP): https://www.virustotal.com/gui/file/cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc

EEA is quiet while Server Security deletes it. I haven't seen such behavior until today.
Gregecslo (author), posted March 2, 2022

OK, only my PC is not detecting it; I tried on 10 different ones and all detect it. Now I'm confused: I have the same policy applied, no exclusions, and it fails to detect...
Gregecslo (author), posted March 2, 2022

So I tried:
1. Same folder, eicar = got detected and deleted
2. Same folder, real malware = got detected and deleted
3. Same folder, procexp sys = NOT detected

So I suppose real-time protection IS working, but not detecting the sys file at all.

Then I uninstalled EEA, rebooted and reinstalled. The PC was in the same group, so the same config was applied. After the modules updated, I tried again with the sys file and:

Threat type: Potentially unsafe application
Threat name: Win64/ProcessExplorer.A
Scanner: Real-time file system protection
Action performed: Cleaned by deleting

Can someone explain this to me? I'm unable to
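The three-step check in the post above (EICAR in the folder first, then the driver file beside it), written up as an added Python helper; this is not code from the thread or from ESET. It assumes a folder watched by the real-time scanner, uses the EICAR test file with its published SHA-256, and builds the same VirusTotal report URL form the thread links to.

```python
import hashlib
import tempfile
import time
from pathlib import Path

# EICAR test string, split in two so this script file is not itself quarantined before it runs.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Published SHA-256 of the 68-byte EICAR file (no trailing newline).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

def file_hashes(path):
    """Return (sha1, sha256) lowercase hex digests of a file, read in 64 KiB chunks."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()

def virustotal_url(sha256_hex):
    """Same report URL form the thread links to."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex.lower()}"

def write_eicar(folder=None):
    """Drop eicar.com into folder (a fresh temp dir if None) and return its Path."""
    folder = Path(folder) if folder else Path(tempfile.mkdtemp())
    path = folder / "eicar.com"
    path.write_bytes(EICAR.encode("ascii"))
    return path

def still_present(path, wait_seconds=5.0, poll=0.5):
    """True if the file (a Path) survives the wait. A working real-time scanner removes
    or quarantines eicar.com within seconds; a candidate that survives was not detected."""
    deadline = time.monotonic() + wait_seconds
    while path.exists() and time.monotonic() < deadline:
        time.sleep(poll)
    return path.exists()

def realtime_check(candidate, wait_seconds=5.0):
    """The thread's test: EICAR first (is the scanner watching this folder?), then the
    candidate file beside it. Returns a dict to log or assert on."""
    candidate = Path(candidate)
    eicar_path = write_eicar(candidate.parent)
    result = {"scanner_removed_eicar": not still_present(eicar_path, wait_seconds),
              "candidate_still_present": still_present(candidate, wait_seconds)}
    if result["candidate_still_present"]:   # undetected: record hashes for a VT lookup
        sha1, sha256 = file_hashes(candidate)
        result.update(sha1=sha1, sha256=sha256, virustotal=virustotal_url(sha256))
    return result
```

Call realtime_check(r"C:\path\to\PROCEXP152.SYS") (placeholder path) on the machine that behaves differently; if scanner_removed_eicar comes back False, the folder is excluded or protection is off, which is a different problem from the driver itself not being flagged.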
Gregecslo (author), posted March 2, 2022 (edited March 2, 2022 by Gregecslo)

This one is to blame: https://www.virustotal.com/gui/file/0e76203802a524becd00392518a1b9cea5e6cddb8a6cf1b43dca4290f67c0305/details

It's the original Process Explorer but an earlier version, and it's detected by ESET (even if VT shows it's not). This one creates the SYS driver and puts it into the system32\drivers folder. Newer versions don't do this...
itman, posted March 2, 2022

3 hours ago, Gregecslo said: Newer versions don't do this...

Open the latest version with Admin privileges. It will then create C:/Windows/system32/drivers/PROCEXP152.SYS.
Gregecslo (author), posted March 2, 2022

13 minutes ago, itman said: Open the latest version with Admin privileges. It will then create C:/Windows/system32/drivers/PROCEXP152.SYS.

True. But it's not detected. Do the same thing with the older version = detected and deleted.

I think that the detection was made for older versions or something like that. Maybe correlated to HermeticWiper (like using a legit driver to do bad stuff). I don't know; only ESET can confirm this.
itman, posted March 2, 2022

2 hours ago, Gregecslo said: Do the same thing with the older version = detected and deleted

I was previously using PE ver. 16.31 dating to 2/10/2020 without a peep from ESET.