Process Explorer detected


Hello.

Would this be FP?

E52B94DF2AF81D5DF3FB1CFB141EDBA3CC41D8B8

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

I'm unable to download it; it's detected as:

Uniform Resource Identifier (URI)
file:///C:/Windows/system32/drivers/PROCEXP152.SYS

Name
Win64/ProcessExplorer.A

Detection Type
Potentially unsafe application

This is new for me...


  • Administrators

If you use Process Explorer deliberately, you can create a detection exclusion for the driver.


5 hours ago, Gregecslo said:

Would this be FP?

E52B94DF2AF81D5DF3FB1CFB141EDBA3CC41D8B8

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

I downloaded this archive and it scanned as clean by Eset:

[screenshot: ESET scan result for the Process Explorer archive]

After extracting the archive, I ran procexp64.exe without any Eset issues with it.

Submit your PE download to https://www.virustotal.com/gui/home/upload and see if anything there detects it as malicious/PUA/etc.

Edited by itman

OK, only my PC is not detecting it; I tried on 10 different ones and all of them detect it.

Now I'm confused: I have the same policy applied, no exclusions, and it fails to detect...


So I tried:

1. Same folder, eicar = got detected and deleted
2. Same folder, real malware = got detected and deleted
3. Same folder, procexp sys = NOT detected

So I suppose real-time protection IS working, but it is not detecting the sys file at all.

Then I uninstalled EEA, rebooted and reinstalled. The PC was in the same group, so the same config was applied.

After modules updated, I again tried with sys file and:

Threat type: Potentially unsafe application
Threat name: Win64/ProcessExplorer.A
Scanner: Real‑time file system protection
Action performed: Cleaned by deleting

Can someone explain this to me?

I'm unable to :)


This one is to blame: https://www.virustotal.com/gui/file/0e76203802a524becd00392518a1b9cea5e6cddb8a6cf1b43dca4290f67c0305/details

It's the original Process Explorer but an earlier version, and it's detected by ESET (even if VT shows it's not).

This one creates the SYS driver and puts it into the system32\drivers folder.

Newer versions don't do this...

Edited by Gregecslo

3 hours ago, Gregecslo said:

Newer versions don't do this...

Open the latest version with Admin privileges. It will then create C:/Windows/system32/drivers/PROCEXP152.SYS.


13 minutes ago, itman said:

Open the latest version with Admin privileges. It will then create C:/Windows/system32/drivers/PROCEXP152.SYS.

True. But it's not detected.
Do the same thing with the older version = detected and deleted.

I think that detection was made for older versions or something like that.

Maybe it is correlated to HermeticWiper (like using a legit driver to do bad stuff).

I don't know; only ESET can confirm this.

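For anyone reproducing the comparison above on their own machine, the following is an added triage script, not code from the thread or from Sysinternals. It reports whether the PROCEXP152.SYS driver named in this thread is present, whether it is currently loaded, its file version and Authenticode signature status, and whether its SHA-1/SHA-256 match the two hash values quoted in the thread (the thread does not say which file each hash belongs to, so a non-match on its own proves nothing). It assumes an elevated Windows PowerShell 5.1 or later session; the function name and the output field names are this example's own.

```powershell
# Added example (not from the forum thread or from Sysinternals): local triage of
# the driver that Process Explorer drops when run elevated.
# Assumption: run from an elevated PowerShell 5.1+ session on the affected host.

$DriverPath = 'C:\Windows\System32\drivers\PROCEXP152.SYS'

# Hash values quoted in this thread: the SHA-1 from the first post and the
# SHA-256 from the VirusTotal link in the later post (older Process Explorer build).
$KnownSha1   = 'E52B94DF2AF81D5DF3FB1CFB141EDBA3CC41D8B8'
$KnownSha256 = '0e76203802a524becd00392518a1b9cea5e6cddb8a6cf1b43dca4290f67c0305'

function Get-ProcExpDriverReport {
    param([string]$Path = $DriverPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Nothing on disk: either Process Explorer was never run elevated here,
        # or real-time protection already removed the file (as the thread describes).
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $item   = Get-Item -LiteralPath $Path
    $sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    # Is a kernel driver with this image path currently registered/running?
    # Matching on the path avoids assuming the service name.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*PROCEXP*' } |
        Select-Object -First 1

    [pscustomobject]@{
        Path                = $Path
        Present             = $true
        SizeBytes           = $item.Length
        LastWriteUtc        = $item.LastWriteTimeUtc
        FileVersion         = $item.VersionInfo.FileVersion
        SHA1                = $sha1
        SHA256              = $sha256
        MatchesThreadSha1   = ($sha1   -eq $KnownSha1)    # -eq is case-insensitive
        MatchesThreadSha256 = ($sha256 -eq $KnownSha256)
        SignatureStatus     = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
        Signer              = $sig.SignerCertificate.Subject
        DriverRegistered    = [bool]$drv
        DriverState         = if ($drv) { $drv.State } else { 'not registered' }
    }
}

Get-ProcExpDriverReport | Format-List
```

Run it once before launching Process Explorer elevated and once after; the `Present`/`DriverRegistered` fields show whether the driver was written and loaded, and `FileVersion` plus the hash fields make it easy to say which build the detection fires on when reporting back in a thread like this one. A `SignatureStatus` other than `Valid` on a file that claims to be the Sysinternals driver is the one result that should be treated as suspicious regardless of what the AV says.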

2 hours ago, Gregecslo said:

Do the same thing with the older version = detected and deleted.

I was previously using PE ver. 16.31, dating to 2/10/2020, without a peep from Eset.
