boromyr (May 6, 2022):
Hi, I get this warning in which Nod32 finds an Exploit in the image files that are downloaded from the "Dynamic Theme" app, downloaded from the Microsoft Store. This app downloads daily Bing images and sets them as your desktop wallpaper; it does nothing else. Is this a false positive or should I worry?

Marcos (Administrator, May 6, 2022):
It's possible that image files contain an exploit. This particular detection is from 2013, so the file should be analyzed in order to tell if it's clean or not. Please email the jpg file in an archive protected with the password "infected" to samples[at]eset.com.

boromyr (May 6, 2022):
OK thanks. Does the archive have to be in .zip format? The email would be samples[at]eset.com, right?

Marcos (Administrator, May 6, 2022):
2 minutes ago, boromyr said: "OK thanks. Does the archive have to be in .zip format? The email would be samples[at]eset.com, right?"
Correct. It can also be rar if not zip.

boromyr (May 6, 2022):
Done, I also inserted the xml file of the exported survey. The strange thing is that on virustotal or with the normal scan I don't get any detection, but only when wsearch accesses the file to index it. https://www.virustotal.com/gui/file-analysis/MjY5NWUxZjk1MDFkY2M0ODk5ZGY1MDg2YzZiZmYzMjA6MTY1MTgzOTE2MQ==

Marcos (Administrator, May 6, 2022):
The file is detected neither by ESET nor by other AVs. Please provide ELC logs to compare hashes.

boromyr (May 6, 2022):
I am creating the log file with ESET Log Collector with the profile "Threat detection". Do I always have to email it to the previous address?

Marcos (Administrator, May 6, 2022):
You can upload the logs here. Attachments are accessible only by the ESET staff and are deleted after some time. In this case we don't need the registry dump; standard logs with all quarantined files will suffice.

boromyr (May 6, 2022):
Can anyone else see or download them? I would prefer to send them to you by private message or by email.

Marcos (Administrator, May 6, 2022):
I've installed Dynamic theme from MS store without anything being detected.

boromyr (May 6, 2022):
You should have Windows indexing enabled and select the AppData\Local folder among the paths to be indexed. Detection occurs when Windows search tries to access it. You should also have the wallpaper set for WinSpotlight and update.

itman (May 6, 2022):
As far as MS04-028, it's an "ancient" exploit only affecting Win XP and 2003 and like "ancient" software associated with those OSes: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-028?redirectedfrom=MSDN . Assuming you're not running Win XP, I am really questioning Eset's detection here.
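An added example, not code from the thread, from ESET or from the Dynamic Theme app: it walks a JPEG's marker segments, reports the SHA-256 so the file that triggered the on-access detection can be compared byte-for-byte with the copy uploaded to VirusTotal (the hash comparison Marcos asks for), and flags a segment whose declared length is 0 or 1, which in a COM (comment) segment is the malformed input the MS04-028 GDI+ bulletin fixed. The two sample JPEG headers are constructed inline; point `analyze()` at the real wallpaper files to use it.

```python
import hashlib
import struct

EOI, SOS, COM = 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length field

def jpeg_segments(data: bytes):
    """Yield (marker, declared_length, offset) for each segment up to and including SOS.
    Entropy-coded data follows SOS, so the walk stops there; a length below 2 also stops
    it, because the 2-byte length field counts itself and nothing sane can follow."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # 0xFF fill bytes may precede a marker
            pos += 1
            continue
        if marker == EOI or marker in STANDALONE:
            yield marker, None, pos
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, length, pos
        if marker == SOS or length < 2:
            return
        pos += 2 + length

def analyze(data: bytes) -> dict:
    """SHA-256 for hash comparison, plus every segment whose length field is 0 or 1.
    A COM segment with such a length is what MS04-028 fixed: GDI+ subtracted 2 from it
    and underflowed, so a signature written for that bulletin keys on this field."""
    findings = []
    for marker, length, off in jpeg_segments(data):
        if length is not None and length < 2:
            kind = "COM" if marker == COM else f"0xFF{marker:02X}"
            findings.append(f"{kind} segment at offset {off} declares length {length}")
    return {"sha256": hashlib.sha256(data).hexdigest(), "findings": findings}

# Constructed samples: minimal JFIF header, a COM segment, then SOS (no image data).
_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
GOOD_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + _SOS
BAD_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x01" + b"hello" + _SOS  # COM length 1
```

A clean Bing wallpaper should produce an empty `findings` list; if the hash of the file ESET quarantined differs from the one scanned on VirusTotal, the two scans simply looked at different files.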
boromyr (May 6, 2022):
Okay, I'm using Windows 11, so I could add it to the ignore list with confidence?

Marcos (Administrator, May 7, 2022):
I'd suggest you choose to clean the detected file, then collect logs with ESET Log Collector and the "Threat detection" template selected in the ELC menu and provide me with the generated file. After we've analyzed the file you could restore the file from quarantine if it turns out to be an FP.

boromyr (May 7, 2022):
Ok thanks, then I'll wait for the problem to recur, and create the log file immediately after the event.