How dangerous is EFI/computrace.A?

[chileverde 2]

I ran my usual weekly scan of my laptop, and ESET detected the following:

Log

\\Uefi Partition » UEFI » uefi:\\Volume 6\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {25247A74-9440-47D5-BF0A-ED92A4D6EBA4} - a variant of EFI/CompuTrace.A potentially unsafe application - retained

This is way beyond my knowledge of computers. I wrote to ESET support, and they responded quickly with 3 links:

For more information about UEFI detections and protecting your computer, visit https://support.eset.com/kb6567.

For additional information about UEFI rootkits available through ESET blogs, visit:
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
https://www.eset.com/us/about/newsroom/corporate-blog/what-is-uefi-scanning-and-why-do-you-need-it-1/
 

The first link actually included "my" malware, EFI/CompuTrace.A, as an example of a potential threat which the user can tell ESET to ignore. Why would I do this if it is dangerous? I found little about EFI/CompuTrace.A on the Web. One page, https://www.malware-killers.com/delete-efi-computrace-a/, supposedly tells how to get rid of it, but can it be trusted? Other discussions say Computrace is installed by some manufacturers to find a computer if it is stolen.

Does the finding by the ESET scan mean my laptop is definitely infected by malware? It is a Dell under warranty, so should I insist they reflash the firmware or replace the main board? Can use it in the meantime? Should I transfer files to another laptop and use it instead, or will that transfer the infection?

I backed up all my partitions about a week ago.

 

 

 

 

[Marcos 5,074]

CompuTrace by Absolute Software is legitimate. However, it uses a small agent rpcnetp.exe that contains a vulnerability allowing communication with any CC server that was exploited by malware.

The fact that CompuTrace is detected on your machine does not mean that you are infected and that malware is running on your machine. Also the fact that CompuTrace is stored in UEFI prevents deletion and the only thing you can do is upgrade UEFI to a version that does not contain it. It depends on your motherboard's manufactured if such UEFI upgrade is available. Therefore all you can do is to exclude UEFI CompuTrace from detection.

[chileverde 2]

Thanks very much, Marcos.

I have had this computer for 4 years and have been running an ESET scan weekly all that time. Is there a reason that this is the first time CompuTrace is detected?

If I understand you correctly, ESET only detects that my laptop has CompuTrace on it, not whether the CompuTrace I have is infected. Thus ESET is just telling me that I have a program on my computer that has a vulnerability. The reason I might ask Dell if they can remove CompuTrace would be to eliminate this vulnerability. Is am correct?

Any particular reason to configure ESET to not detect CompuTrace, now that I have the information you have provided?

[Marcos 5,074]

4 hours ago, chileverde said:

I have had this computer for 4 years and have been running an ESET scan weekly all that time. Is there a reason that this is the first time CompuTrace is detected?

CompuTrace is detected as a potentially unsafe application. This detection is disabled by default. Also Boot sectors/UEFI must be selected as a target in the on-demand scanner profile setup in order to scan UEFI.

 

4 hours ago, chileverde said:

If I understand you correctly, ESET only detects that my laptop has CompuTrace on it, not whether the CompuTrace I have is infected. Thus ESET is just telling me that I have a program on my computer that has a vulnerability. The reason I might ask Dell if they can remove CompuTrace would be to eliminate this vulnerability. Is am correct?

Correct.

4 hours ago, chileverde said:

Any particular reason to configure ESET to not detect CompuTrace, now that I have the information you have provided?

We recommend excluding it from detection to prevent the application from being continually detected.

[itman 1,659]

8 hours ago, chileverde said:

I have had this computer for 4 years and have been running an ESET scan weekly all that time. Is there a reason that this is the first time CompuTrace is detected?

Is this a Lenovo laptop?

If so, Eset is probably now more thoroughly scanning the UEFI due to new vulnerabilities Eset recently discovered: https://www.bleepingcomputer.com/news/security/new-uefi-firmware-flaws-impact-over-70-lenovo-laptop-models/ .

[chileverde 2]

No, it is a Dell laptop.

[Nightowl 202]

On 7/16/2022 at 5:43 AM, chileverde said:

No, it is a Dell laptop.

If there is no BIOS version without it from the manufacturer website, then your best bet would be is disabling CompuTrace from BIOS , but that won't prevent ESET from detecting it , but atleast it's disabled/not running.

[itman 1,659]

Reviewing Dell documentation, it only installed CompuTrace on older laptop models. Later laptop versions use Absolute software.

In regards to CompuTrace installed models:

1. It can only be disabled in the BIOS if it was never activated which is the default setting.

2. If CompuTrace has been activated, it can not be disabled which is by design for security reasons.

Edited July 17, 2022 by itman

[peteyt 393]

15 hours ago, itman said:

Reviewing Dell documentation, it only installed CompuTrace on older laptop models. Later laptop versions use Absolute software.

In regards to CompuTrace installed models:

1. It can only be disabled in the BIOS if it was never activated which is the default setting.

2. If CompuTrace has been activated, it can not be disabled which is by design for security reasons.

Isn't Absolute Software the company behind CompuTrace?

[itman 1,659]

7 hours ago, peteyt said:

Isn't Absolute Software the company behind CompuTrace?

It's a bit complicated.

Computrace; i.e. LoJack, dates to 2005. Absolute originally developed the firmware and licensed it to BIOS manufacturers to embed it into the BIOS chip on motherboards. The firmware by itself does nothing. Software had to be developed to interface with it. Absolute also developed the software to interface with the Computrace firmware. Note in 2005, UEFI based motherboards were a rare occurance; if they existed at all.

As I see it, the problem with Computrace lies with UEFI based motherboards; not BIOS based ones. This is because UEFI contains both a BIOS firmware and disk based hardware component that is accessed by Windows system software.

Ref.: https://nsfocusglobal.com/tracking-and-analysis-of-the-lojackcomputrace-incident/ . This article also gives mitigations for Computrace.

Additional reference:

Quote

In other words, the way Computrace interacts with Absolute could expose users to man-in-the-middle attacks. Back in February, Kamluk described Computrace’s exploitability as follows:

“The software is extremely flexible. It’s a tiny piece of code which is a part of the BIOS. As far as it is a piece of the BIOS, it is not very easy to update the software as often. So they made it very extensible. It can do nearly anything. It can run every type of code. You can do to the system whatever you want. Considering that the software is running on these local system privileges, you have full access to the machine. You can wipe the machine, you can monitor it, you can look through the webcam, you can actually copy any files, you can start new processes. You can do absolutely anything.”

https://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-backdoor-2/107700/

As far as later manufactured Dell PC's go, it appears Dell has developed its own firmware interface to the Absolute software and is no longer using BIOS chips with the Computrace firmware embedded within.

Edited July 18, 2022 by itman

[chileverde 2]

Thanks to all who have posted additional information on this issue. I thought I was following this topic, but it turned out I was not (or following got canceled), so I didn't receive email notification of the new posts.

I just received this article from the technician at Dell who is handling my case:

https://www.dell.com/support/kbdoc/en-us/000142862/computrace-replaced-by-absolute-module-in-newest-bios-revisions#New_Module

Note the the article is dated 21 Feb 2021.

My Dell laptop was manufactured in 2018, which explains why it has Computrace, rather than a similar product with the Absolute name.

After reading the article from Dell, I looked in my BIOS (which I just updated), and, sure enough, there is a Computrace page. It shows the current state of Computrace on my laptop is "Deactivate". The other available options are Activate and Disable. The explanation for Disable is "Permanently block the Computrace® module interface." The page in the BIOS also says: "Note that the Activate or Disable option will permanently Activate or Disable the feature and no further changes will be allowed."

Here are my questions at this point:

(1) In its current state with Computrace deactivated, is my laptop vulnerable to Computrace rootkits or other Computrace malware (if it exists)?

(2) Would my laptop be vulnerable to Computrace rootkits or other Computrace malware if I permanently disabled Computrace? Would permanently disabling Computrace provide more protection than leaving it "deactivated"?

ESET does not detect Computrace on the other laptops in my family, but, depending on the answers I receive to the questions above, I am considering permanently disabling it.

Edited July 25, 2022 by chileverde
formatting

[itman 1,659]

16 hours ago, chileverde said:

Here are my questions at this point:

(1) In its current state with Computrace deactivated, is my laptop vulnerable to Computrace rootkits or other Computrace malware (if it exists)?

(2) Would my laptop be vulnerable to Computrace rootkits or other Computrace malware if I permanently disabled Computrace? Would permanently disabling Computrace provide more protection than leaving it "deactivated"?

My understanding is once CompuTrace is disabled in the BIOS, you cannot be infected by any known like based malware.

Note that once CompuTrace is disabled, it cannot be reactivated short of a BIOS re-flash firmware update.

[itman 1,659]

Speaking of UEFI based malware, here's the latest find: https://www.bleepingcomputer.com/news/security/cosmicstrand-uefi-malware-found-in-gigabyte-asus-motherboards/ .

[chileverde 2]

9 hours ago, itman said:

My understanding is once CompuTrace is disabled in the BIOS, you cannot be infected by any known like based malware.

Note that once CompuTrace is disabled, it cannot be reactivated short of a BIOS re-flash firmware update.

Thanks for your comments. That was my guess—that disabling Computrace in the BIOS would protect me—but wanted confirmation from someone more knowledgeable. Will go ahead and do that in all family computers.

I have absolutely no plans to use Computrace or its successor product in the future, so there is no downside for me to permanently disable it.

Then I will configure ESET to stop showing the detection on my laptop. But I wanted to remove the possibility of a threat before making that last change.

Edited July 27, 2022 by chileverde
clarification

[chileverde 2]

On 7/14/2022 at 9:41 PM, Marcos said:

The fact that CompuTrace is detected on your machine does not mean that you are infected and that malware is running on your machine. Also the fact that CompuTrace is stored in UEFI prevents deletion and the only thing you can do is upgrade UEFI to a version that does not contain it. It depends on your motherboard's manufactured if such UEFI upgrade is available. Therefore all you can do is to exclude UEFI CompuTrace from detection.

I am glad that as a result of the discussion here, I learned that I could easily disable Computrace or, in the case of my newer computer, Absolute in the BIOS and eliminate the possibility of malware exploiting Computrace or Absolute. However, I am disappointed that I did not receive that help from ESET. Support sent me links that told me more than I wanted to know about the technical details of the threats and left me thinking that the only way to deal with a possible threat was to send the laptop back to the manufacturer. I unmarked Marcos's post as a solution, as I do not consider it a solution to stop ESET from detecting Computrace without actually removing the potential threat. I appreciate learning that the detection simply tells me I have Computrace on the system—I may or may not have malware. (Still no explanation as to why ESET detects Computrace/Absolute only on this one computer in my family or why it started after 4 years.) I have used ESET products on my family's computers for 17 years and expect more help than this. This is would I have regarded as a solution:

ESET has detected the presence of Computrace, a product which can be used to find your computer if it is stolen, but which is vulnerable to attacks by malware such as rootkits. You can permanently disable Computrace or its successor product, Absolute, yourself by going into the BIOS, where you will find Computrace or Absolute under Security. If you disable Computrace or Absolute, that is a permanent action which cannot be reversed.

A concise answer like that would have saved me hours posting in the Forum, reading articles, and contacting Dell. As far as I can tell, the additional information that led me to the above solution came from other users, not from ESET staff.

I had trouble finding instructions for preventing ESET from continuing to detect this, so here is where they are for other's benefit: https://support.eset.com/en/kb6519-exclude-an-application-by-name-from-scanning-in-eset-windows-home-products

[chileverde 2]

I must have entered the data incorrectly, because ESET still detects the object. Here is what appears in the log after today's scan (which I think is the same information as in my first post in this topic):

\\Uefi Partition » UEFI » uefi:\\Volume 6\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {25247A74-9440-47D5-BF0A-ED92A4D6EBA4} - a variant of EFI/CompuTrace.A potentially unsafe application - retained

When I set up the detection exception, I entered this in the path field:

\\Uefi Partition » UEFI » uefi:\\Volume 6\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\*

 I entered this in detection name field:

25247A74-9440-47D5-BF0A-ED92A4D6EBA4

Will appreciate any suggestions as to what to enter to avoid detections in the future.

 

[itman 1,659]

Exclude the CompuTrace detection by detection name as shown in the below screen shot:

Ref: https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection?ref=esf

[chileverde 2]

itman,

Thank you very much for directing me to those specific instructions.