ESET placing Windows\Installer files into quarantine post Agent update


bbuffington
Solved by itman

Hello

After updating the endpoint agent to 10.0.2034.0 (detection engine 26353 (20221202)), ESET has begun quarantining a few .msi files that are found in C:/Windows/Installer as well as some installer files for the drafting program that we use, Cabinet Vision. ESET is ruling them all as ML/Augur type Trojans. The Cabinet Vision install files were obtained directly from the developer of the software, Hexagon, and have been kept up to date with releases. I attempted to restore and run a full scan on the computer through the ESET web portal, and the scan returned those files back to quarantine.

I am unsure if there is actually an issue with these files, or the update to the agent has stricter policies and is throwing these as a false positive. If you need more information on the files themselves, please let me know and I will do my best to provide that information.


15 minutes ago, Marcos said:

Please provide logs collected with ESET Log Collector. Prior to collecting logs, make sure to select also bigger quarantined files to collect in the ESET Log Collector menu.

I ran a diagnostic scan through the web interface as it is a remote machine. I attached the entire .zip in hopes it includes the part you need.

3024e87b-010d-46cd-ad8e-3c6ea6a58af3_era-diagnostic-logs_2022-12-02_09-37-28.zip


  • Administrators

The detection log is empty and there is no quarantined file either. Please make sure that the logs were taken from the machine where the detection occurred. I'd also check the detection log locally to make sure the detection was actually logged.


1 hour ago, Marcos said:

The detection log is empty and there is no quarantined file either. Please make sure that the logs were taken from the machine where the detection occurred. I'd also check the detection log locally to make sure the detection was actually logged.

I was able to get the logs of the machine locally using the ESET Log Collector tool you linked earlier. The files are much larger, so I had to break them down a bit in order to fit under the 100MB file limit. Attached here is specifically the "Logs" folder that un-compressed is over 1GB. If you need other parts of the "EEE_Logs" folder let me know. Thank you

Logs.zip


  • Administrators

I couldn't find any records related to detection of installers:

Basically you've had these detections on the machine and all of them seem to be correct:

image.png

What I've noticed is that you have this setting in the advanced HIPS setup enabled which caused the HIPS log to grow enormously (1.2 GB). Please disable it and delete "C:\ProgramData\ESET\ESET Security\logs\hipslog.dat" in safe mode.

image.png


  • Solution
On 12/2/2022 at 9:18 AM, bbuffington said:

ESET is ruling them all as ML/Augur type Trojans.

Here's an earlier discussion on ML/Augur detections: https://forum.eset.com/topic/21243-mlaugur-found-by-eset-nod32-inside-an-application-exe-i-use-often/ . Appears Eset classified PUA software can trigger a ML/Augur detection. You might have to create Eset exclusions for the files.


23 hours ago, itman said:

Here's an earlier discussion on ML/Augur detections: https://forum.eset.com/topic/21243-mlaugur-found-by-eset-nod32-inside-an-application-exe-i-use-often/ . Appears Eset classified PUA software can trigger a ML/Augur detection. You might have to create Eset exclusions for the files.

Thanks for your reply. I had stumbled across that older posting prior to submitting my inquiry. Based on that previous thread and Marcos' reply, it confirms my suspicion of a false positive. ESET recognized the files as .exe/installers and flagged them as a PUA.

I am having a similar issue with it this morning flagging Intel's memory integrity driver as a PUA; I am scanning that, as it has a history of being replaced with malicious software. This release seems to just be a touch stricter when it comes to its settings.

Thanks again.


2 minutes ago, bbuffington said:

I am having a similar issue with it this morning flagging Intel's memory integrity driver as a PUA, I am scanning that as it has a history of being replaced with malicious software.

In this case, I would submit the driver to VirusTotal and see if other security vendors flag it.

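Before adding an exclusion for a flagged installer, it is worth collecting the facts the thread keeps coming back to: whether each file carries a valid Authenticode signature from the expected publisher, and its SHA-256 so it can be looked up on VirusTotal by hash without uploading anything. The PowerShell below is an added example written for this thread, not ESET's tooling or anything posted by the participants. It assumes the quarantined files have been restored (or a copy is available) and that `C:\Temp\CabinetVisionInstall` is where the vendor installers were saved; that path, the output CSV name, and the choice of file extensions are assumptions. It also reports the size of the HIPS log that Marcos mentioned, using the path from his reply.

```powershell
# Added triage example (not from the forum thread). Run in an elevated PowerShell
# session on the affected machine. Paths in $Paths are placeholders except for
# C:\Windows\Installer, which is the location named in the original post.
$Paths = @(
    'C:\Windows\Installer',            # location named in the thread
    'C:\Temp\CabinetVisionInstall'     # ASSUMED: where the Hexagon installers were saved
)

# Build one record per candidate file: size, signature status, signer, SHA-256.
$report = foreach ($p in $Paths) {
    if (-not (Test-Path -Path $p)) { continue }
    Get-ChildItem -Path $p -Recurse -File -Include *.msi, *.exe, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                File      = $_.FullName
                SizeMB    = [math]::Round($_.Length / 1MB, 2)
                SigStatus = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject     # $null when the file is unsigned
                SHA256    = $hash                              # look this up on VirusTotal by hash
            }
        }
}

# Show everything, signed-and-valid first, so the typical false-positive case
# (a vendor installer with a Valid signature from the expected publisher) stands out.
$report | Sort-Object SigStatus, File | Format-Table -AutoSize

# Anything unsigned, tampered or with a broken chain deserves a closer look before
# an exclusion is created; write those to a CSV for the VirusTotal hash lookups.
$report |
    Where-Object { $_.SigStatus -ne 'Valid' } |
    Export-Csv -Path .\suspect-installers.csv -NoTypeInformation   # ASSUMED output name

# Size check for the HIPS log from Marcos' reply (path taken from the thread).
$hipsLog = 'C:\ProgramData\ESET\ESET Security\logs\hipslog.dat'
if (Test-Path -Path $hipsLog) {
    'hipslog.dat is {0:N0} MB' -f ((Get-Item -Path $hipsLog).Length / 1MB)
}
```

A `Valid` status only means the file has not been altered since the publisher signed it; still compare the `Signer` subject with the vendor you expect (for the Cabinet Vision installers, Hexagon) before treating the detection as a false positive, and submit the hash rather than the file when the installer contains anything proprietary.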
