bbuffington 0 Posted December 2, 2022 Share Posted December 2, 2022 Hello After updating the endpoint agent to 10.0.2034.0 (detection engine 26353(20221202)) ESET has begun quarantining a few .msi files that are found in C:/Windows/Installer as well as some installer files for the drafting program that we use, Cabinet Vision. ESET is ruling them all as ML/Auger type Trojans. The Cabinet Vision install files were obtained directly from the developer of the software Hexagon and has been kept up to date with releases. I attempted to restore and run a full scan on the computer through the ESET web portal and the scan returned those files back to quarantine. I am unsure if there is actually an issue with these files, or the update to the agent has stricter policies and is throwing these as a false positive. If you need more information on the files themselves, please let me know and I will do my best to provide that information. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted December 2, 2022 Administrators Share Posted December 2, 2022 Please provide logs collected with ESET Log Collector. Prior to collecting logs, make sure to select also bigger quarantined files to collect in the ELC menu. Link to comment Share on other sites More sharing options...
bbuffington 0 Posted December 2, 2022 Author Share Posted December 2, 2022 15 minutes ago, Marcos said: Please provide logs collected with ESET Log Collector. Prior to collecting logs, make sure to select also bigger quarantined files to collect in the ESET Log Collector menu. I ran a diagnostic scan through the web interface as it is a remote machine. I attached the entire .zip in hopes includes the part you need. 3024e87b-010d-46cd-ad8e-3c6ea6a58af3_era-diagnostic-logs_2022-12-02_09-37-28.zip Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted December 2, 2022 Administrators Share Posted December 2, 2022 The detection log is empty and there is no quarantined file either. Please make sure that the logs were taken from the machine where the detection occurred. I'd also check the detection log locally to make sure the detection was actually logged. Link to comment Share on other sites More sharing options...
bbuffington 0 Posted December 2, 2022 Author Share Posted December 2, 2022 1 hour ago, Marcos said: The detection log is empty and there is no quarantined file either. Please make sure that the logs were taken from the machine where the detection occurred. I'd also check the detection log locally to make sure the detection was actually logged. I was able to get the logs of the machine locally using the ESET Log Collector tool you linked earlier. The files are much larger, so I had to break them down a bit in order to fit under the 100MB file limit. Attached here is specifically the "Logs" folder that un-compressed is over 1GB. If you need other parts of the "EEE_Logs" folder let me know. Thank you Logs.zip Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted December 3, 2022 Administrators Share Posted December 3, 2022 I couldn't find any records related to detection of installers: Basically you've had these detections on the machine and all of them seem to be correct: What I've noticed is that you have this setting in the advanced HIPS setup enabled which caused the HIPS log to grow enormously (1,2 GB). Please disable it and delete "C:\ProgramData\ESET\ESET Security\logs\hipslog.dat" in safe mode. Link to comment Share on other sites More sharing options...
Solution itman 1,659 Posted December 4, 2022 Solution Share Posted December 4, 2022 On 12/2/2022 at 9:18 AM, bbuffington said: ESET is ruling them all as ML/Auger type Trojans. Here's a earlier discussion on ML/Augur detections: https://forum.eset.com/topic/21243-mlaugur-found-by-eset-nod32-inside-an-application-exe-i-use-often/ . Appears Eset classified PUA software can trigger a ML/Augur detection. You might have to create Eset exclusions for the files. Link to comment Share on other sites More sharing options...
bbuffington 0 Posted December 5, 2022 Author Share Posted December 5, 2022 23 hours ago, itman said: Here's a earlier discussion on ML/Augur detections: https://forum.eset.com/topic/21243-mlaugur-found-by-eset-nod32-inside-an-application-exe-i-use-often/ . Appears Eset classified PUA software can trigger a ML/Augur detection. You might have to create Eset exclusions for the files. Thanks for your reply. I had stumbled across that older posting prior to submitting my inquiry. Based on that previous thread and Marcos' reply, it confirms my suspicion of a false positive. ESET recognized the files as .exe/installers and flagged it as a PUA. I am having a similar issue with it this morning flagging Intel's memory integrity driver as a PUA, I am scanning that as it has a history of being replaced with malicious software. This release seems to just be a touch stricter when it comes to its settings. Thanks again. Link to comment Share on other sites More sharing options...
itman 1,659 Posted December 5, 2022 Share Posted December 5, 2022 2 minutes ago, bbuffington said: I am having a similar issue with it this morning flagging Intel's memory integrity driver as a PUA, I am scanning that as it has a history of being replaced with malicious software. In this case, I would submit the driver to VirusTotal and see if other security vendors flag it. bbuffington 1 Link to comment Share on other sites More sharing options...
Recommended Posts