
False positives of Windows system file detection



When I use ESET (16.0.26.0 with the latest virus database) to scan C:\Windows, it produces the following report:

Scan log
Detection engine version: 26846P (20230304)
Date: 2023/3/4  Time: 19:30:18
Scanned disks, folders and files: C:\Windows
C:\Windows\SysWOW64\KernelBase.dll - Suspicious Object - retained
C:\Windows\SysWOW64\fundisc.dll - Suspicious Object - retained
C:\Windows\SysWOW64\printui.dll - Suspicious Object - retained
C:\Windows\WinSxS\wow64_fundisc_31bf3856ad364e35_10.0.25309.1000_none_6295fde85cbafff1\fundisc.dll - Suspicious Object - retained
C:\Windows\WinSxS\wow64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.25309.1000_none_0db40763d66c8036\KernelBase.dll - Suspicious Object - retained
C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-printui_31bf3856ad364e35_10.0.25309.1000_none_c2e6df7a95d2f158\printui.dll - Suspicious Object - retained
Number of scanned objects: 123038
Number of detections: 6
Number of cleaned objects: 0
Completion time: 19:36:09  Total scan time: 351 seconds (00:05:51)

 

Kernelbase.dll, Fundisc.dll and Printui.dll are listed as suspicious objects.

If ESET wrongly deletes these files, I think it will cause the system to crash.


I am on the dev version (alpha) of Windows 11 and the exact same thing is happening to me too. It just started about an hour ago. I have only been on Twitter, Facebook and Reddit today.


10 hours ago, Marcos said:

Couldn't it be that you are using a developer version of Windows 11? Are the files still detected when you re-scan them? If so, please provide logs collected with ESET Log Collector.

Windows:

22H2 25306.1000 (dev channel)

ESET:

16.0.26.0

Detection engine;26849P;2023/3/4
Rapid Response module;21888P;2023/3/4
Update module;1027;2022/7/7
Antivirus and antispyware scanner module;1595.2;2023/3/3
Advanced heuristics module;1219;2023/2/3
Archive support module;1338;2023/2/10
Cleaner module;1233;2023/2/6
Anti-Stealth support module;1184;2022/11/30
Firewall module;1428.3;2023/2/13
Translation support module;1961;2023/2/27
HIPS support module;1454;2023/2/15
Internet protection module;1451;2023/1/31
Advanced antispam module;7947.1;2023/2/22
Database module;1120;2023/1/30
Configuration module;2050.3;2023/1/18
Direct Cloud communication module;1131.4;2023/2/1
Banking and Payment protection module;1297;2023/2/23
Rootkit detection and cleaning module;1033;2022/9/16
Network protection module;1692;2022/7/15
Script scanner module;1145;2023/2/20
Network inspector module;1048;2022/1/20
Cryptographic protocol support module;1074;2023/2/16
Advanced antispam module database;9078P;2023/3/4
Deep Behavioral Inspection support module;1124;2022/11/28
Advanced Machine Learning module;1130;2023/2/15
Telemetry module;1066.1;2022/5/24
Security Center integration module;1038;2022/7/28

 

While this problem occurs, ESET Log Collector cannot be used either, as that program also depends on KernelBase.dll, which eventually leads to an error.

Even selecting Ignore has no effect.


This is not the first time that ESET LiveGrid has incorrectly marked system files of the Win 11 Dev version as suspicious objects. Simply whitelisting these files is not enough; the relevant team should find the root cause of this false-positive problem that happens again and again.


On 3/4/2023 at 7:42 PM, pedoc said:

When I use ESET (16.0.26.0 with the latest virus database) to scan C:\Windows, it produces the following report:

(scan log as in the first post)

Kernelbase.dll, Fundisc.dll and Printui.dll are listed as suspicious objects.

If ESET wrongly deletes these files, I think it will cause the system to crash.

Did you check for rootkits?


1 hour ago, el el amiril said:

Did you check for rootkits?

After updating to the following versions, the problem seems to have gone away.

 

Detection engine;26851P;2023/3/5
Rapid Response module;21890P;2023/3/5
Update module;1027;2022/7/7
Antivirus and antispyware scanner module;1595.2;2023/3/3
Advanced heuristics module;1219;2023/2/3
Archive support module;1338;2023/2/10
Cleaner module;1233;2023/2/6
Anti-Stealth support module;1184;2022/11/30
Firewall module;1428.3;2023/2/13
Translation support module;1961;2023/2/27
HIPS support module;1454;2023/2/15
Internet protection module;1451;2023/1/31
Advanced antispam module;7947.1;2023/2/22
Database module;1120;2023/1/30
Configuration module;2050.3;2023/1/18
Direct Cloud communication module;1131.4;2023/2/1
Banking and Payment protection module;1297;2023/2/23
Rootkit detection and cleaning module;1033;2022/9/16
Network protection module;1692;2022/7/15
Script scanner module;1145;2023/2/20
Network inspector module;1048;2022/1/20
Cryptographic protocol support module;1074;2023/2/16
Advanced antispam module database;9080P;2023/3/5
Deep Behavioral Inspection support module;1124;2022/11/28
Advanced Machine Learning module;1130;2023/2/15
Telemetry module;1066.1;2022/5/24
Security Center integration module;1038;2022/7/28


  • Administrators
1 hour ago, qpel said:

These files are still marked as suspicious.

Please provide logs collected with ESET Log Collector. A screenshot won't help, we need the hashes of the detected files at least.


4 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector. A screenshot won't help, we need the hashes of the detected files at least.

This problem was mentioned in my previous reply: the false positives stop the ESET Log Collector tool from working properly. In addition, other users have provided logs.
Also, the screenshots below contain the SHA-1 hashes of the false-positive files, but I can't copy them.

 


  • Administrators
1 hour ago, pedoc said:

This problem was mentioned in my previous reply: the false positives stop the ESET Log Collector tool from working properly. In addition, other users have provided logs.
Also, the screenshots below contain the SHA-1 hashes of the false-positive files, but I can't copy them.

None of the above hashes is blocked. Two of them were removed from the blacklist about 18 hours before you posted.
Hashes can be copied from the Detections log by right-clicking the appropriate cell and selecting the appropriate option.


On 3/4/2023 at 9:51 AM, Marcos said:

Couldn't it be that you are using a developer version of Windows 11? Are the files still detected when you re-scan them? If so, please provide logs collected with ESET Log Collector.

Resolution: do not use the developer version of Windows 11.


  • Administrators

More AVs detected those files initially, some were detected by Microsoft as well. We hope that Microsoft will start to sign their files or take other measures in cooperation with AV vendors to prevent false positives on non-prevalent files.

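An added example that is not part of the thread and not an ESET tool: it gathers the evidence Marcos asks for above (SHA-1 hashes of the detected files, which also avoids the copy problem with screenshots) and runs the signature check his last reply points at, so you can see for yourself whether a flagged build file is Microsoft-signed before filing a false-positive report. It assumes an elevated PowerShell 5.1 or 7 session on the affected machine, uses the six paths from the scan log, and writes a CSV to a path that is an assumption.

```powershell
# Added example, not from the original thread or from ESET. Collects hashes and
# Authenticode status for the files the scan log flagged as Suspicious Object.
# Assumptions: elevated Windows PowerShell 5.1 or PowerShell 7 on the affected
# machine; the six paths below are the ones reported in the scan log; the CSV
# output path is arbitrary.

$Paths = @(
    'C:\Windows\SysWOW64\KernelBase.dll'
    'C:\Windows\SysWOW64\fundisc.dll'
    'C:\Windows\SysWOW64\printui.dll'
    'C:\Windows\WinSxS\wow64_fundisc_31bf3856ad364e35_10.0.25309.1000_none_6295fde85cbafff1\fundisc.dll'
    'C:\Windows\WinSxS\wow64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.25309.1000_none_0db40763d66c8036\KernelBase.dll'
    'C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-printui_31bf3856ad364e35_10.0.25309.1000_none_c2e6df7a95d2f158\printui.dll'
)

function Get-FileEvidence {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "Not found: $p"
            continue
        }
        # Get-AuthenticodeSignature checks embedded signatures and catalog
        # signatures; most Windows system DLLs are catalog-signed.
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path        = $p
            FileVersion = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
            SHA1        = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
            SHA256      = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SigType     = $sig.SignatureType   # Authenticode, Catalog or None
            IsOSBinary  = $sig.IsOSBinary      # signer chains to a Microsoft OS root
            Signer      = $sig.SignerCertificate.Subject
        }
    }
}

$Evidence = Get-FileEvidence -Path $Paths
$Evidence | Format-List

# Files that are unsigned, or whose content no longer matches the signature,
# deserve a second look before the detection is written off as a false positive.
$Evidence |
    Where-Object { $_.SigStatus -ne 'Valid' -or -not $_.IsOSBinary } |
    Select-Object Path, SigStatus, SigType, Signer

# The SysWOW64 copy and its WinSxS component copy are expected to hash the
# same; a mismatch means the two are not the same file.
$Evidence |
    Group-Object SHA256 |
    Select-Object Count, Name, @{ n = 'Paths'; e = { $_.Group.Path -join '; ' } }

# Keep a copy to attach to the false-positive report (path is an assumption).
$Evidence | Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\eset-fp-evidence.csv" -NoTypeInformation
```

Run it before the detection database is updated, because once the hashes leave the blacklist (as Marcos notes happened here) a re-scan no longer reproduces the detection and the hashes are the only thing left to reason about. A Valid, catalog-signed result with IsOSBinary set does not by itself prove the file is safe on a dev-channel build, but it is the evidence a vendor needs to tell a non-prevalent legitimate file from a tampered one.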
