False positives of Windows system file detection

pedoc · March 4, 2023

When I use ESET(16.0.26.0 and the latest virus library ) to scan C:/Windows, he appeared the following report:

扫描日志
检测引擎的版本: 26846P (20230304)
日期: 2023/3/4 时间: 19:30:18
已扫描的磁盘、文件夹和文件: C:\Windows
C:\Windows\SysWOW64\KernelBase.dll - Suspicious Object - 已保留
C:\Windows\SysWOW64\fundisc.dll - Suspicious Object - 已保留
C:\Windows\SysWOW64\printui.dll - Suspicious Object - 已保留
C:\Windows\WinSxS\wow64_fundisc_31bf3856ad364e35_10.0.25309.1000_none_6295fde85cbafff1\fundisc.dll - Suspicious Object - 已保留
C:\Windows\WinSxS\wow64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.25309.1000_none_0db40763d66c8036\KernelBase.dll - Suspicious Object - 已保留
C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-printui_31bf3856ad364e35_10.0.25309.1000_none_c2e6df7a95d2f158\printui.dll - Suspicious Object - 已保留
已扫描的对象数: 123038
检测数: 6
已清除的对象数: 0
完成时间: 19:36:09 总扫描时间: 351 秒 (00:05:51)

Kernelbase.dll Fundisc.dll Printui.dll is listed as a suspicious object.

If ESET is wrongly deleted these files, I think it will cause the system to collapse.

Marcos · March 4, 2023

Couldn't it be that you are using a developer version of Windows 11? Are the files still detected when you re-scan them? If so, please provide logs collected with ESET Log Collector.

vanroy · March 4, 2023

+1 is false positive or what? ?

Edited March 5, 2023 by vanroy

hekkyUK · March 4, 2023

I have the same problem with files in syswow64 being detected - In my case kernelbase.dll, devrt.dll and printui.dll

I'm running the latest Windows 11 developer build 22H2 build 25309.1000

ESET log collector file is here - https://www.dropbox.com/s/9z0lkaa8xf83coh/eav_logs.zip?dl=0

YOLO_SWAGGINS · March 4, 2023

I am on the dev version (alpha) if Windows 11 and the exact same thing is happening to me too, It just started about an hour ago. Only been on twitter/facebook and reddit today.

pedoc · March 5, 2023

10 hours ago, Marcos said:

Couldn't it be that you are using a developer version of Windows 11? Are the files still detected when you re-scan them? If so, please provide logs collected with ESET Log Collector.

windows:

22H2 25306.1000 (dev channel)

eset:

16.0.26.0

检测引擎;26849P;2023/3/4
快速响应模块;21888P;2023/3/4
更新模块;1027;2022/7/7
病毒和间谍软件防护扫描程序模块;1595.2;2023/3/3
高级启发式扫描模块;1219;2023/2/3
压缩文件支持模块;1338;2023/2/10
清除器模块;1233;2023/2/6
反隐藏支持模块;1184;2022/11/30
防火墙模块;1428.3;2023/2/13
翻译支持模块;1961;2023/2/27
HIPS 支持模块;1454;2023/2/15
Internet 防护模块;1451;2023/1/31
高级反垃圾邮件模块;7947.1;2023/2/22
数据库模块;1120;2023/1/30
配置模块;2050.3;2023/1/18
直接云通信模块;1131.4;2023/2/1
银行和付款保护模块;1297;2023/2/23
Rootkit 删除和清除模块;1033;2022/9/16
网络防护模块;1692;2022/7/15
脚本扫描程序模块;1145;2023/2/20
网络检查器模块;1048;2022/1/20
加密协议支持模块;1074;2023/2/16
高级垃圾邮件防护模块数据库;9078P;2023/3/4
深度行为检测支持模块;1124;2022/11/28
高级机器学习模块;1130;2023/2/15
遥测模块;1066.1;2022/5/24
安全中心集成模块;1038;2022/7/28

At the same time as this problem occurs, ESET Log Collector cannot be used, as this program also depends on KernelBase.dll, which eventually leads to the error.

Even selecting Ignore has no effect.

AnthonyQ · March 5, 2023

Not the first time that ESET LiveGrid incorrectly marks system files of Win 11 Dev version as suspicious objects. Simply whitelisting these files is not enough, the relevant team should find out the root cause of this false positive problem that happens again and again.

el el amiril · March 5, 2023

On 3/4/2023 at 7:42 PM, pedoc said:

When I use ESET(16.0.26.0 and the latest virus library ) to scan C:/Windows, he appeared the following report:

扫描日志
检测引擎的版本: 26846P (20230304)
日期: 2023/3/4 时间: 19:30:18
已扫描的磁盘、文件夹和文件: C:\Windows
C:\Windows\SysWOW64\KernelBase.dll - Suspicious Object - 已保留
C:\Windows\SysWOW64\fundisc.dll - Suspicious Object - 已保留
C:\Windows\SysWOW64\printui.dll - Suspicious Object - 已保留
C:\Windows\WinSxS\wow64_fundisc_31bf3856ad364e35_10.0.25309.1000_none_6295fde85cbafff1\fundisc.dll - Suspicious Object - 已保留
C:\Windows\WinSxS\wow64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.25309.1000_none_0db40763d66c8036\KernelBase.dll - Suspicious Object - 已保留
C:\Windows\WinSxS\wow64_microsoft-windows-p..randprintui-printui_31bf3856ad364e35_10.0.25309.1000_none_c2e6df7a95d2f158\printui.dll - Suspicious Object - 已保留
已扫描的对象数: 123038
检测数: 6
已清除的对象数: 0
完成时间: 19:36:09 总扫描时间: 351 秒 (00:05:51)

Kernelbase.dll Fundisc.dll Printui.dll is listed as a suspicious object.

If ESET is wrongly deleted these files, I think it will cause the system to collapse.

did you check for rootkits?

pedoc · March 5, 2023

1 hour ago, el el amiril said:

did you check for rootkits?

After updating to the following versions, the problem seems to have gone away.

检测引擎;26851P;2023/3/5
快速响应模块;21890P;2023/3/5
更新模块;1027;2022/7/7
病毒和间谍软件防护扫描程序模块;1595.2;2023/3/3
高级启发式扫描模块;1219;2023/2/3
压缩文件支持模块;1338;2023/2/10
清除器模块;1233;2023/2/6
反隐藏支持模块;1184;2022/11/30
防火墙模块;1428.3;2023/2/13
翻译支持模块;1961;2023/2/27
HIPS 支持模块;1454;2023/2/15
Internet 防护模块;1451;2023/1/31
高级反垃圾邮件模块;7947.1;2023/2/22
数据库模块;1120;2023/1/30
配置模块;2050.3;2023/1/18
直接云通信模块;1131.4;2023/2/1
银行和付款保护模块;1297;2023/2/23
Rootkit 删除和清除模块;1033;2022/9/16
网络防护模块;1692;2022/7/15
脚本扫描程序模块;1145;2023/2/20
网络检查器模块;1048;2022/1/20
加密协议支持模块;1074;2023/2/16
高级垃圾邮件防护模块数据库;9080P;2023/3/5
深度行为检测支持模块;1124;2022/11/28
高级机器学习模块;1130;2023/2/15
遥测模块;1066.1;2022/5/24
安全中心集成模块;1038;2022/7/28

qpel · March 5, 2023

these files are still marked as suspicious

Marcos · March 5, 2023

1 hour ago, qpel said:

these files are still marked as suspicious

Please provide logs collected with ESET Log Collector. A screenshot won't help, we need the hashes of the detected files at least.

pedoc · March 6, 2023

4 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector. A screenshot won't help, we need the hashes of the detected files at least.

This problem has been mentioned in the previous reply, and the false positives make the ESET Log Collector tool not work properly. In addition, other netizens have provided logs.
Also, the screenshot below contains the SHA-1 hash of the false positive file, but I can't copy it

Marcos · March 6, 2023

1 hour ago, pedoc said:

This problem has been mentioned in the previous reply, and the false positives make the ESET Log Collector tool not work properly. In addition, other netizens have provided logs.
Also, the screenshot below contains the SHA-1 hash of the false positive file, but I can't copy it

None of the above hashes is blocked. 2 of them were removed from blacklist about 18 hours before you posted.
Hashes can be copied from the Detections log by right-clicking the appropriate cell and selecting the appropriate option.

vanroy · March 11, 2023

On 3/4/2023 at 9:51 AM, Marcos said:

Couldn't it be that you are using a developer version of Windows 11? Are the files still detected when you re-scan them? If so, please provide logs collected with ESET Log Collector.

Resolutions not use developer version of Windows 11.

Marcos · March 11, 2023

More AVs detected those files initially, some were detected by Microsoft as well. We hope that Microsoft will start to sign their files or take other measures in cooperation with AV vendors to prevent false positives on non-prevalent files.

Sign In

False positives of Windows system file detection

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics