Threat found ML/Augur


A few days ago, when trying to install the latest version of the Windows Malicious Software Removal Tool, ESET also sent a warning "Threat found. A threat ML/Augur was found in a file that Microsoft Windows Malicious Software Removal Tool tried to access." The link on file does not work. The link on Microsoft Windows Malicious Software Removal Tool only leads to Microsoft's genuine MRT.exe file (Windows Malicious Software Removal Tool), so once again, I have no idea where the problem is or how to find it.

Since then, ESET keeps sending me a warning "Threat found. A threat was found in a file that runs automatically. A threat ML/Augur was found in a file on your computer." The link on file does not work, so I have no idea where the problem is or how to find it, or even how to get any help on it from ESET.

ESET also sent me a warning "Threat found. A threat ML/Augur was found in a file that Microsoft Compatibility Telemetry tried to access." The link on file does not work. The link on Microsoft Compatibility Telemetry file leads to Microsoft's genuine CompatTelRunner.exe, so again I have no idea where the problem is or how to find it.

SmartSecurity Premium (v 16.0.26.0). Windows 7 Machine.

Can anyone help?


Thanks Marcos

Your suggestion led me to check the ESET logs. There were no threats being reported, which is why I posted in the forum in the first place.

However, I then realised the ESET log filter was turned on (or was it off?), so the ESET Threat logs were not appearing. As soon as I changed the filter, the logs appeared and now the offending file/program is clearly identified as "NetStation Terminal.exe".
Therefore I don't need to send you the logs after all. But the attached screenshot is an example of the many warnings in the logs, which all point to the same file "NetStation Terminal.exe".

However, this is a commercial program, that has been installed for months already, so I don't understand why it is suddenly producing threat warnings.

Secondly, if a search on ESET does not turn up any explanation of what "ML/Augur" threat is, I am still in the dark as to how dangerous this is. ESET has not "cleaned" the program, but left it in place, so it can’t be too serious.

Do you (or anyone else) know what the "ML/Augur" threat is?  There is nothing on Google or ESET about it.

Thanks in advance

Threat warning.jpg


I had a thought - is the problem because the file is in the C:\ProgramData\NetStation directory instead of
C:\Program Files\NetStation?


  • Administrators

Please submit NetStation Terminal.exe to ESET, e.g. via the built-in submission form under Tools -> Submit sample for analysis and let me know when done.

If you have ESET LiveGrid Feedback system disabled, we strongly recommend enabling it. Doing so will improve protection, cleaning and prevention from false positives.


5 hours ago, Mandy123 said:

I had a thought - is the problem because the file is in the C:\ProgramData\NetStation directory instead of
C:\Program Files\NetStation?

Check if a copy of NetStation Terminal.exe exists in C:\Program Files\NetStation directory or sub-directory.

It is not normal to find .exe files in C:\ProgramData\* directory although Microsoft drops Windows Defender binaries there.


I also noticed in the Eset detection alert;

Eset_Augur.png

that Eset didn't delete the file. This would indicate to me it was a suspicious activity detection.

Also of note is the parent process attempting to access the file is a legit Win system executable; although a somewhat bogus one (telemetry.)


Many thanks, itman

You said " This would indicate to me it was a suspicious activity detection."

Presumably that is why the warning flashed up in the first place. Could you clarify what the other implications are that you mean, please?

Yes, it is worrying that Windows has a telemetry file checking this, but it might be connected with the fact that the Windows Malicious Software Removal Tool tried to access the file previously.


Hi itman

Re your previous comment, no, the program is not in the C:\Program Files\NetStation directory or a sub-directory. However, that is possibly my fault, as I installed it and may have made a mistake.

Regards


  • Administrators

We haven't got the file yet. If it's in ESET quarantine, right-click the file and select Submit for analysis.


Hi Marcos

That is weird, because I received confirmation that the samples were submitted yesterday.

I don't have the exact time, but it was an hour or two after you asked for it.

Please see attached screenshots of my file notes

Mandy

Log submitted 20230514.pdf


Hi Marcos

I don't think I need to send you the logs, but here is the zip file from the log collector.
The real issues as I see them are:

1. What is the "ML/Augur" threat? I am still in the dark as to how dangerous this is.

2. I submitted the offending file/program, "NetStation Terminal.exe". Can ESET see anything wrong with it?

3. Do you think it will fix the problem if I uninstall "NetStation Terminal.exe" and reinstall in the C:\Program Files\NetStation directory?

Thanks again for your help

Mandy

essp_logs.zip


1 hour ago, Mandy123 said:

1. What is the "ML/Augur" threat? I am still in the dark as to how dangerous this is.

Here's Eset's write up on its Augur protection: https://www.welivesecurity.com/2017/06/20/machine-learning-eset-road-augur/.

Basically, Augur detections are probability based behavior determination that a process is malicious.


3 hours ago, Mandy123 said:

I submitted the offending file/program, "NetStation Terminal.exe". Can ESET see anything wrong with it?

Since the .exe appears to still exist in its installation directory, just create a copy of it in a zipped folder by left button mouse clicking on it and selecting compressed folder option per below screen shot. Then post zipped file as an attachment.

Eset_Zipped.png

Edited by itman

Many thanks Itman

Very interesting article. It is the reason I like ESET: great research and at the forefront.
I do think, however, that the ESET warning should make clear that ML/Augur is, as you say, a "probability based behavior determination that a process is malicious", and the ESET help function should also make that clear. There is nothing about that particular warning on the ESET website, and it is presented in almost the same way a dangerous virus hit appears.

I have attached the whole directory containing the suspicious files and would be very grateful if it could be checked out.
But I suspect this must be a false positive because of the directory it is in.

Thanks again

Mandy

NetStation.zip


On 5/14/2023 at 4:39 AM, Mandy123 said:

However, this is a commercial program, that has been installed for months already, so I don't understand why it is suddenly producing threat warnings.

Did you check to determine if NetStation Terminal.exe has been updated recently? If you examine its file properties, check its Created and Modified dates.

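An added example, not code posted by anyone in this thread and not an ESET tool, that automates the two checks itman suggests above: whether a copy of the flagged executable exists under Program Files, and what executables live under C:\ProgramData together with their Created/Modified dates. It also records the Authenticode signature status and SHA256 of each file, which is what you would want at hand before submitting a sample or comparing against VirusTotal. The file name and the C:\ProgramData\NetStation directory are taken from the thread; the 30-day "recently modified" threshold and the function names are assumptions made for illustration.

```powershell
# Added example, not from this thread or from ESET. Automates the checks suggested
# above: (1) does a copy of the flagged .exe exist under Program Files, and
# (2) which executables live under C:\ProgramData, when were they created/modified,
# are they signed, and what is their SHA256. File name and directory are from the
# thread; the 30-day threshold is an assumed value.

$FileName   = 'NetStation Terminal.exe'                 # file named in the thread
$DataDir    = Join-Path $env:ProgramData 'NetStation'   # C:\ProgramData\NetStation
$RecentDays = 30                                        # assumed "updated recently" window

function Find-InstalledCopy {
    param([string]$Name)
    # Search both Program Files roots; the (x86) root does not exist on 32-bit Windows.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter $Name -Recurse -File -ErrorAction SilentlyContinue
    }
}

function Get-ExecutableInventory {
    param([string]$Root, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Recent    = ($_.LastWriteTime -gt $cutoff)     # changed within $Days
                SigStatus = $sig.Status                         # Valid / NotSigned / HashMismatch ...
                Signer    = $sig.SignerCertificate.Subject      # $null when unsigned
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 1. Is the program installed where an installed application normally lives?
$copies = @(Find-InstalledCopy -Name $FileName)
if ($copies.Count -gt 0) {
    "Copies of '$FileName' under Program Files:"
    $copies | Select-Object FullName, CreationTime, LastWriteTime | Format-Table -AutoSize
} else {
    "No copy of '$FileName' under Program Files; checking $DataDir instead."
}

# 2. Every .exe under ProgramData. Expect Windows Defender's own (signed) binaries
#    here; anything else deserves a look at its dates, signature and hash.
$inventory = Get-ExecutableInventory -Root $env:ProgramData -Days $RecentDays
$inventory | Sort-Object Modified -Descending |
    Format-Table Path, Created, Modified, Recent, SigStatus -AutoSize

# 3. Full record for the specific file from the thread, if it is present.
$target = $inventory | Where-Object { $_.Path -eq (Join-Path $DataDir $FileName) }
if ($target) { $target | Format-List }
```

Run it from an elevated PowerShell prompt so the recursive listing is not cut short by access-denied errors. Get-FileHash requires PowerShell 4.0 or later, so a Windows 7 machine on the stock PowerShell 2.0 needs the Windows Management Framework 4 update first. A file whose Created and Modified dates match the original installation date, as Mandy reports, will show Recent as False; a valid signature from the vendor plus an unchanged hash is the kind of evidence that supports a false-positive report rather than settling it on its own.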

  • Administrators

The detection has been removed. Please remove d:\ from performance exclusions as it is dangerous to exclude whole drives.


Hi ITman

Thank you for that suggestion. NetStation Terminal.exe has been in the same directory since it was installed. Its update date is the same as its installation date - November 2022. So there is nothing new there to trigger the warning.


Hi Marcos

Thank you for that recommendation. Well spotted. D drive has now been removed from performance exclusions. It was put in there temporarily some time back, and then never removed afterwards.

However, what do you mean "The detection has been removed"? Do you mean a modification to the Augur detection algorithm? I have stopped getting the warnings, though.


Kind regards

Mandy


  • Solution
35 minutes ago, Mandy123 said:

Do you mean a modification to the Augur detection algorithm? I have stopped getting the warnings, though.

Correct. The app was being detected erroneously which is referred to as a false positive detection.

-EDIT- Actually, the problem wasn't NetStation Terminal.exe per se. Augur was detecting any process that was trying to access it as malicious activity. A strange one here.

Edited by itman

  • Administrators

Also I was wondering why you have automatic submission of detected and suspicious files disabled. If possible, please re-enable these settings:

image.png

Also if you haven't run into false positives while using aggressive detection, it'd be good to consider changing also protection to aggressive. Otherwise malware detected with the aggressive level would be allowed to run.

image.png


Many thanks ITman

Thanks also, Marcos
I had automatic submission turned off, because I am very wary of any telemetry, but ESET has proved itself worthy, so I'll turn it on!
And thanks for the suggestion about aggressive protection, also turned on.

The help from both of you was awesome!

Cheers

Mandy


We manage about 350 endpoints and these ML/Augur detections have been creating all these tickets for us on many computers for files that have been resident for years. VirusTotal has shown no other vendor agreeing so far.

Seems like a false positive wildfire to me.
