
ESET is detecting file from C:\OEM folder



Hello, today I am receiving mails, telling me that "file:///C:/OEM/Factory/amifldrv64.sys" has been detected as a potentially insecure application and ESET has deleted it.

Is it a false positive? I think that the OEM folder is related to system recovery.

Thanks, regards.


  • Administrators

Please provide the appropriate record from the Detections log. Most likely it's a detection of a vulnerable driver.


49 minutes ago, Marcos said:

As expected, it's a correct detection of a vulnerable AMI driver:

The driver may be vulnerable, but is it OK for ESET to delete a driver???? What if, by deleting a driver, the PC is not bootable anymore????


4 hours ago, rotaru said:

The driver may be vulnerable, but is it OK for ESET to delete a driver???? What if, by deleting a driver, the PC is not bootable anymore????

If Win 10 Pro+ is installed and HVCI (Memory Integrity) is enabled, Windows would have blocked the driver from loading: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

Additional ref. article here: https://www.dell.com/community/Alienware/m17-R2-BIOS-installer-blocked-vulnerable-driver-amifldrv64-sys/td-p/8293332

5 hours ago, IggyAl said:

I think that the OEM folder is related to system recovery.

Appears the vulnerable driver ESET is detecting is the one used by the PC vendor's restore processing, not the same driver currently present in C:\Windows\System32\drivers. Appears the solution is to contact the PC manufacturer about an update of their recovery software.

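The two checks itman's post implies, whether Memory Integrity (HVCI) and the Microsoft vulnerable driver blocklist are actually on, and whether the flagged file is a separate OEM copy rather than the driver loaded from System32, can be run from an elevated PowerShell prompt. This is an added example, not code from the thread or from ESET; the driver path is taken from the first post and the WMI class, registry keys and cmdlets are documented Windows ones, but the exact registry values present depend on the Windows build, so treat anything that comes back empty as "not configured on this build" rather than an error.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Path from the original post; adjust if ESET reported a different location.
$driverPath = 'C:\OEM\Factory\amifldrv64.sys'

# 1. HVCI status from the Device Guard WMI class.
#    In SecurityServicesConfigured/Running, value 2 means HVCI (Memory Integrity).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    HvciConfigured   = ($dg.SecurityServicesConfigured -contains 2)
    HvciRunning      = ($dg.SecurityServicesRunning   -contains 2)
    CIPolicyEnforced = $dg.CodeIntegrityPolicyEnforcementStatus   # 2 = enforced
}

# 2. Registry toggles: the Memory Integrity switch and the Microsoft Vulnerable Driver
#    Blocklist switch (the latter exists on newer builds; missing value = not configured).
$hvciKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$hvciReg  = Get-ItemProperty -Path $hvciKey  -Name Enabled -ErrorAction SilentlyContinue
$blockReg = Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
"Memory Integrity registry value : $($hvciReg.Enabled)"
"Vulnerable driver blocklist     : $($blockReg.VulnerableDriverBlocklistEnable)"

# 3. Details of the flagged file: SHA-256 (to look up on VirusTotal or in the
#    Microsoft block rules), Authenticode signer and version resource.
if (Test-Path -LiteralPath $driverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    $ver = (Get-Item -LiteralPath $driverPath).VersionInfo
    [pscustomobject]@{
        Path            = $driverPath
        SHA256          = (Get-FileHash -LiteralPath $driverPath -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        FileVersion     = $ver.FileVersion
        Company         = $ver.CompanyName
    }
} else {
    "File not present (ESET may already have removed it): $driverPath"
}

# 4. Is a driver by that name registered/loaded at all? On the thread's systems the
#    OEM recovery copy is expected NOT to appear here, since only System32 drivers load.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*amifldrv64*' } |
    Select-Object Name, State, StartMode, PathName
```

If step 4 returns nothing, the flagged file was an inert copy in the recovery folder, which is the situation described in the thread; if it does list a running instance under System32, the same update-from-the-vendor advice applies to that copy as well.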


6 hours ago, SeriousHoax said:

ESET also detected an AMD driver on my system.

This one as: "Win64/AMD.C potentially unsafe application"

https://www.virustotal.com/gui/file/77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a/detection

Looks like the driver is related to the AMD Ryzen Master utility used for over-clocking Radeon graphics: https://www.amd.com/system/files/documents/ryzen-master-quick-reference-guide.pdf . Since one "can live" w/o over-clocked graphics, appears the best solution is to uninstall the utility. Since this vulnerable driver ver. dates to 5/2023, doubt that AMD has an update for it.


9 hours ago, itman said:

Looks like the driver is related to the AMD Ryzen Master utility used for over-clocking Radeon graphics: https://www.amd.com/system/files/documents/ryzen-master-quick-reference-guide.pdf . Since one "can live" w/o over-clocked graphics, appears the best solution is to uninstall the utility. Since this vulnerable driver ver. dates to 5/2023, doubt that AMD has an update for it.

Yeah, but it's not easy to uninstall it because it comes with AMD's display driver by default.

I use this tool to pre-remove stuff that I don't need when a new driver comes out. But the last time I forgot to uncheck Ryzen Master.

https://github.com/GSDragoon/RadeonSoftwareSlimmer

This topic is now closed to further replies.