Mark-Deo, posted October 15, 2023

Hello everyone, I need your assistance. I got an alert from ESET that a trojan named Win64/Rozena_AGen.CU was found at this path: file:///C:/Windows/System32/odbc32.dll. When I checked this file, it's related to MS database ODBC. How would I know whether it's a false positive or not, and what should I do in this case?

Marcos (Administrators), posted October 15, 2023

The FP was fixed automatically and the file is not detected any more. If you can wait a few more hours, we would appreciate it if you could let us restore the file from quarantine automatically with the next update, which is planned in about 4 hours from now, and then let us know if it was restored OK. If it can't wait, you can restore the file now; however, please provide logs collected with ESET Log Collector, since ESET LiveGrid was supposed to prevent the detection and we would like to investigate if it failed on your machine for some reason.

itman, posted October 15, 2023

1 hour ago, Marcos said: "since ESET LiveGuard was supposed to prevent the detection and we would like to investigate if it failed on your machine for some reason."

Only applicable to ESSP since it is the only consumer version that has LiveGuard. Did you mean LiveGrid instead?

Marcos (Administrators), posted October 15, 2023

5 minutes ago, itman said: "Only applicable to ESSP since it is the only consumer version that has LiveGuard. Did you mean LiveGrid instead?"

I'm sorry, made a typo. I meant ESET LiveGrid.

amdrodiooon, posted October 17, 2023

Hello @Marcos, I have the same detection as the topic starter, and it also happened to me on October 15th, at 5-6 am. But the problem is that it's still showing up for me in ESET as detected. Could you please help me somehow? I think that it's a false positive, but I find it really strange that the file (URI: file:///C:/windows/SYSTEM32/ODBC32.dll ; Process name: C:\Windows\System32\dllhost.exe) is still showing up as detected... Thank you.

Marcos (Administrators), posted October 17, 2023

37 minutes ago, amdrodiooon said: "May you please help me somehow? As I think, that it's FalsePositive, but I find it out really strange that the file (URI: file:///C:/windows/SYSTEM32/ODBC32.dll ;"

Do you mean that the file C:\Windows\SYSTEM32\ODBC32.dll is not present on the machine in question?

amdrodiooon, posted October 17, 2023

No, I mean that this file/process is present on the PC (it's some Windows component) and is still showing up as Trojan: "Win64/Rozena_AGen.CU" in my ESET app. But you wrote to the topic starter that the FP was fixed and the file is not detected anymore. So my question is whether it's some error on your side that you can fix somehow remotely, or whether it's Microsoft's/our error?

Marcos (Administrators), posted October 17, 2023

If the file was still detected, it would also be removed from C:\Windows\SYSTEM32\ODBC32.dll. However, you wrote that it was still on your PC, so it's in accordance with what I replied to the OP above.

amdrodiooon, posted October 17, 2023

Look, maybe we just didn't understand each other correctly... It's still showing up as Trojan. I checked the hash via VirusTotal and there is not a single detection.

Marcos (Administrators), posted October 17, 2023

The above comes from logs. Logs are not automatically cleaned by ESET releasing a module update. If the file was detected and quarantined, it should be no longer in quarantine since it was restored to C:\Windows\SYSTEM32\ODBC32.dll.

amdrodiooon, posted October 17, 2023

It's showing up as "Unresolved detection". Does it mean that it was quarantined? And what am I supposed to do so that ESET stops showing me this detection? I thought that it would be fixed automatically, but it still shows up. Do I now need to Create Exclusion / Mark as Resolved? What can I do to be sure that this detection was a false positive, besides the VirusTotal check? Sorry for so many questions, but I'm just really confused by this situation... 🙂

Marcos (Administrators), posted October 17, 2023

Detections are supposed to be resolved by an administrator or by running an in-depth scan from ESET PROTECT, as stated at https://help.eset.com/protect_admin/10.1/en-US/threats.html:

"Resolved detections - These are detections that have been marked by a user as resolved, however they have not yet been scanned using In-Depth Scan. Devices with detections marked as resolved will still be displayed in the filtered results list until scanning is performed."

I assume that you didn't run an in-depth scan or manually resolve the detection, which is why you see it unresolved. The file is not detected, so you don't need to create a detection exclusion. You can resolve the detection manually in the ESET PROTECT console.

Marcos (Administrators), posted October 17, 2023

I stand corrected. This was a system file, so we didn't even attempt to clean it, which is why it has "handled" set to 0 in your screenshot.

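Added example, not part of any post in this thread and not ESET tooling: one way to check locally whether a flagged Windows system file such as C:\Windows\System32\odbc32.dll is the genuine Microsoft binary, complementing the hash lookup mentioned above. It uses the built-in Get-FileHash, Get-AuthenticodeSignature and sfc /verifyfile; the function name Test-SystemFileTrust is hypothetical, and Windows PowerShell 5.1 or later in an elevated session is assumed.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1+,
# run as administrator because sfc.exe requires elevation.
function Test-SystemFileTrust {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # SHA-256 of the file on disk, for comparison with a reputation service
    # or with the same file on a known-good machine at the same patch level.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Windows system DLLs are usually catalog-signed; Get-AuthenticodeSignature
    # reports both embedded and catalog signatures on Windows 10 and later.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $hash
        SignatureStatus = $sig.Status         # 'Valid' is expected for an intact OS file
        SignatureType   = $sig.SignatureType  # Authenticode (embedded) or Catalog
        IsOSBinary      = $sig.IsOSBinary
        Signer          = $signer
        # Trusted only if the signature verifies AND Windows recognises the
        # file as an operating-system binary.
        Trusted         = ($sig.Status -eq 'Valid' -and $sig.IsOSBinary)
    }
}

$result = Test-SystemFileTrust -Path 'C:\Windows\System32\odbc32.dll'
$result | Format-List

# Ask Windows Resource Protection to compare the file with the component store.
sfc.exe /verifyfile=C:\Windows\System32\odbc32.dll
```

A `Valid` status with a Microsoft signer and no integrity violation reported by sfc indicates the file is unchanged since Microsoft signed it; any other result warrants collecting the file and logs for the vendor rather than creating an exclusion.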