
Win64/Rozena_AGen.CU



Hello everyone, I need your assistance, as I've got this alert from ESET that there's a trojan file by the name Win64/Rozena_AGen.CU found in this path: file:///C:/Windows/System32/odbc32.dll. When I checked this file, it's related to MS database ODBC. May I know how I would know if it's a false positive or not, and what should I do in this case?

 


  • Administrators

The FP was fixed automatically and the file is not detected any more. If you can wait a few more hours, we would appreciate it if you could let us restore the file from quarantine automatically with the next update, which is planned in about 4 hours from now, and then let us know if it was restored OK. If it can't wait, you can restore the file now; however, please provide logs collected with ESET Log Collector, since ESET LiveGrid was supposed to prevent the detection and we would like to investigate if it failed on your machine for some reason.


1 hour ago, Marcos said:

since ESET LiveGuard was supposed to prevent the detection and we would like to investigate if it failed on your machine for some reason.

Only applicable to ESSP since it is the only consumer version that has LiveGuard. Did you mean LiveGrid instead?


  • Administrators
5 minutes ago, itman said:

Only applicable to ESSP since it is the only consumer version that has LiveGuard. Did you mean LiveGrid instead?

I'm sorry, made a typo. I meant ESET LiveGrid.


Hello @Marcos, I have the same detection as the topic starter, and it also happened to me on October 15th, at 5-6 am. But the problem is that it's still showing up for me in ESET as detected. Could you please help me somehow? I think that it's a false positive, but I find it really strange that the file (URI: file:///C:/windows/SYSTEM32/ODBC32.dll ; Process name: C:\Windows\System32\dllhost.exe) is still showing up as detected...

Thank you.


  • Administrators
37 minutes ago, amdrodiooon said:

Could you please help me somehow? I think that it's a false positive, but I find it really strange that the file (URI: file:///C:/windows/SYSTEM32/ODBC32.dll ;

Do you mean that the file C:\Windows\SYSTEM32\ODBC32.dll is not present on the machine in question?


No, I mean that this file/process is present on the PC (it's some Windows component) and is still showing up as Trojan: "Win64/Rozena_AGen.CU" in my ESET app. But you wrote to the topic starter that the FP was fixed and the file is not detected anymore.

So my question is: is it some error on your side that you can fix remotely somehow, or is it Microsoft's/our error?
 


  • Administrators

If the file was still detected, it would also be removed from C:\Windows\SYSTEM32\ODBC32.dll. However, you wrote that it was still on your PC, so it's in accordance with what I replied to the OP above.


  • Administrators

The above comes from logs. Logs are not automatically cleaned by ESET releasing a module update. If the file was detected and quarantined, it should no longer be in quarantine since it was restored to C:\Windows\SYSTEM32\ODBC32.dll.


It's showing up as "Unresolved detection". Does it mean that it was quarantined?

And what am I supposed to do so that ESET stops showing me this detection? I thought that it would be fixed automatically, but it still shows up.
Do I now need to Create Exclusion / Mark as Resolved?
What can I do to be sure that this detection was a false positive, besides a VirusTotal check?

Sorry for so many questions, but I'm just really confused by this situation... 🙂


  • Administrators

Detections are supposed to be resolved by an administrator or by running an in-depth scan from ESET PROTECT as stated at https://help.eset.com/protect_admin/10.1/en-US/threats.html:

Resolved detections - These are detections that have been marked by a user as resolved, however they have not yet been scanned using In-Depth Scan. Devices with detections marked as resolved will still be displayed in the filtered results list until scanning is performed.

I assume that you didn't run an in-depth scan or manually resolve the detection, which is why you see it unresolved.

The file is not detected so you don't need to create a detection exclusion. You can resolve the detection manually in the ESET PROTECT console.


  • Administrators

I stand corrected. This was a system file, so we didn't even attempt to clean it, which is why it has "handled" set to 0 in your screenshot.


This topic is now closed to further replies.