Tetranitrocubane 1 Posted March 16

I awoke this morning and launched the Steam client on my PC, and began auto-downloading a number of patches, as the software is designed to do. In the midst of the download, ESET popped up to alert me of a malware detection originating from Steam.exe. The details are as follows:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
3/16/2024 6:31:54 AM;Real-time file system protection;file;D:\Steam\steamapps\downloading\2012840\bin\parsifal.dll;ML/Augur potentially unwanted application;cleaned by deleting;[COMPUTER NAME REDACTED];Event occurred on a new file created by the application: D:\Steam\steam.exe (558403043F0288ABA3D9A43E9DFA7E109BC0B31A).;F68ECA3E557C9D55DC254054822225016429A4A3;3/16/2024 6:31:19 AM

I responded by cleaning via deletion, and copied the file to Quarantine. I also submitted the file to ESET via the quarantine tab.

A cursory search of the Steam ID associated with this file (2012840) reveals that this was downloaded as an update to "Portal With RTX". Further investigation of the Steam Download panel lists that the "Portal With RTX" game is showing "Missing Downloaded Files" as an error during the download, indicating that this file (parsifal.dll) was expected, and is now regarded as missing.

As Steam.exe is scanning clean, and is fully clear via VirusTotal, I don't believe Steam.exe has been infected, and it looks as if this file was an expected one. Is this a legitimate detection, and if so, does this indicate a compromise of my system? Or is this a false positive?

Thanks in advance for any help.
Tetranitrocubane 1 Posted March 16 Author (edited March 16 by Tetranitrocubane)

A bit of further investigation: Digging into the Steam DB entry for the latest Portal With RTX update reveals that Depot 2012842 (you need to advance to tab 2) DOES contain the file parsifal.dll, at an expected file size of 116.50 kb, which matches what my machine downloaded (according to the file being held in Quarantine).

If nothing else, this seems to indicate that the file was delivered intentionally as a part of this update, and not the result of a trojan or infected component of Steam. I'm still uncertain as to the legitimacy of this file, but malware or no, Steam pushed this file as designed.
itman 1,664 Posted March 16

Submit parsifal.dll to VirusTotal and see if anyone else has issues with the file.
Tetranitrocubane 1 Posted March 16 Author

Unfortunately (or fortunately?) the file was deleted by ESET and I cannot upload it to VT. I did submit the file for analysis via the quarantine tab, though.

I've searched VirusTotal by the file hash listed in the log file, but this doesn't return any results. The file was updated at a date of about two days ago. It seems no one has submitted it to VT since.
itman 1,664 Posted March 16

16 minutes ago, Tetranitrocubane said:
    Unfortunately (or fortunately?) the file was deleted by ESET and I cannot upload it to VT

File should be in Eset Quarantine.
Tetranitrocubane 1 Posted March 16 Author

Just now, itman said:
    File should be in Eset Quarantine.

It is, but that makes it currently inaccessible. Do you mean that I ought to restore the file? In the event that the file is truly malicious, won't that infect my system?
Marcos 5,085 Posted March 16 (Administrators, Solution)

It was a false positive (Machine Learning) that has been fixed and the file is not detected any more.
Tetranitrocubane 1 Posted March 16 Author

Thank you Marcos for confirming that it was a false positive! I very much appreciate it!
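Added example, not part of any post in this thread and not ESET's own tooling: a small parser for the semicolon-delimited detection log quoted in the first post, pulling out the facts the thread relies on for triage (file hash, Steam app ID from the staging path, the creating process and its hash). The function names, the regexes and the reading of an "ML/" prefix as a machine-learning detection are assumptions made for this illustration.

```python
import csv
import io
import re

# Header and detection row copied verbatim from the first post.
LOG = "\n".join([
    "Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here",
    r"3/16/2024 6:31:54 AM;Real-time file system protection;file;"
    r"D:\Steam\steamapps\downloading\2012840\bin\parsifal.dll;"
    r"ML/Augur potentially unwanted application;cleaned by deleting;"
    r"[COMPUTER NAME REDACTED];Event occurred on a new file created by the "
    r"application: D:\Steam\steam.exe (558403043F0288ABA3D9A43E9DFA7E109BC0B31A).;"
    r"F68ECA3E557C9D55DC254054822225016429A4A3;3/16/2024 6:31:19 AM",
])

# Assumed patterns: Steam stages updates under steamapps\downloading\<app id>\,
# and the Information field names the creating process followed by its SHA-1.
STEAM_STAGING = re.compile(r"\\steamapps\\downloading\\(\d+)\\", re.IGNORECASE)
CREATOR = re.compile(r"created by the application: (.+?) \(([0-9A-Fa-f]{40})\)")


def parse_eset_log(text):
    """Return one dict per detection row, keyed by the export's header names."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    rows = list(reader)
    for row in rows:
        # DictReader files surplus fields under None and pads missing ones with None.
        if None in row or None in row.values():
            raise ValueError("row field count does not match the header")
    return rows


def triage(row):
    """Collect the values worth checking against the depot listing and VirusTotal."""
    app = STEAM_STAGING.search(row["Object"])
    creator = CREATOR.search(row["Information"])
    return {
        "file": row["Object"].rsplit("\\", 1)[-1],
        "sha1": row["Hash"],
        "steam_app_id": app.group(1) if app else None,
        "creator": creator.group(1) if creator else None,
        "creator_sha1": creator.group(2) if creator else None,
        "ml_detection": row["Detection"].startswith("ML/"),  # assumed naming rule
    }


if __name__ == "__main__":
    for record in parse_eset_log(LOG):
        print(triage(record))
```

The extracted SHA-1 values can be looked up by hash, and the app ID checked against the depot file listing, without restoring the file from Quarantine.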