
ML/Augur detection during Steam Game Update "Portal With RTX"


Solved by Marcos

I awoke this morning and launched the Steam client on my PC, and began auto-downloading a number of patches, as the software is designed to do. In the midst of the download, ESET popped up to alert me of a malware detection originating from Steam.exe. The details are as follows:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
3/16/2024 6:31:54 AM;Real-time file system protection;file;D:\Steam\steamapps\downloading\2012840\bin\parsifal.dll;ML/Augur potentially unwanted application;cleaned by deleting;[COMPUTER NAME REDACTED];Event occurred on a new file created by the application: D:\Steam\steam.exe (558403043F0288ABA3D9A43E9DFA7E109BC0B31A).;F68ECA3E557C9D55DC254054822225016429A4A3;3/16/2024 6:31:19 AM

I responded by cleaning via deletion, and copied the file to Quarantine. 

I also submitted the file to ESET via the quarantine tab.

A cursory search of the Steam ID associated with this file (2012840) reveals that this was downloaded as an update to "Portal With RTX". Further investigation of the Steam Download panel lists that the "Portal With RTX" game is showing "Missing Downloaded Files" as an error during the download, indicating that this file (parsifal.dll) was expected, and is now regarded as missing. As Steam.exe is scanning clean, and is fully clear via VirusTotal, I don't believe Steam.exe has been infected, and it looks as if this file was an expected one.

Is this a legitimate detection, and if so, does this indicate a compromise of my system? Or is this a false positive?

Thanks in advance for any help.



A bit of further investigation:

Digging into the Steam DB entry for the latest Portal With RTX update reveals that Depot 2012842 (you need to advance to tab 2) DOES contain the file parsifal.dll, at an expected file size of 116.50 kb, which matches what my machine downloaded (According to the file being held in Quarantine). 


If nothing else, this seems to indicate that the file was delivered intentionally as a part of this update, and not the result of a trojan or infected component of Steam. 

I'm still uncertain as to the legitimacy of this file, but malware or no, Steam pushed this file as designed. 

Edited by Tetranitrocubane

Submit parsifal.dll to VirusTotal and see if anyone else has issues with the file.


Unfortunately (or fortunately?) the file was deleted by ESET and I cannot upload it to VT. I did submit the file for analysis via the quarantine tab, though.

I've searched VirusTotal by the file hash listed in the log file, but this doesn't return any results.

The file was updated at a date of about two days ago. It seems no one has submitted it to VT since.


16 minutes ago, Tetranitrocubane said:

Unfortunately (or fortunately?) the file was deleted by ESET and I cannot upload it to VT

File should be in Eset Quarantine.


Just now, itman said:

File should be in Eset Quarantine.

It is, but that makes it currently inaccessible. 

Do you mean that I ought to restore the file? In the event that the file is truly malicious, won't that infect my system?


Marcos (Administrator), marked as the solution:

It was a false positive (Machine Learning) that has been fixed and the file is not detected any more.

This topic is now closed to further replies.