Chas4, posted May 2:
The error was made about a month ago, and a strange bug in ESET has the ignore not working (last 2 stable versions, same bug); I get about 5 to 6 notifications a day.

NirLauncher is a package of more than 200 portable freeware utilities for Windows, all of them developed for the NirSoft web site during the last few years.
https://launcher.nirsoft.net

AOMEI Partition Assistant Professional
https://www.diskpart.com/download.html

In the above code are the download sites for the 2 false positives; for the 2nd one, the last 2 versions have both had the same false positive.
Marcos (Administrator), posted May 2:
The detection / classification is correct. Detection of potentially unwanted applications is optional and is not enabled without the user's consent. For more information about what PUAs are, please read https://support.eset.com/en/kb2629 .
Chas4, posted May 2:
No, it is not correct; it is a false positive for the PUA, as the 2nd one is a recent add, as it was not flagged for over a year, and removing the flagged item could break the legit program. I have the PUA setting at default and it is being tagged the same as other programs.
Chas4, posted May 2:
I had to use the 2nd tool for Windows 10 since Microsoft's built-in tool is broken and will block updates for the recovery partition due to a bug in Windows 10 (the entire world has that bug in Windows 10); the built-in partition assistant can't update the recovery partition unless it is in a certain order of where the C: drive is.
Chas4, posted May 2:
Also, what about the strange bug in ESET that has the ignore not working (last 2 stable versions, same bug)? I have it set to exclude the files but that is getting ignored.
Marcos (Administrator), posted May 2:
13 minutes ago, Chas4 said:
Also, what about the strange bug in ESET that has the ignore not working (last 2 stable versions, same bug)? I have it set to exclude the files but that is getting ignored.

Please provide logs collected with ESET Log Collector for us to check how the exclusion was created.
Chas4, posted May 2:
3 hours ago, Marcos said:
Please provide logs collected with ESET Log Collector for us to check how the exclusion was created.

The exclusion was originally made via the dialog that popped up, and other times I went and added it manually. I know some of the items that have been in quarantine are ones I reported to ESET; I have submitted the 3 files to ESET that are false positives. Will send the ESET Log Collector files in a DM.
Marcos (Administrator), posted May 2:
Which exclusion do you think does not work? There are 3 recent detections which are now excluded and were detected just once, not repeatedly, so to me it looks like the exclusions work:

\Device\HarddiskVolumeShadowCopy3\Users\charl\Downloads\nirsoft_package_enc_1.30.10\NirSoft\lsasecretsview.exe a variant of Win32/Agent_AGen.I potentially unsafe application
\Device\HarddiskVolumeShadowCopy3\Program Files (x86)\AOMEI Partition Assistant\ADR.exe a variant of Win32/MyRecover.A potentially unwanted application
C:\Program Files (x86)\AOMEI Partition Assistant\is-6HVI7.tmp a variant of Win32/MyRecover.A potentially unwanted application
Chas4, posted May 2:
5 minutes ago, Marcos said:
Which exclusion do you think does not work? There are 3 recent detections which are now excluded and were detected just once, not repeatedly, so to me it looks like the exclusions work:
\Device\HarddiskVolumeShadowCopy3\Users\charl\Downloads\nirsoft_package_enc_1.30.10\NirSoft\lsasecretsview.exe a variant of Win32/Agent_AGen.I potentially unsafe application
\Device\HarddiskVolumeShadowCopy3\Program Files (x86)\AOMEI Partition Assistant\ADR.exe a variant of Win32/MyRecover.A potentially unwanted application
C:\Program Files (x86)\AOMEI Partition Assistant\is-6HVI7.tmp a variant of Win32/MyRecover.A potentially unwanted application

Nope, the shadow copy is only created when doing a backup using the Win 7 classic backup program built into Windows, with the backup over USB 2.0 to a drive I plug in, and the exclusions are not working as I get about 5 to 8 per day of the same 3 items; there are the same 3 over and over (2 are 2 different versions of the installer for AOMEI Partition Assistant, the 3rd is part of the NirSoft Launcher).
Marcos (Administrator), posted May 2:
Still it is unclear to me, so please provide:
1. The detection exclusion that you created to exclude a specific file / detection
2. The appropriate record from the Detections log related to the detection that occurred with the exclusion in place.
Chas4, posted May 2:
6 minutes ago, Marcos said:
Still it is unclear to me, so please provide:
1. The detection exclusion that you created to exclude a specific file / detection
2. The appropriate record from the Detections log related to the detection that occurred with the exclusion in place.

The 2 installers for AOMEI Partition Assistant are in the downloads folder and the older one in the recycle bin, and the 3rd one, NirSoft Launcher, is in the downloads folder, and they have exclusions but I still get notifications that the real-time scanner picked them up, ignoring the exclusion. Also, can you report the bug to the developers, as the detections that show in the notifications are not showing in the logs correctly at all; I see about 20 missing (I have not changed the logs and they are set to the default log cleaning).
Marcos (Administrator), posted May 2:
Let's put NirSoft tools aside; there are many of them with various detection names and paths, which brings a lot of confusion into this. The following exclusions exist for "AOMEI":

<NODE NAME="Path" TYPE="string" VALUE="C:\Program Files (x86)\AOMEI Partition Assistant\ADR.exe" />
<NODE NAME="ThreatName" TYPE="string" VALUE="@NAME=Win32/MyRecover.A@TYPE=ApplicUnwnt" />
<NODE NAME="Path" TYPE="string" VALUE="https://www2.aomeisoftware.com/download/pa/full/PAssist_Setup.exe?cfv=20240501.8059208" />
<NODE NAME="ThreatName" TYPE="string" VALUE="@NAME=Win32/MyRecover.A@TYPE=ApplicUnwnt" />
<NODE NAME="Path" TYPE="string" VALUE="C:\Program Files (x86)\AOMEI Partition Assistant\is-6HVI7.tmp" />
<NODE NAME="ThreatName" TYPE="string" VALUE="@NAME=Win32/MyRecover.A@TYPE=ApplicUnwnt" />
<NODE NAME="Path" TYPE="string" VALUE="\Device\HarddiskVolumeShadowCopy3\Program Files (x86)\AOMEI Partition Assistant\ADR.exe" />
<NODE NAME="ThreatName" TYPE="string" VALUE="@NAME=Win32/MyRecover.A@TYPE=ApplicUnwnt" />

The following AOMEI detections occurred, each detected just once. The same files were not detected repeatedly, i.e. the exclusions worked as expected:

1. 5. 2024 4:37:44 Real-time file system protection file \Device\HarddiskVolumeShadowCopy3\Program Files (x86)\AOMEI Partition Assistant\ADR.exe a variant of Win32/MyRecover.A potentially unwanted application retained NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe (3F64C98F22DA277A07CAB248C44C56EEDB796A81).
1. 5. 2024 2:00:32 Real-time file system protection file C:\Program Files (x86)\AOMEI Partition Assistant\is-6HVI7.tmp a variant of Win32/MyRecover.A potentially unwanted application retained CSIDEAPADFLEX5\charl Event occurred on a new file created by the application: C:\Users\charl\AppData\Local\Temp\is-KG75T.tmp\PAssist_Setup_20240501.8059208.tmp (4BE412E572EE9F01F60FE63CA6CF40BEA393DAEA).
9. 4. 2024 17:32:37 Real-time file system protection file C:\Program Files (x86)\AOMEI Partition Assistant\ADR.exe a variant of Win32/MyRecover.A potentially unwanted application retained NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\CompatTelRunner.exe (9DC56755AD4B1529041610E307F4DE6A37459885).
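The argument above is that every AOMEI record has a matching exclusion and none repeats. The script below is an added example, not ESET's code and not necessarily how ESET matches exclusions: it cross-checks the quoted exclusion fragment against the quoted Detections-log lines under the assumed rule that file path and detection name must both match exactly, so a shadow-copy path needs its own entry. The URL exclusion is omitted, and the NirSoft log line is constructed from the path and detection name quoted earlier in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Exclusion NODE pairs as quoted in the thread (URL entry omitted), wrapped in a root element.
EXCLUSIONS_XML = r"""<ROOT>
<NODE NAME="Path" TYPE="string" VALUE="C:\Program Files (x86)\AOMEI Partition Assistant\ADR.exe" />
<NODE NAME="ThreatName" TYPE="string" VALUE="@NAME=Win32/MyRecover.A@TYPE=ApplicUnwnt" />
<NODE NAME="Path" TYPE="string" VALUE="C:\Program Files (x86)\AOMEI Partition Assistant\is-6HVI7.tmp" />
<NODE NAME="ThreatName" TYPE="string" VALUE="@NAME=Win32/MyRecover.A@TYPE=ApplicUnwnt" />
<NODE NAME="Path" TYPE="string" VALUE="\Device\HarddiskVolumeShadowCopy3\Program Files (x86)\AOMEI Partition Assistant\ADR.exe" />
<NODE NAME="ThreatName" TYPE="string" VALUE="@NAME=Win32/MyRecover.A@TYPE=ApplicUnwnt" />
</ROOT>"""

# Detections-log records from the thread, condensed; the last one is constructed from the
# NirSoft path and detection name quoted earlier in the thread (no exclusion exists for it).
DETECTIONS = [
    r"1. 5. 2024 4:37:44 Real-time file system protection file \Device\HarddiskVolumeShadowCopy3\Program Files (x86)\AOMEI Partition Assistant\ADR.exe a variant of Win32/MyRecover.A potentially unwanted application retained NT AUTHORITY\SYSTEM",
    r"1. 5. 2024 2:00:32 Real-time file system protection file C:\Program Files (x86)\AOMEI Partition Assistant\is-6HVI7.tmp a variant of Win32/MyRecover.A potentially unwanted application retained CSIDEAPADFLEX5\charl",
    r"9. 4. 2024 17:32:37 Real-time file system protection file C:\Program Files (x86)\AOMEI Partition Assistant\ADR.exe a variant of Win32/MyRecover.A potentially unwanted application retained NT AUTHORITY\SYSTEM",
    r"Real-time file system protection file \Device\HarddiskVolumeShadowCopy3\Users\charl\Downloads\nirsoft_package_enc_1.30.10\NirSoft\lsasecretsview.exe a variant of Win32/Agent_AGen.I potentially unsafe application retained",
]

# The path must start with a drive letter or \Device, so the "file" in "Real-time file system" is skipped.
DETECTION_RE = re.compile(r"file ((?:[A-Za-z]:|\\Device)\\.+?) a variant of (\S+) potentially (?:unwanted|unsafe) application")
NAME_RE = re.compile(r"@NAME=([^@]+)")  # only the detection name is compared; the @TYPE token is ignored

def parse_exclusions(xml_text):
    """Return a set of (lower-cased path, detection name) from consecutive Path/ThreatName NODEs."""
    values = [(n.get("NAME"), n.get("VALUE")) for n in ET.fromstring(xml_text).findall("NODE")]
    exclusions = set()
    for (k1, path), (k2, threat) in zip(values[::2], values[1::2]):
        if (k1, k2) != ("Path", "ThreatName"):
            raise ValueError("expected a Path NODE followed by a ThreatName NODE")
        exclusions.add((path.lower(), NAME_RE.search(threat).group(1)))
    return exclusions

def parse_detection(line):
    """Extract (lower-cased path, detection name) from one Detections-log line, or None."""
    m = DETECTION_RE.search(line)
    return (m.group(1).lower(), m.group(2)) if m else None

def uncovered(log_lines, xml_text):
    """Detections no exclusion covers under the assumed rule that path AND name match exactly."""
    # Under this rule the C: exclusion alone does not cover the same file seen via a shadow-copy path.
    exclusions = parse_exclusions(xml_text)
    return [d for d in map(parse_detection, log_lines) if d and d not in exclusions]

if __name__ == "__main__":
    for path, name in uncovered(DETECTIONS, EXCLUSIONS_XML): print(f"no exclusion for {name} at {path}")
```

Run against the thread's data, the three AOMEI records are covered and only the NirSoft record is reported, which is the gap a user would have to close with a further path-plus-name exclusion.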
Chas4, posted May 2:
The exclusions seem to be getting ignored, and NirSoft should not be, as I added an exclusion to the launcher and it is still picked up (listed the launcher in code).
Chas4, posted May 8:
This should be moved back to where it was, as it is not malware but false positives, and one was added recently.
Marcos (Administrator), posted May 8:
13 minutes ago, Chas4 said:
This should be moved back to where it was, as it is not malware but false positives, and one was added recently.

I don't understand what you mean by "move back". If you are referring to this topic location, it's correct. This forum is about both malware and false positives. Anyways, none of the files detected on your machine was a false positive and all were correct detections and classifications.
Chas4, posted May 8:
42 minutes ago, Marcos said:
I don't understand what you mean by "move back". If you are referring to this topic location, it's correct. This forum is about both malware and false positives. Anyways, none of the files detected on your machine was a false positive and all were correct detections and classifications.

This thread was moved to the wrong forum, and 100% of them are false positives; the free version of the software that I know of does not have that detected part, and it is a single one-time purchase. The software has to be used since Microsoft's built-in tool for disk partitions has a bug where it can't resize the recovery environment in some configurations, which blocks a security update released earlier this year (one that blocks a BitLocker bypass) from being installed. The other detection would break the launcher that a person made for easier use of NirSoft free tools (many of which even Microsoft recommends). It took about 4 times of telling it and adding it to the ignored list for it to be ignored (the pop-ups started missing the "add to ignore list" since they already were, but that was being ignored due to a bug in the real-time scanner) <- that would make it need to go back to the correct forum section, as this one is not labeled for false positives. I have the PUA detection at the default settings, not high; due to the ESET bug I had to have duplicates of the same few paths.
Marcos (Administrator), posted May 8:
This "Malware finding and cleaning" is the right forum to report problems with malware or false positives, which is why I have moved your topic here. Many NirSoft tools can be exploited for malicious purposes in the wrong hands, which is why they may be detected as potentially unsafe applications, which are not detected by default. The application detected as potentially unwanted meets the criteria for PUA detection (https://support.eset.com/en/kb2629), which is optional and enabled only with the user's consent. Our experts on detection analyze applications deeply prior to categorizing them as PUA/PUsA, so there was a good reason for the PUA detection. Also, exclusions work as they are supposed to. However, when creating an exclusion for a junction (e.g. c:\documents and settings), we recommend creating another one for the actual folder under c:\users as well.
Chas4, posted May 9:
8 hours ago, Marcos said:
This "Malware finding and cleaning" is the right forum to report problems with malware or false positives, which is why I have moved your topic here. Many NirSoft tools can be exploited for malicious purposes in the wrong hands, which is why they may be detected as potentially unsafe applications, which are not detected by default. The application detected as potentially unwanted meets the criteria for PUA detection (https://support.eset.com/en/kb2629), which is optional and enabled only with the user's consent. Our experts on detection analyze applications deeply prior to categorizing them as PUA/PUsA, so there was a good reason for the PUA detection. Also, exclusions work as they are supposed to. However, when creating an exclusion for a junction (e.g. c:\documents and settings), we recommend creating another one for the actual folder under c:\users as well.

Nope, exclusions are buggy; I just had some ignored for an 8th time and added 2 via the dialog that were already in the excluded list. They were created via the ESET dialog and via manually adding them. The disk partition software is 100% a false positive, as the part it is picking up is part of the paid-for one, and I had it just fine on the machine for over a year without being flagged by ESET, to 15+ messages a day about the same file even after telling it to ignore it and exclude it. Again, I have the default PUA detection, not set to high at all. Also, based on your PUA definition, Windows the OS itself is a PUA since it can be exploited for malicious purposes.
alan1476, posted July 5:
Has this topic ever been resolved? ESET is still picking it up, and I don't know if it stops the application from working correctly. Thank you for any information you can give me.
Marcos (Administrator), posted July 5:
18 minutes ago, alan1476 said:
Has this topic ever been resolved? ESET is still picking it up, and I don't know if it stops the application from working correctly. Thank you for any information you can give me.

What detection are you referring to? If it's a PUA/PUsA detection, did you create the appropriate detection exclusions?