
false positive



One of my friends is using eScan antivirus, and ESET is making it hard for him to install it. I know using two antimalware programs is not a good idea, but he still wants to do it. That being said, ESET is detecting the sys file of the eScan installation as a PUP, and due to this, the eScan installation fails. Even if I add the eScan setup to the exclusion list by disabling system protection during installation, ESET detects it again after re-enabling protection. It makes no sense that ESET is detecting components of another antimalware program as PUPs. This detection should be removed; it's really a false positive flagging files of other antimalware programs.

No other vendor on VirusTotal detects it except ESET, which clearly indicates it's a false positive. This detection should be removed, as it is incorrectly flagging files of another antimalware program.

b591e20101e858d2f1ebc8ac5a59c725693f141b80381d3b1e79f9f5504b0277

https://www.virustotal.com/gui/file/b591e20101e858d2f1ebc8ac5a59c725693f141b80381d3b1e79f9f5504b0277


Edited by hellosky11

  • Administrators

The detection / classification as a potentially unsafe application is correct. The file is not detected with default settings. If you want to use the application deliberately, you can create a detection exclusion.

Windows Packet Divert (WinDivert) is a user-mode packet interception library
for Windows 7, Windows 8 and Windows 10.

WinDivert enables user-mode capturing/modifying/dropping of network packets
sent to/from the Windows network stack.  In summary, WinDivert can:
    - capture network packets
    - filter/drop network packets
    - sniff network packets
    - (re)inject network packets
    - modify network packets
WinDivert can be used to implement user-mode packet filters, sniffers,
firewalls, NATs, VPNs, IDSs, tunneling applications, etc.

WinDivert supports the following features:
    - packet interception, sniffing, or dropping modes
    - support for loopback (localhost) traffic
    - full IPv6 support
    - network layer
    - simple yet powerful API
    - high-level filtering language
    - filter priorities

Fortinet also detects the WinDivert driver: https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_WinDivert_Driver_Load.htm

Quote

MITRE ATT&CK® Techniques

T1599.001

Network Boundary Bridging: Network Address Translation Traversal

Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. Adversaries may use Patch System Image to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.

https://attack.mitre.org/techniques/T1599/00

Again, take what VT is showing detection-wise with a "grain of salt."

Edited by itman

Also, a bit of common security-sense here.

Do you want a Win user mode driver that can manipulate data in the network stack installed on your device? I certainly don't.


As to the use of eScan:

Quote

GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining

Key Points

  • Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers
  • Avast disclosed the vulnerability to both eScan antivirus and India CERT. On 2023-07-31, eScan confirmed that the issue was fixed and successfully resolved
  • The campaign was orchestrated by a threat actor with possible ties to Kimsuky
  • Two different types of backdoors have been discovered, targeting large corporate networks
  • The final payload distributed by GuptiMiner was also XMRig

https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/

Edited by itman

So does that mean eScan antimalware contains WinDivert as malicious stuff? And eScan relies totally on Bitdefender signatures, so if Bitdefender also releases a detection for this, eScan will trigger on its own file as malicious. Weird.


  • Administrators

The detection is correct. Moreover, they say we detect it as a virus, which is not true. WinDivert is detected as a potentially unsafe application, and its detection is disabled by default. The description of WinDivert fulfills the criteria for potentially unsafe applications and is likely to be unwanted by administrators in their networks.
