hellosky11 - Posted September 11 (edited)

One of my friends is using eScan antivirus, and ESET is making it hard for him to install it. I know using two antimalware programs is not a good idea, but he still wants to do it. That being said, ESET is detecting the .sys file of the eScan installation as a PUP, and because of this the eScan installation fails. Even if I add the eScan setup to the exclusion list by disabling system protection during installation, ESET detects it again after re-enabling protection. It makes no sense that ESET is detecting components of another antimalware program as PUPs. This detection should be removed; it's really a false positive flagging files of other antimalware programs. No other vendor on VirusTotal detects it except ESET, which clearly indicates it's a false positive. This detection should be removed, as it is incorrectly flagging files of another antimalware program.

b591e20101e858d2f1ebc8ac5a59c725693f141b80381d3b1e79f9f5504b0277
https://www.virustotal.com/gui/file/b591e20101e858d2f1ebc8ac5a59c725693f141b80381d3b1e79f9f5504b0277

Edited September 11 by hellosky11
Marcos (Administrator) - Posted September 11

The detection / classification as a potentially unsafe application is correct. The file is not detected with default settings. If you want to use the application deliberately, you can create a detection exclusion.

Quote:
Windows Packet Divert (WinDivert) is a user-mode packet interception library for Windows 7, Windows 8 and Windows 10. WinDivert enables user-mode capturing/modifying/dropping of network packets sent to/from the Windows network stack. In summary, WinDivert can:
- capture network packets
- filter/drop network packets
- sniff network packets
- (re)inject network packets
- modify network packets
WinDivert can be used to implement user-mode packet filters, sniffers, firewalls, NATs, VPNs, IDSs, tunneling applications, etc. WinDivert supports the following features:
- packet interception, sniffing, or dropping modes
- support for loopback (localhost) traffic
- full IPv6 support
- network layer
- simple yet powerful API
- high-level filtering language
- filter priorities
hellosky11 (Author) - Posted September 11

Now it does not even get restored, wow!
hellosky11 (Author) - Posted September 11

Are you telling me that the antimalware eScan has put a PUP in their setup?
itman - Posted September 11 (edited)

Fortinet also detects the WinDivert driver: https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_WinDivert_Driver_Load.htm

Quote:
MITRE ATT&CK® Techniques
T1599.001 Network Boundary Bridging: Network Address Translation Traversal
Adversaries may bridge network boundaries by modifying a network device's Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. Adversaries may use Patch System Image to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.
https://attack.mitre.org/techniques/T1599/00

Again, take what VT is showing detection-wise with a "grain of salt."

Edited September 11 by itman
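The Fortinet rule mentioned above alerts on the WinDivert driver being loaded. As an added example that is not part of the thread or of any vendor's product, the following Python parses the body of a Sysmon Event ID 6 (Driver loaded) record and reports why an administrator might want to review that load, using the driver name and the SHA-256 quoted earlier in the thread; the sample records, the driver file name and the hash casing are constructed for the example.

```python
from dataclasses import dataclass, field

# SHA-256 quoted in the thread above; the only indicator this page gives.
KNOWN_WINDIVERT_SHA256 = {
    "b591e20101e858d2f1ebc8ac5a59c725693f141b80381d3b1e79f9f5504b0277"
}

@dataclass
class DriverLoad:
    image: str
    hashes: dict = field(default_factory=dict)
    signed: bool = False

def parse_sysmon_driver_load(message: str) -> DriverLoad:
    """Parse the 'Key: value' body of a Sysmon Event ID 6 (Driver loaded) record."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    hashes = {}
    for part in fields.get("Hashes", "").split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            hashes[algo.strip().upper()] = digest.strip().lower()
    return DriverLoad(image=fields.get("ImageLoaded", ""), hashes=hashes,
                      signed=fields.get("Signed", "").lower() == "true")

def review_driver_load(ev: DriverLoad) -> list:
    """Reasons an admin may want to review this load; an empty list means nothing notable."""
    reasons = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if "windivert" in name:
        reasons.append("packet-diverting driver by name: " + name)
    if ev.hashes.get("SHA256") in KNOWN_WINDIVERT_SHA256:
        reasons.append("SHA256 matches the WinDivert build discussed in the thread")
    if not ev.signed:
        reasons.append("driver is not signed")
    return reasons

# Constructed sample records (not real telemetry); field names follow Sysmon's rendering.
SAMPLE_WINDIVERT = "\n".join([
    "Driver loaded:",
    r"ImageLoaded: C:\Windows\System32\drivers\WinDivert64.sys",
    "Hashes: SHA256=B591E20101E858D2F1EBC8AC5A59C725693F141B80381D3B1E79F9F5504B0277",
    "Signed: true", "SignatureStatus: Valid"])
SAMPLE_BENIGN = "\n".join([
    r"ImageLoaded: C:\Windows\System32\drivers\tcpip.sys",
    "Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    "Signed: true", "Signature: Microsoft Windows", "SignatureStatus: Valid"])
```

Whether such a load is acceptable is a policy decision for the administrator, which is the same point ESET makes by classifying WinDivert as potentially unsafe rather than as malware.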
itman - Posted September 11

Also, a bit of common security sense here. Do you want a Windows user-mode driver that can manipulate data in the network stack installed on your device? I certainly don't.
itman - Posted September 11 (edited)

As to use of eScan:

Quote:
GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining
Key Points
- Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers
- Avast disclosed the vulnerability to both eScan antivirus and India CERT. On 2023-07-31, eScan confirmed that the issue was fixed and successfully resolved
- The campaign was orchestrated by a threat actor with possible ties to Kimsuky
- Two different types of backdoors have been discovered, targeting large corporate networks
- The final payload distributed by GuptiMiner was also XMRig
https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/

Edited September 11 by itman
hellosky11 (Author) - Posted September 16

So does that mean eScan antimalware contains WinDivert as malicious stuff? And eScan relies totally on Bitdefender signatures, so if Bitdefender also releases a detection for this, eScan will flag its own file as malicious. Weird.
hellosky11 (Author) - Posted September 16

I contacted eScan; here is what they replied: https://www.escanav.com/en/about-us/eScan-update-advisory.asp
Marcos (Administrator) - Posted September 16

The detection is correct. Moreover, they say we detect it as a virus, which is not true. WinDivert is detected as a potentially unsafe application, and its detection is disabled by default. The description of WinDivert fulfills the criteria for potentially unsafe applications, and it is likely to be unwanted by administrators in their networks.