jimwillsher 65 Posted March 2, 2015 (edited)

Hi

One of my clients has reported back to ERA a number of Potentially Unwanted Applications, e.g.:

potentially unwanted application Win32/Toolbar.Conduit.B Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 15:57:58 Antivirus
potentially unwanted application Win32/Toolbar.Conduit.X Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 15:58:42 Antivirus
potentially unwanted application Win32/InstallCore.CH Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 15:59:00 Antivirus
potentially unwanted application Win32/Wajam.F Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 16:00:49 Antivirus
potentially unwanted application Win32/KoyoteLab.A Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 16:05:27 Antivirus
potentially unwanted application Win32/Toolbar.Conduit.X Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 18:02:39 Antivirus
potentially unwanted application Win32/Toolbar.Conduit.B Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 18:02:48 Antivirus
potentially unwanted application Win32/Wajam.F Jim Desktop 192.168.1.64

What is the recommended way to deal with these please? Although the threats tab lists the above, it does not give any clues as to the location of the files, so I'm working in the dark. Am I to visit the affected machine and run a manual scan? Or is there a way to remove the PUAs from ERA?

Many thanks

Jim

EDIT: Well, that table formatted nicely in the forum, NOT! Hopefully you can make sense of the content....

Edited March 2, 2015 by jimwillsher
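As an added example (not part of Jim's post and not ESET's own code), the pasted rows above can be parsed into records and summarised per computer and detection name, which is the triage view the Threats tab alone does not give. The column layout is assumed from the paste, and the truncated last row is kept so that a partial row is reported rather than silently dropped.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the rows pasted in the post above, last one truncated as posted.
RAW_EVENTS = """\
potentially unwanted application Win32/Toolbar.Conduit.B Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 15:57:58 Antivirus
potentially unwanted application Win32/Toolbar.Conduit.X Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 15:58:42 Antivirus
potentially unwanted application Win32/InstallCore.CH Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 15:59:00 Antivirus
potentially unwanted application Win32/Wajam.F Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 16:00:49 Antivirus
potentially unwanted application Win32/KoyoteLab.A Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 16:05:27 Antivirus
potentially unwanted application Win32/Toolbar.Conduit.X Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 18:02:39 Antivirus
potentially unwanted application Win32/Toolbar.Conduit.B Jim Desktop 192.168.1.64 fe80::316b:2a6d:17d2:3cd5 2015 Mar 2 18:02:48 Antivirus
potentially unwanted application Win32/Wajam.F Jim Desktop 192.168.1.64
"""

# Assumed row layout: category, detection name, computer name, IPv4, IPv6, timestamp,
# scanner. The computer name may contain spaces, so it is matched lazily up to the IPv4.
ROW = re.compile(
    r"^(?P<category>.+?) (?P<name>\w+/\S+) (?P<host>.+?) "
    r"(?P<ipv4>\d{1,3}(?:\.\d{1,3}){3}) (?P<ipv6>[0-9a-f:]+) "
    r"(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<scanner>\S+)$"
)

def parse_events(text):
    """Return (records, unparsed); unparsed keeps truncated or odd rows for review."""
    records, unparsed = [], []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y %b %d %H:%M:%S")
        records.append(rec)
    return records, unparsed

def summarize(records):
    """Per (computer, detection): hit count plus first and last seen time."""
    seen = defaultdict(list)
    for r in records:
        seen[(r["host"], r["name"])].append(r["ts"])
    return {k: {"count": len(v), "first": min(v), "last": max(v)}
            for k, v in seen.items()}

if __name__ == "__main__":
    recs, bad = parse_events(RAW_EVENTS)
    for (host, name), s in sorted(summarize(recs).items()):
        print(f"{host:12} {name:26} x{s['count']}  {s['first']} .. {s['last']}")
    print(f"{len(bad)} row(s) could not be parsed (truncated?): {bad}")
```

Repeated hits on the same detection minutes or hours apart, as with the Conduit entries here, suggest the files were not cleaned on the first detection and still need attention on the host.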
Administrators Marcos 5,408 Posted March 3, 2015

Where exactly do you see this log in ERA?
jimwillsher 65 (Author) Posted March 3, 2015

On the Threats tab against a computer - see attachment. The PUAs are listed, but no clue as to where in the filesystem they are, so no helpers for getting rid of them.

Thanks

Jim
short_bus4 3 Posted March 3, 2015 (edited)

I'm not an ESET employee, so don't quote me on any of this.

Since they are potentially unwanted, they aren't exactly malware or malicious. You should be able to go to the ERA6 installed applications tab and choose to uninstall them if they support agent uninstall. Otherwise you could just remote in to the machine and uninstall the applications. It looks like it uninstalled the Conduit.Y; maybe it is just a matter of time or it hasn't updated the newest information and it will get the rest? Is there any menu that pops up when you left click the red ones? Or are there any buttons at the bottom of the page (got cut off in your image)?

That being said, I would probably choose to do a manual scan with Malwarebytes because it will allow you to remove PUPs/PUAs. I would go through and remove as many as I can through the normal add/remove process (I use CCleaner, so I can uninstall the programs and also check out the computer startup entries, IE/Firefox/Chrome add-ons, and scheduled tasks), then run Malwarebytes to see if it finds any files or folders that didn't get removed by CCleaner, reboot, then run CCleaner's registry cleaner to get rid of any orphaned registry entries or folders. And I back up the registry file when it asks, just in case. I also will go through the user's AppData folder and Program Files folders just to look for anything else that doesn't belong, but that might be overkill.

That's just my 2 cents. If you are in an enterprise environment it might be faster to just re-image the machine. And tell your user to stop installing software if they aren't going to pay attention to what gets installed along with it.

Good luck!

Edited March 3, 2015 by short_bus4
bbraunstein 27 Posted March 3, 2015

I actually brought up this same point a few weeks ago. I believe I made a topic with the title "Product Suggestion: More verbosity in logs", or something like that. How am I supposed to track down and handle virus threats if I don't know where they are or what they're coming from? Because of this, I accidentally wiped out my boss's Metasploit on his computer. Sure, we laughed at it, but what if something important gets deleted from one of my developers or QAs? ERAC v5 had the path of the problematic file listed. If it was in an earlier version, then why is it not in the next release???
ESET Moderators Peter Randziak 1,178 Posted March 4, 2015

Hello, you can find this information in Reports. I would recommend checking the "Antivirus threats in last 7 days" report; you should be able to find all the required info there. If you need more info, just customize the report to add the necessary columns.

P.R.