FrankM, posted October 11:

ESET is deleting a DLL from the official LENOVO Vantage package since update 30033 (20241010) of ESET Endpoint Protection. VirusTotal does not report this HASH as a threat (as of now): https://www.virustotal.com/gui/file/1b9a17a21ebccca4485585f4a7097aadd8f4b25faf00024ee6a797cb47b4ea74

All of our systems running Windows are affected. Files affected are:

file:///C:/ProgramData/Lenovo/Vantage/Addins/GenericMessagingAddin/1.0.0.147/SLSLib.dll
file:///C:/Program Files (x86)/Lenovo/VantageService/4.2.24.0/LenovoVantage-(GenericMessagingAddin).exe
file:///C:/ProgramData/Lenovo/Vantage/Addins/GenericMessagingAddin/1.0.0.147/SLAHlp64.dll
file:///C:/Program Files (x86)/Lenovo/VantageService/4.2.24.0/LenovoVantage-(LenovoSystemUpdateAddin).exe

(as of now)

Guest, posted October 11:

I can confirm this behavior on all my Lenovo endpoints. Also I received a "Malware outbreak" notification just for a supposed bloatware...

Marcos (Administrators), posted October 11:

It's detected as a PUA with aggressive level of detection. You can create a detection exclusion to use the application without lowering the detection level.

FrankM (Author), posted October 11:

2 minutes ago, Marcos said:
> It's detected as a PUA with aggressive level of detection. You can create a detection exclusion to use the application without lowering the detection level.

Thanks for your response. On which basis should we exclude the application? I do have the following options:

If I choose "Path & Detection", I would have to "whitelist" all DLLs reported (which are at least 4 or 5). Same for exact file (hash).

If I choose "Detection", I will not detect real threats from other applications.

Any chance to somehow whitelist the service (LenovoVantageService.exe) itself?

Marcos (Administrators), posted October 11, marked as Solution:

Normally you would select "Detection" to create an exclusion by the detection name, however, since this is an aggressive PUA detection, I'd recommend setting reporting and cleaning of PUAs to "Balanced":

_Dennis, posted October 11:

Here is the ESET documentation so you can decide for yourself if it's worth it. (source: Protections | ESET Endpoint Security | ESET Online Help, https://help.eset.com/ees/10.1/en-US/idh_config_protections.html?idh_config_protections.html)

If I read this right (see below), the advice is to run with Aggressive, switch back to Balanced to deal with false positives/exclusions, and then back to Aggressive when done.

@Marcos Is your suggestion a temporary one while ESET deals with a false positive and updates the definitions? Or should we create exceptions? When do we switch back to Aggressive?

Aggressive Reporting: Reporting configured to maximum sensitivity. More detections are reported. The Aggressive setting can falsely identify objects.

Aggressive Protection: Reported aggressive (or lower) level detections are blocked, and automatic remediation (i.e., cleaning) is started. This setting is recommended when all endpoints have been scanned with aggressive settings and falsely reported objects have been added to detection exclusions.

Balanced Reporting: This setting is optimized to balance the performance and accuracy of detection rates and the number of falsely reported objects.

Balanced Protection: Reported balanced (or lower) level detections are blocked, and automatic remediation (i.e., cleaning) is started.

Cheers!
Dennis

Marcos (Administrators), posted October 11:

5 minutes ago, _Dennis said:
> Is your suggestion a temporary one while ESET deals with a false positive and updates the definitions?

We do not deal with a false positive, the detection / classification is correct.

_Dennis, posted October 11:

@marcos This still doesn't answer if we should:

(A) stick with Aggressive and just create the required exceptions
OR
(B) if you are advising to go from Aggressive to Balanced permanently

If (B), why should we do this based on a single detection?

Marcos (Administrators), posted October 11:

There have been numerous complaints about the application from users, e.g.
https://forums.lenovo.com/t5/Pre-Installed-Lenovo-Software-and-Applications/Please-stop-installing-the-Lenovo-App-Explorer-adware-on-our-computers/m-p/4091222
https://www.reddit.com/r/Lenovo/comments/kg5ixu/lenovo_vantage_is_now_adware.

Whether you want to uninstall it or keep it and create a detection exclusion is up to you. With aggressive PUA detection some popular applications may start to be detected all of a sudden if they meet PUA criteria like a 3rd party module which is a part of this application.

msha1, posted October 13:

It seems you provided instructions on how to switch from 'aggressive' to 'balance' mode on an individual endpoint. Could you please provide similar instructions for performing this action on multiple endpoints via the web console portal?

Marcos (Administrators), posted October 13:

The screenshot above is virtually the same in Endpoint and the ESET PROTECT policy editor.

msha1, posted October 14 (edited):

With all due respect, this situation is unacceptable. Lenovo software, responsible for updating laptops' BIOS and critical drivers, is being detected as a PUA (Potentially Unwanted Application). Despite my attempts to whitelist the software, it continues to be flagged and deleted each time the endpoint is restarted.

I see no reason to lower PUA detection for what appears to be an error, especially since no other antivirus software raises this issue. The only solution I have found is to remove Lenovo's Vantage software from the endpoint to prevent ESET from flagging it.

I find it perplexing that ESET, alone among antivirus providers, is flagging software from the world's largest laptop manufacturer, IBM-Lenovo, as unwanted. This appears to be a mistake. Please advise.

FSORENSEN, posted October 14:

On 10/11/2024 at 3:06 AM, FrankM said:
> ESET is deleting a DLL from the official LENOVO Vantage package since update 30033 (20241010) of ESET Endpoint Protection. VirusTotal does not report this HASH as a threat (as of now): https://www.virustotal.com/gui/file/1b9a17a21ebccca4485585f4a7097aadd8f4b25faf00024ee6a797cb47b4ea74
>
> All of our systems running Windows are affected. Files affected are:
>
> file:///C:/ProgramData/Lenovo/Vantage/Addins/GenericMessagingAddin/1.0.0.147/SLSLib.dll
> file:///C:/Program Files (x86)/Lenovo/VantageService/4.2.24.0/LenovoVantage-(GenericMessagingAddin).exe
> file:///C:/ProgramData/Lenovo/Vantage/Addins/GenericMessagingAddin/1.0.0.147/SLAHlp64.dll
> file:///C:/Program Files (x86)/Lenovo/VantageService/4.2.24.0/LenovoVantage-(LenovoSystemUpdateAddin).exe
>
> (as of now)

I also confirm the behavior; I also see detections in these two files:

file:///C:/program files (x86)/lenovo/vantageservice/4.2.24.0/lenovovantage-(smartperformanceaddin).exe
file:///C:/program files (x86)/lenovo/vantageservice/4.2.24.0/lenovo.vantage.addinhost.x86.exe

On a side note, I have to admit that Lenovo Vantage IT IS KINDA a bloatware, so the detection, as annoying as it is, seems accurate.

Marcos (Administrators), posted October 14:

If you think that detection exclusions don't work as supposed, please provide logs collected with ESET Log Collector from the machine. The application contains a 3rd party adware-related module which uses techniques to evade AV detection.

itman, posted October 14 (edited):

FYI on this Eset SweetLabs detection:

Quote:
> Lenovo Vantage is an application which was pre-installed on a computer which I bought in the past. The app keeps auto-updating itself, it has multiple components. Now it contains GenericMessagingAddin which contains third-party software developed by SweetLabs Inc. When I purchased the computer, I didn't know that Lenovo will download SweetLabs software there. SweetLabs has reputation as creator of OpenCandy advertising software, which often installed various problematic software "from sponsors" you would not install otherwise.
>
> Someone tried to complain to Lenovo about it in the past, see: https://forums.lenovo.com/t5/Pre-Installed-Lenovo-Software-and-Applications/Please-stop-installing-the-Lenovo-App-Explorer-adware-on-our-computers/m-p/4091222
>
> People who are using my computer told me that they are not using the Lenovo Vantage application. So they just uninstalled it, saved approx 400 MB of disk space and they subjectively feel that the old computer works slightly faster now.

https://www.reddit.com/r/eset/comments/1g0taa8/comment/lrdv8de/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Jov, posted October 14:

Same problem that we encountered last week. It is really disturbing and annoying.

Marcos (Administrators), posted October 15:

6 hours ago, Jov said:
> Same problem that we encountered last week. It is really disturbing and annoying.

If you want to keep Lenovo Vantage installed despite the dubious 3rd party component, you can create detection exclusions. Should the detection exclusions not work for an unknown reason, please provide logs collected with ESET Log Collector for perusal.

QuickSilverST250, posted October 24 (edited):

We also have this issue since it became one. We have uninstalled vantage from our endpoints in the Microsoft app store and all Lenovo software from program files, but still getting alerts pointing to: C:\ProgramData\Lenovo\ImController\

Anyone know what else to uninstall or remove it completely to stop getting these alerts? We use N-able for patching so real need for vantage to do drivers etc.

itman, posted October 24 (edited):

2 hours ago, QuickSilverST250 said:
> but still getting alerts pointing to: C:\ProgramData\Lenovo\ImController\

ImController.exe file is a software component of Lenovo System Interface Foundation by Lenovo. Lenovo System Interface Foundation is a support software. Lenovo. Modern. ImController.exe is associated with this support framework.

2 hours ago, QuickSilverST250 said:
> Anyone know what else to uninstall or remove it completely to stop getting these alerts?

Quote:
> To uninstall Lenovo System Interface Foundation, you can:
>
> - Open the Device Manager, expand the System devices category, right-click System Interface Foundation V2 Device, and select Uninstall
> - Open an administrator command prompt or PowerShell and execute the command: "c:\windows\system32\imcontroller.infinstaller.exe -uninstall"
>
> You can also uninstall programs on a Windows computer by going to the control panel, clicking Programs or Programs and Features, selecting the program, and clicking Uninstall.

Per Google AI Assistant

QuickSilverST250, posted October 24:

@itman Thnx, I did find it afterwards, did it on a couple machines so holding thumbs it works and alerts stop.

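Added example, not part of any post in this thread: a read-only PowerShell inventory of the three directory roots quoted above, listing every remaining .exe/.dll with its SHA-256 and Authenticode signer. It shows which files an exact-file (hash) or path-based exclusion would have to cover and whether anything is left after an uninstall; treating a dotted numeric folder name as the build version is an assumption.

```powershell
# Added example (not from the thread). Roots are the directories quoted in the posts above.
$roots = @(
    'C:\ProgramData\Lenovo\Vantage\Addins',
    'C:\Program Files (x86)\Lenovo\VantageService',
    'C:\ProgramData\Lenovo\ImController'
)

$inventory = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        # Root is gone: nothing under it can be reported any more.
        [pscustomobject]@{ Root = $root; Present = $false; Version = $null
                           File = $null; Sha256 = $null; SigStatus = $null; Signer = $null }
        continue
    }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            # Assumption: a folder named like 1.0.0.147 or 4.2.24.0 is the build version.
            $ver  = $_.FullName -split '\\' |
                    Where-Object { $_ -match '^\d+(\.\d+){2,3}$' } |
                    Select-Object -First 1
            [pscustomobject]@{
                Root      = $root
                Present   = $true
                Version   = $ver
                File      = $_.FullName
                Sha256    = $hash.Hash                      # empty if the file is locked
                SigStatus = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject  # empty for unsigned files
            }
        }
}

# Full per-file listing: the candidates for exact-file (hash) or path exclusions.
$inventory | Sort-Object Root, Version, File |
    Format-Table Root, Version, SigStatus, Sha256, File -AutoSize -Wrap

# Hash and full-path exclusions are tied to one build. Group by versioned folder
# so the list can be compared again after the application updates itself.
$inventory | Where-Object Present | Group-Object Root, Version |
    Select-Object Count, Name
```

Run it from an elevated prompt so files under ProgramData are readable; a root reported with Present = False no longer exists on that endpoint.
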