Lenovo Vantage DLL deleted (Win64/Bloatware.SweetLabs.D)



ESET is deleting a DLL from official LENOVO Vantage package since update 30033 (20241010) of ESET Endpoint Protection.

VirusTotal does not report this HASH as threat (as of now): https://www.virustotal.com/gui/file/1b9a17a21ebccca4485585f4a7097aadd8f4b25faf00024ee6a797cb47b4ea74

All of our systems running Windows are affected.

Files affected are:

  • file:///C:/ProgramData/Lenovo/Vantage/Addins/GenericMessagingAddin/1.0.0.147/SLSLib.dll
  • file:///C:/Program Files (x86)/Lenovo/VantageService/4.2.24.0/LenovoVantage-(GenericMessagingAddin).exe
  • file:///C:/ProgramData/Lenovo/Vantage/Addins/GenericMessagingAddin/1.0.0.147/SLAHlp64.dll
  • file:///C:/Program Files (x86)/Lenovo/VantageService/4.2.24.0/LenovoVantage-(LenovoSystemUpdateAddin).exe

(as of now)


I can confirm this behavior on all my Lenovo endpoints.
Also I received a "Malware outbreak" notification just for a supposed bloatware...


  • Administrators

It's detected as a PUA with aggressive level of detection. You can create a detection exclusion to use the application without lowering the detection level.


2 minutes ago, Marcos said:

It's detected as a PUA with aggressive level of detection. You can create a detection exclusion to use the application without lowering the detection level.

Thanks for your response.

On which basis should we exclude the application? I do have the following options:

[screenshot: exclusion criteria options]

If I choose "Path & Detection", I would have to "whitelist" all DLLs reported (which are at least 4 or 5). Same for exact file (hash). If I choose "Detection", I will not detect real threats from other applications.

Any chance to somehow whitelist the service (LenovoVantageService.exe) itself?

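A small inventory script, added here as an example and not part of the thread or of any ESET or Lenovo tooling, that answers the practical questions behind the "on which basis should we exclude" post: which of the reported files are still present on an endpoint, which one the VirusTotal hash actually belongs to, and who signed them. A file that is already missing is consistent with the product having cleaned it on the last restart; the Authenticode signer tells you whether the module is Lenovo's own or the third-party component, which matters when choosing between a path-, hash- or detection-based exclusion. The four paths and the SHA-256 are copied from the first post; the function name and output layout are my own.

```powershell
# Added example: inventory the Lenovo Vantage files the first post reports as detected.
# Paths and the reference SHA-256 are copied from the thread; Get-VantageFileReport is a
# name chosen for this example.
$ReportedPaths = @(
    'C:\ProgramData\Lenovo\Vantage\Addins\GenericMessagingAddin\1.0.0.147\SLSLib.dll'
    'C:\Program Files (x86)\Lenovo\VantageService\4.2.24.0\LenovoVantage-(GenericMessagingAddin).exe'
    'C:\ProgramData\Lenovo\Vantage\Addins\GenericMessagingAddin\1.0.0.147\SLAHlp64.dll'
    'C:\Program Files (x86)\Lenovo\VantageService\4.2.24.0\LenovoVantage-(LenovoSystemUpdateAddin).exe'
)

# SHA-256 from the VirusTotal link in the first post (the post does not say which file it is for).
$ReferenceHash = '1b9a17a21ebccca4485585f4a7097aadd8f4b25faf00024ee6a797cb47b4ea74'

function Get-VantageFileReport {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $ReferenceSha256
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            # Already gone: consistent with the AV having cleaned it, as the thread describes.
            [pscustomobject]@{
                Path = $p; Present = $false; SHA256 = $null
                MatchesReference = $false; Signature = 'FileMissing'; Signer = $null
            }
            continue
        }
        # -LiteralPath keeps the parentheses in the Vantage file names from being treated as wildcards.
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path             = $p
            Present          = $true
            SHA256           = $hash
            # String -eq is case-insensitive in PowerShell, so the lowercase reference compares fine.
            MatchesReference = ($hash -eq $ReferenceSha256)
            Signature        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Get-VantageFileReport -Path $ReportedPaths -ReferenceSha256 $ReferenceHash |
    Format-Table Present, MatchesReference, Signature, Signer, Path -AutoSize
```

Run it in an elevated PowerShell on an affected endpoint before the next restart cleans the files again; pipe the function's output to Export-Csv if you want to compare machines. The report also makes the poster's point concrete: a hash-based exclusion has to be repeated for every reported file and again after each Vantage update, whereas a path-based one follows the versioned directories listed above.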

  • Administrators
  • Solution

Normally you would select "Detection" to create an exclusion by the detection name, however, since this is an aggressive PUA detection, I'd recommend setting reporting and cleaning of PUAs to "Balanced":

[screenshot: PUA reporting and protection set to Balanced]


Here is the ESET documentation so you can decide for yourself if it's worth it.
(source: Protections | ESET Endpoint Security | ESET Online Help, https://help.eset.com/ees/10.1/en-US/idh_config_protections.html?idh_config_protections.html)

If I read this right (see below), the advice is to run with Aggressive, switch back to Balanced to deal with false positives/exclusions, and then back to Aggressive when done. @Marcos Is your suggestion a temporary one while ESET deals with a false positive and updates the definitions? Or should we create exceptions? When do we switch back to Aggressive?

Aggressive Reporting: Reporting configured to maximum sensitivity. More detections are reported. The Aggressive setting can falsely identify objects.
Aggressive Protection: Reported aggressive (or lower) level detections are blocked, and automatic remediation (i.e., cleaning) is started. This setting is recommended when all endpoints have been scanned with aggressive settings and falsely reported objects have been added to detection exclusions.

Balanced Reporting: This setting is optimized to balance the performance and accuracy of detection rates and the number of falsely reported objects.
Balanced Protection: Reported balanced (or lower) level detections are blocked, and automatic remediation (i.e., cleaning) is started.

Cheers!
Dennis


  • Administrators
5 minutes ago, _Dennis said:

Is your suggestion a temporary one while ESET deals with a false positive and updates the definitions?

We do not deal with a false positive, the detection / classification is correct.


@marcos This still doesn't answer if we should:
(A) stick with Aggressive and just create the required exceptions OR
(B) if you are advising to go from Aggressive to Balanced permanently

If (B), why should we do this based on a single detection?

  • Administrators

There have been numerous complaints about the application from users, e.g. https://forums.lenovo.com/t5/Pre-Installed-Lenovo-Software-and-Applications/Please-stop-installing-the-Lenovo-App-Explorer-adware-on-our-computers/m-p/4091222 and https://www.reddit.com/r/Lenovo/comments/kg5ixu/lenovo_vantage_is_now_adware.

Whether you want to uninstall it or keep it and create a detection exclusion is up to you. With aggressive PUA detection some popular applications may start to be detected all of a sudden if they meet PUA criteria like a 3rd party module which is a part of this application.


It seems you provided instructions on how to switch from 'aggressive' to 'balanced' mode on an individual endpoint. Could you please provide similar instructions for performing this action on multiple endpoints via the web console portal?


With all due respect, this situation is unacceptable. Lenovo software, responsible for updating laptops BIOS and critical drivers, is being detected as a PUA (Potentially Unwanted Application). Despite my attempts to whitelist the software, it continues to be flagged and deleted each time the endpoint is restarted.

I see no reason to lower PUA detection for what appears to be an error, especially since no other antivirus software raises this issue. The only solution I have found is to remove Lenovo's Vantage software from the endpoint to prevent ESET from flagging it.

I find it perplexing that ESET, alone among antivirus providers, is flagging software from the world's largest laptop manufacturer, IBM-Lenovo, as unwanted. This appears to be a mistake.

Please advise.

Edited by msha1

On 10/11/2024 at 3:06 AM, FrankM said:

ESET is deleting a DLL from official LENOVO Vantage package since update 30033 (20241010) of ESET Endpoint Protection.

VirusTotal does not report this HASH as threat (as of now): https://www.virustotal.com/gui/file/1b9a17a21ebccca4485585f4a7097aadd8f4b25faf00024ee6a797cb47b4ea74

All of our systems running Windows are affected.

Files affected are:

  • file:///C:/ProgramData/Lenovo/Vantage/Addins/GenericMessagingAddin/1.0.0.147/SLSLib.dll
  • file:///C:/Program Files (x86)/Lenovo/VantageService/4.2.24.0/LenovoVantage-(GenericMessagingAddin).exe
  • file:///C:/ProgramData/Lenovo/Vantage/Addins/GenericMessagingAddin/1.0.0.147/SLAHlp64.dll
  • file:///C:/Program Files (x86)/Lenovo/VantageService/4.2.24.0/LenovoVantage-(LenovoSystemUpdateAddin).exe

(as of now)

I also confirm the behavior; I also see detections in these two files:

file:///C:/program files (x86)/lenovo/vantageservice/4.2.24.0/lenovovantage-(smartperformanceaddin).exe
file:///C:/program files (x86)/lenovo/vantageservice/4.2.24.0/lenovo.vantage.addinhost.x86.exe

On a side note, I have to admit that Lenovo Vantage IS KINDA bloatware, so the detection, as annoying as it is, seems accurate.


  • Administrators

If you think that detection exclusions don't work as supposed, please provide logs collected with ESET Log Collector from the machine. The application contains a 3rd party adware-related module which uses techniques to evade AV detection.


FYI on this Eset SweetLabs detection:

Quote

Lenovo Vantage is an application which was pre-installed on a computer which I bought in the past.

The app keeps auto-updating itself, it has multiple components. Now it contains GenericMessagingAddin which contains third-party software developed by SweetLabs Inc. When I purchased the computer, I didn't know that Lenovo will download SweetLabs software there.

SweetLabs has reputation as creator of OpenCandy advertising software, which often installed various problematic software "from sponsors" you would not install otherwise.

Someone tried to complain to Lenovo about it in the past, see:
https://forums.lenovo.com/t5/Pre-Installed-Lenovo-Software-and-Applications/Please-stop-installing-the-Lenovo-App-Explorer-adware-on-our-computers/m-p/4091222

People who are using my computer told me that they are not using the Lenovo Vantage application. So they just uninstalled it, saved approx 400 MB of disk space and they subjectively feel that the old computer works slightly faster now.

https://www.reddit.com/r/eset/comments/1g0taa8/comment/lrdv8de/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Edited by itman

  • Administrators
6 hours ago, Jov said:

Same problem that we encountered last week. It is really disturbing and annoying.

If you want to keep Lenovo Vantage installed despite the dubious 3rd party component, you can create a detection exclusion. Should the detection exclusions not work for an unknown reason, please provide logs collected with ESET Log Collector for perusal.


  • 2 weeks later...

We also have this issue since it became one. We have uninstalled vantage from our endpoints in the Microsoft app store and all Lenovo software from program files, but still getting alerts pointing to: C:\ProgramData\Lenovo\ImController\

Anyone know what else to uninstall or remove completely to stop getting these alerts? We use N-able for patching, so no real need for Vantage to do drivers etc.

Edited by QuickSilverST250

2 hours ago, QuickSilverST250 said:

but still getting alerts pointing to: C:\ProgramData\Lenovo\ImController\

ImController.exe is a software component of Lenovo System Interface Foundation by Lenovo. Lenovo System Interface Foundation is a support software framework, and ImController.exe is associated with it.

2 hours ago, QuickSilverST250 said:

Anyone know what else to uninstall or remove it complete to stop getting these alerts.

Quote
To uninstall Lenovo System Interface Foundation, you can:
  1. Open the Device Manager, expand the System devices category, right-click System Interface Foundation V2 Device, and select Uninstall
  2. Open an administrator command prompt or PowerShell and execute the command: "c:\windows\system32\imcontroller.infinstaller.exe -uninstall"
You can also uninstall programs on a Windows computer by going to the control panel, clicking Programs or Programs and Features, selecting the program, and clicking Uninstall.
Per Google AI Assistant
Edited by itman