Posted

I just received a popup from Eset Smart Security stating that a threat was removed.   Viewing the logs, I see this.
 

Quote

 

Time: 11/9/2024 2:41:20 PM

Scanner: Real-time file system protection

Object type: file

Object: C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe

Detection: a variant of Win64/Agent_AGen.CLQ trojan

Action: cleaned by deleting

User: NT AUTHORITY\SYSTEM

Information: Event occurred during an attempt to run the file by the application: C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe (0A15F92761D8D1F4116690F426AF3FE153F9AD22).

Hash: 326AEC1C5E2884B53EBC09DF1D167F134548BF65

First seen here: 7/19/2024 8:56:10 PM

 

I did a search on VirusTotal on that Hash and it appears that ESET-NOD32 and Rising are the only vendors that flagged this file malicious. 

https://www.virustotal.com/gui/file/8c0e9919eb71420ef60145fdcb7eb9e564921a4f2cac39f027e0d41fb784e2a7/detection

Since Eset deleted the file (it's not in quarantine), I cannot analyze the file myself.

Is this a false positive?

Is there a way to restore a file that Eset deleted?
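
An added example, not part of the thread and not ESET's or Brave's code: it parses the detection record quoted in the post above, identifies each hash by its length (the log carries a SHA-1, the VirusTotal URL a SHA-256), and checks whether a file restored from quarantine or re-downloaded is byte-identical to the detected object. All function names are hypothetical.

```python
import hashlib
import re

# Detection record as quoted in the post above (values copied from the page).
ESET_RECORD = r"""Time: 11/9/2024 2:41:20 PM
Scanner: Real-time file system protection
Object type: file
Object: C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe
Detection: a variant of Win64/Agent_AGen.CLQ trojan
Action: cleaned by deleting
User: NT AUTHORITY\SYSTEM
Information: Event occurred during an attempt to run the file by the application: C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe (0A15F92761D8D1F4116690F426AF3FE153F9AD22).
Hash: 326AEC1C5E2884B53EBC09DF1D167F134548BF65
First seen here: 7/19/2024 8:56:10 PM"""

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm

def parse_record(text):
    """Split 'Key: value' lines on the first ': ' only (paths and times contain colons)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def hash_kind(hex_digest):
    """Identify a digest by its length; None if it is not plain hex of a known size."""
    is_hex = re.fullmatch(r"[0-9A-Fa-f]+", hex_digest)
    return HASH_KINDS.get(len(hex_digest)) if is_hex else None

def launcher(fields):
    """Return (path, sha1) of the process that tried to run the detected file."""
    m = re.search(r"application: (.+?) \(([0-9A-Fa-f]{40})\)", fields.get("Information", ""))
    return (m.group(1), m.group(2)) if m else None

def file_digests(path):
    """Hash a file once with both algorithms so either reference value can be compared."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {"sha1": sha1.hexdigest().upper(), "sha256": sha256.hexdigest().upper()}

def matches_record(path, fields):
    """True only if the file at path is byte-identical to the object in the record."""
    kind = hash_kind(fields.get("Hash", ""))
    return kind in ("sha1", "sha256") and file_digests(path)[kind] == fields["Hash"].upper()
```

A file with the same name and version but a different digest is a different binary, so a verdict or sandbox report for one does not carry over to the other.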

 

 

Posted (edited)
19 minutes ago, demonlight said:

I did a search on VirusTotal on that Hash and it appears that ESET-NOD32 and Rising are the only vendors that flagged this file malicious. 

https://www.virustotal.com/gui/file/8c0e9919eb71420ef60145fdcb7eb9e564921a4f2cac39f027e0d41fb784e2a7/detection

The suspicious thing is this update was first uploaded to VT on 7/15/2024. Why would you be receiving a browser update that is 4 months old? The latest Brave update is dated Nov. 6: https://brave.com/latest/ .

Edited by itman
Posted
4 minutes ago, itman said:

The suspicious thing is this update was first uploaded to VT on 7/15/2024. Why would you be receiving a browser update that is 4 months old?

Maybe this is a standard updater exe?   I checked to see when Brave was last updated and it was last night.

Posted (edited)

I found this Reddit thread.  Appears that others have the same issue.

 

EDIT:

And another thread. 

 

Edited by demonlight
Posted
27 minutes ago, demonlight said:

Maybe this is a standard updater exe?   I checked to see when Brave was last updated and it was last night.

If Brave updated last night, why is it again updating today? Me thinks that someone might be pushing a bogus update.

Posted
12 minutes ago, itman said:

If Brave updated last night, why is it again updating today? Me thinks that someone might be pushing a bogus update.

I'm going by the date shown in Windows App list, not sure if that's the install date or the application date.   

What do you suggest I do?  I ran a full scan on my system and nothing else was detected.

Posted (edited)
1 hour ago, demonlight said:

What do you suggest I do? 

First, let @Marcos determine if it's a false positive. At this point, I would say it is not.

The point to note is Brave successfully updated on your device yesterday with no Eset detection.

Edited by itman
Posted
1 hour ago, itman said:

I am pretty sure this BraveCrashHandler64.exe is malware. Although the hash doesn't match this sample analyzed by any.run: https://any.run/report/282e89ab3858800c8fbce89effebd7b9f7b1c280a5ff7639767a6c520f85b350/12b343be-c1a9-440b-90d2-b46e44218d10 , the file version does match.

This might be a new malware variant.

On the any.run link you posted, it doesn't list anything in the Behavior Activities. What are your thoughts on the VirusTotal link I posted earlier? The fact that ESET and Rising are the only vendors who flagged this file? I know that Brave has a reward program, which has been controversial in the browser space. Heck, I only have Brave installed as a backup browser in case I have an issue with a site in my other browsers.

I found a post on the Brave Community forum, no responses from Brave yet.   https://community.brave.com/t/eset-reported-brave-updater-accessing-malicious-file-win64-agent-agen-clq/579879

This has me worried, since I am very careful with my computer habits.  I never install anything from unknown sources, heck, I even scan legit sources both with ESET and VirusTotal.   

I mentioned in an earlier post that Brave was updated last night.   I checked my Windows logs and I didn't have my computer on.  So the update must have run when I logged in today.  Brave has an update service that runs automatically (Windows Services).   

  • Administrators
Posted

It was FP on an automated detection which was also auto-resolved shortly after it was created yesterday.

Posted (edited)

Never mind it was from yesterday not today!!

Edited by Purpleroses
Posted
13 hours ago, Marcos said:

It was FP on an automated detection which was also auto-resolved shortly after it was created yesterday.

Thanks for the update @Marcos. I see that the VirusTotal link that I originally posted no longer shows that EXE as being flagged by either ESET or Rising. Any ideas why ESET deleted the EXE and did not put it in Quarantine? Is there another way I can restore that file?

  • Administrators
Posted

If a cleaning action is taken on a file, the file should always be quarantined. Please provide logs collected with ESET Log Collector.

Posted

Regarding the any.run link you mentioned, it seems odd that nothing appears in the Behavior Activities section—this could mean the file isn’t performing any notable actions, or it wasn’t analyzed fully. As for the VirusTotal link you posted, it’s concerning that only ESET and Rising flagged the file, especially considering other major vendors didn’t. This could be a false positive or something specific to those particular vendors' detection algorithms.

I’m aware of the Brave reward program and the controversy surrounding it, but I mainly use Brave as a backup browser for troubleshooting, too. The Brave Community forum post you linked also raises a good point, especially given that ESET flagged the Brave updater accessing a potentially malicious file. It’s worth keeping an eye on, especially if you're cautious about your computer habits and avoid installing anything from unknown sources.

Regarding the Brave update, it’s strange that it ran automatically when you logged in, especially since your computer wasn’t on overnight. This suggests Brave’s update service might have triggered when you logged into Windows. It's worth monitoring, as automatic background updates can sometimes introduce unexpected issues. Stay vigilant and continue using your trusted security tools like ESET and VirusTotal.
