demonlight, Posted November 9

I just received a popup from Eset Smart Security stating that a threat was removed. Viewing the logs, I see this.

> Time: 11/9/2024 2:41:20 PM
> Scanner: Real-time file system protection
> Object type: file
> Object: C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveCrashHandler64.exe
> Detection: a variant of Win64/Agent_AGen.CLQ trojan
> Action: cleaned by deleting
> User: NT AUTHORITY\SYSTEM
> Information: Event occurred during an attempt to run the file by the application: C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe (0A15F92761D8D1F4116690F426AF3FE153F9AD22).
> Hash: 326AEC1C5E2884B53EBC09DF1D167F134548BF65
> First seen here: 7/19/2024 8:56:10 PM

I did a search on VirusTotal on that Hash and it appears that ESET-NOD32 and Rising are the only vendors that flagged this file malicious.
https://www.virustotal.com/gui/file/8c0e9919eb71420ef60145fdcb7eb9e564921a4f2cac39f027e0d41fb784e2a7/detection

Since Eset deleted the file (it's not in quarantine), I cannot analyze the file myself. Is this a false positive? Is there a way to restore a file that Eset deleted?

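Added example, not part of the thread and not ESET's own tooling: a small parser for the log record quoted in the post above, which extracts the detected file, its hash and the launching application, and checks whether two digests are the same kind before they are compared (the record carries 40-hex-digit values, the VirusTotal URL a 64-hex-digit one). The function names are hypothetical, and mapping digest length to algorithm is an assumption.

```python
import re

# Field labels exactly as they appear in the log record quoted in the first post.
FIELDS = ["Time", "Scanner", "Object type", "Object", "Detection", "Action",
          "User", "Information", "Hash", "First seen here"]
# Longest labels first so "Object type" is not cut short at "Object".
_LABEL = re.compile(r"\b(" + "|".join(
    re.escape(f) for f in sorted(FIELDS, key=len, reverse=True)) + r"):\s")
DIGEST_BY_LENGTH = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # assumption: by length

# The record from the first post, flattened onto one line as it was pasted.
SAMPLE = (
    r"Time: 11/9/2024 2:41:20 PM Scanner: Real-time file system protection "
    r"Object type: file Object: C:\Program Files (x86)\BraveSoftware\Update"
    r"\1.3.361.151\BraveCrashHandler64.exe Detection: a variant of "
    r"Win64/Agent_AGen.CLQ trojan Action: cleaned by deleting "
    r"User: NT AUTHORITY\SYSTEM Information: Event occurred during an attempt "
    r"to run the file by the application: C:\Program Files (x86)\BraveSoftware"
    r"\Update\BraveUpdate.exe (0A15F92761D8D1F4116690F426AF3FE153F9AD22). "
    r"Hash: 326AEC1C5E2884B53EBC09DF1D167F134548BF65 "
    r"First seen here: 7/19/2024 8:56:10 PM")

def parse_record(text):
    """Split a pasted record into {label: value}, whatever the line breaks."""
    parts = _LABEL.split(text)  # [preamble, label, value, label, value, ...]
    return {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}

def digest_kind(value):
    """Name the digest algorithm implied by a hex string's length, else None."""
    value = value.strip()
    ok = re.fullmatch(r"[0-9A-Fa-f]+", value)
    return DIGEST_BY_LENGTH.get(len(value)) if ok else None

def comparable(a, b):
    """Digests can confirm or rule out a match only if both are the same kind."""
    kind = digest_kind(a)
    return kind is not None and kind == digest_kind(b)

def triage(text):
    """Pull out what a reviewer looks up: file, its hash, and the launcher."""
    rec = parse_record(text)
    m = re.search(r"application: (.+?) \(([0-9A-Fa-f]{40})\)", rec.get("Information", ""))
    return {"file": rec.get("Object"), "hash": rec.get("Hash"),
            "hash_kind": digest_kind(rec.get("Hash", "")),
            "detection": rec.get("Detection"), "action": rec.get("Action"),
            "launcher": m.group(1) if m else None,
            "launcher_sha1": m.group(2) if m else None}

if __name__ == "__main__":
    print(triage(SAMPLE))
```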
itman, Posted November 9

> 19 minutes ago, demonlight said:
> I did a search on VirusTotal on that Hash and it appears that ESET-NOD32 and Rising are the only vendors that flagged this file malicious.
> https://www.virustotal.com/gui/file/8c0e9919eb71420ef60145fdcb7eb9e564921a4f2cac39f027e0d41fb784e2a7/detection

The suspicious thing is this update was first uploaded to VT on 7/15/2024. Why would you be receiving a browser update that is 4 months old? The latest Brave update is dated Nov. 6: https://brave.com/latest/ .

Edited November 9 by itman

demonlight (Author), Posted November 9

> 4 minutes ago, itman said:
> The suspicious thing is this update was first uploaded to VT on 7/15/2024. Why would you be receiving a browser update that is 4 months old?

Maybe this is a standard updater exe? I checked to see when Brave was last updated and it was last night.

demonlight (Author), Posted November 9

I found this Reddit thread. Appears that others have the same issue.

EDIT: And another thread.

Edited November 9 by demonlight

itman, Posted November 9

> 27 minutes ago, demonlight said:
> Maybe this is a standard updater exe? I checked to see when Brave was last updated and it was last night.

If Brave updated last night, why is it again updating today? Me thinks that someone might be pushing a bogus update.

demonlight (Author), Posted November 9

> 12 minutes ago, itman said:
> If Brave updated last night, why is it again updating today? Me thinks that someone might be pushing a bogus update.

I'm going by the date shown in Windows App list, not sure if that's the install date or the application date. What do you suggest I do? I ran a full scan on my system and nothing else was detected.

itman, Posted November 9

> 1 hour ago, demonlight said:
> What do you suggest I do?

First, let @Marcos determine if it's a false positive. At this point, I would say it is not. The point to note is Brave successfully updated on your device yesterday with no Eset detection.

Edited November 9 by itman

itman, Posted November 10

I am pretty sure this BraveCrashHandler64.exe is malware. Although the hash doesn't match this sample analyzed by any.run: https://any.run/report/282e89ab3858800c8fbce89effebd7b9f7b1c280a5ff7639767a6c520f85b350/12b343be-c1a9-440b-90d2-b46e44218d10 , the file version does match. This might be a new malware variant.

demonlight (Author), Posted November 10

> 1 hour ago, itman said:
> I am pretty sure this BraveCrashHandler64.exe is malware. Although the hash doesn't match this sample analyzed by any.run: https://any.run/report/282e89ab3858800c8fbce89effebd7b9f7b1c280a5ff7639767a6c520f85b350/12b343be-c1a9-440b-90d2-b46e44218d10 , the file version does match. This might be a new malware variant.

On the any.run link you posted, it doesn't list anything in the Behavior Activities. What are your thoughts on the VirusTotal link I posted earlier? The fact that ESET and Rising are the only vendors who flagged this file?

I know that Brave has a reward program, which has been controversial in the browser space. Heck, I only have Brave installed as a backup browser in case I have an issue with a site in my other browsers.

I found a post on the Brave Community forum, no responses from Brave yet.
https://community.brave.com/t/eset-reported-brave-updater-accessing-malicious-file-win64-agent-agen-clq/579879

This has me worried, since I am very careful with my computer habits. I never install anything from unknown sources, heck, I even scan legit sources both with ESET and VirusTotal.

I mentioned in an earlier post that Brave was updated last night. I checked my Windows logs and I didn't have my computer on. So the update must have run when I logged in today. Brave has an update service that runs automatically (Windows Services).

Marcos (Administrators), Posted November 10

It was FP on an automated detection which was also auto-resolved shortly after it was created yesterday.

Purpleroses, Posted November 10

Never mind it was from yesterday not today!!

Edited November 10 by Purpleroses

demonlight (Author), Posted November 10

> 13 hours ago, Marcos said:
> It was FP on an automated detection which was also auto-resolved shortly after it was created yesterday.

Thanks for the update @Marcos. I see that VirusTotal link that I originally posted no longer shows that EXE as being flagged by either ESET or Rising.

Any ideas why ESET deleted the EXE and not put it in Quarantine? Is there another way I can restore that file?

Marcos (Administrators), Posted November 11

If a cleaning action is taken on a file, the file should be always quarantined. Please provide logs collected with ESET Log Collector.

Atharv59, Posted November 18

Regarding the any.run link you mentioned, it seems odd that nothing appears in the Behavior Activities section—this could mean the file isn’t performing any notable actions, or it wasn’t analyzed fully. As for the VirusTotal link you posted, it’s concerning that only ESET and Rising flagged the file, especially considering other major vendors didn’t. This could be a false positive or something specific to those particular vendors' detection algorithms.

I’m aware of the Brave reward program and the controversy surrounding it, but I mainly use Brave as a backup browser for troubleshooting, too. The Brave Community forum post you linked also raises a good point, especially given that ESET flagged the Brave updater accessing a potentially malicious file. It’s worth keeping an eye on, especially if you're cautious about your computer habits and avoid installing anything from unknown sources.

Regarding the Brave update, it’s strange that it ran automatically when you logged in, especially since your computer wasn’t on overnight. This suggests Brave’s update service might have triggered when you logged into Windows. It's worth monitoring, as automatic background updates can sometimes introduce unexpected issues. Stay vigilant and continue using your trusted security tools like ESET and VirusTotal.