
Posted (edited)

Rustdesk 1.3.2 64-bit exe https://github.com/rustdesk/rustdesk/releases/download/1.3.2/rustdesk-1.3.2-x86_64.exe is flagged as infected by the Win64\GenKryptik.HDRR virus.

On virustotal it is not detected: https://www.virustotal.com/gui/url/5624386dd82f40403ed304a3f7994231da8df87ff9e08abeacd0a4cec0fa905b

Is this a false positive?

Platform is ESET endpoint security 11.1.2052.0 with the LiveGuard license.

Edited by carmik
Posted

"There is no detection on my ESET Internet Security. I don't know if additional signatures have been received by endpoint products."


Posted

Installed the 1.3.2 when it came out on 100+ computers and I also didn't see any warning.

Posted

I just downloaded the .exe and no detection from Eset.

Submitted to Virustotal which showed one detection: https://www.virustotal.com/gui/file/465e3cc0befa33ef54db3819d224e19cffe684cfe687c76b43352f5bb9c2d87e . Also VT analysis comments give it a -11. Note this is a different analysis than the one shown above by the OP. I will submit to CrowdStrike and later post its finding.

I would proceed with caution here in regards to this .exe.

Posted

Stranger and stranger... I'll post tomorrow the detection screenshot from endpoint security.

Posted (edited)

@itman thanks for the pointer to the discussion mate. Unfortunately, rustdesk remains the fastest remote control software I've used, coupled with the capability to operate a relay (in-the-middle) server of my own. Hence, no data goes anywhere else. At least as far as guys in the reddit channel have examined.

I find the following bits unsettling with ESET:

a) why my ESET detects something on my platform, whereas on others it did not detect anything at all,

b) why previous Rustdesk versions up to and including version 1.3.1 were not flagged at all,

c) why even saving the file triggers detection (i.e., the executable was not even started)

The screenshot from the detection (detection is triggered upon download):


Edited by carmik
Posted
14 hours ago, itman said:

CrowdStrike rates the .exe malicious with a 100/100 confidence factor: https://www.hybrid-analysis.com/sample/465e3cc0befa33ef54db3819d224e19cffe684cfe687c76b43352f5bb9c2d87e .

Due to the nature of the program (not a simple app, it does a lot of stuff to provide remote access, with startup as a service etc.) it could be a case of a false positive. But you are correct in that we should be extra careful here.

Posted (edited)
11 hours ago, carmik said:

The screenshot from the detection (detection is triggered upon download):

Post the entry from the Eset Detection log related to this.

I went to Github RustDesk web site and downloaded Release 1.3.2 x86-64(64bit) Windows .exe option from there. Eset didn't detect anything upon file creation on my Win10 desktop.

Edited by itman
Posted

Will do.

In the meantime, are you using the same product with me? If so, which ESET default policies are enabled?

Posted
4 minutes ago, carmik said:

If so, which ESET default policies are enabled?

I am using Smart Security Premium; not Eset Endpoint. However, a sig. detection by Eset would be same for both products.

Posted

We are using the standard signature set, so yeah, I think so too.

Posted (edited)
10 hours ago, itman said:

Feels this is definitely a false positive.

To @Marcos and the rest of the ESET gang, should this thread be moved to the malware detection and cleaning?

There are 3 log entries (3 tries to download the file), translated from Greek:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
11/11/2024 8:14:11 AM;Real-time file system protection;file;C:\Users\a.user\Downloads\R4xXWbgN.exe.part;a variant of Win64/GenKryptik.HDRR trojan;cleaned by deleting (after next restart);PKM\a.user;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;65BA4A49891526C1362C43937C9CA594FD146DDC;11/11/2024 8:14:02 AM
11/11/2024 8:15:06 AM;Real-time file system protection;file;C:\Users\a.user\Downloads\SSEzRkc9.exe.part;a variant of Win64/GenKryptik.HDRR trojan;cleaned by deleting (after next restart);PKM\a.user;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;666E1DD6B1FE6F92B5702D113DAFDDCC52185A4E;11/11/2024 8:15:00 AM
11/11/2024 12:36:33 PM;Real-time file system protection;file;C:\Users\a.user\Downloads\lR2DC5N1.exe.part;a variant of Win64/GenKryptik.HDRR trojan;cleaned by deleting (after next restart);PKM\a.user;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;111E196761E45DD91FE2823FEBFB42A239DE5BAE;11/11/2024 12:36:26 PM

An interesting fact is that the column before the last, which is the hash (if I understand correctly), is not the same for some reason; I wonder why.

From the policy side I can see that I have enabled the antivirus - maximum security policy, as well as liveguard.

Edited by carmik
Posted (edited)

On a hunch, I removed the antivirus-maximum security from this system and re-tried to download rustdesk. This time it downloaded just fine!

Do note that this policy is included with ESET PROTECT (on-premise).

@Marcos can you try to reproduce this from your side?

Edited by carmik
Posted (edited)
7 hours ago, carmik said:

There are 3 log entries (3 tries to download the file), translated from Greek:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
11/11/2024 8:14:11 AM;Real-time file system protection;file;C:\Users\a.user\Downloads\R4xXWbgN.exe.part;a variant of Win64/GenKryptik.HDRR trojan;cleaned by deleting (after next restart);PKM\a.user;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;65BA4A49891526C1362C43937C9CA594FD146DDC;11/11/2024 8:14:02 AM
11/11/2024 8:15:06 AM;Real-time file system protection;file;C:\Users\a.user\Downloads\SSEzRkc9.exe.part;a variant of Win64/GenKryptik.HDRR trojan;cleaned by deleting (after next restart);PKM\a.user;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;666E1DD6B1FE6F92B5702D113DAFDDCC52185A4E;11/11/2024 8:15:00 AM
11/11/2024 12:36:33 PM;Real-time file system protection;file;C:\Users\a.user\Downloads\lR2DC5N1.exe.part;a variant of Win64/GenKryptik.HDRR trojan;cleaned by deleting (after next restart);PKM\a.user;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;111E196761E45DD91FE2823FEBFB42A239DE5BAE;11/11/2024 12:36:26 PM

An interesting fact is that the column before the last, which is the hash (if I understand correctly), is not the same for some reason; I wonder why.

None of the files associated with the three hashes shown in the log entries have been submitted to VirusTotal.

This leads me to believe that you are being redirected from the Github RustDesk download site to somewhere else which is serving up a malicious download that Eset is detecting. Or, the Github RustDesk download site you're connecting to is a bogus fake web site.

Perform the Github 1.3.2 RustDesk download using a different browser and see if Eset still detects it as malicious.

Edited by itman
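The check itman is describing above (three detections, three different hashes, none of them the file that GitHub serves) can be done mechanically from the ESET Detections log export. The following is an added example written for this thread, not code from ESET, RustDesk or any poster. It assumes the export is plain semicolon-separated text as carmik posted it, that ESET's 40-hex-character Hash column is SHA-1 (an assumption from its length), and it uses the SHA-256 from itman's VirusTotal link as the reference digest of the installer he downloaded from GitHub. The three log rows are embedded as constructed sample input (translated to English); no real installer is included, so the download check is shown on stand-in bytes.

```python
import csv
import hashlib
import io
from typing import Dict, List, Set

# Constructed sample input: the three rows from carmik's ESET Detections log
# (translated to English) plus the header row. ESET exports the log as
# semicolon-separated text, one detection per line.
ESET_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
11/11/2024 8:14:11 AM;Real-time file system protection;file;C:\Users\a.user\Downloads\R4xXWbgN.exe.part;a variant of Win64/GenKryptik.HDRR trojan;cleaned by deleting (after next restart);PKM\a.user;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;65BA4A49891526C1362C43937C9CA594FD146DDC;11/11/2024 8:14:02 AM
11/11/2024 8:15:06 AM;Real-time file system protection;file;C:\Users\a.user\Downloads\SSEzRkc9.exe.part;a variant of Win64/GenKryptik.HDRR trojan;cleaned by deleting (after next restart);PKM\a.user;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;666E1DD6B1FE6F92B5702D113DAFDDCC52185A4E;11/11/2024 8:15:00 AM
11/11/2024 12:36:33 PM;Real-time file system protection;file;C:\Users\a.user\Downloads\lR2DC5N1.exe.part;a variant of Win64/GenKryptik.HDRR trojan;cleaned by deleting (after next restart);PKM\a.user;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;111E196761E45DD91FE2823FEBFB42A239DE5BAE;11/11/2024 12:36:26 PM
"""

# SHA-256 of the rustdesk-1.3.2-x86_64.exe that itman pulled from GitHub and
# submitted to VirusTotal (taken from the VirusTotal URL in the thread).
# Used here as the reference digest a fresh download should reproduce.
REFERENCE_SHA256 = "465e3cc0befa33ef54db3819d224e19cffe684cfe687c76b43352f5bb9c2d87e"


def parse_eset_log(text: str) -> List[Dict[str, str]]:
    """Parse an ESET semicolon-separated detection log export, keyed by header names."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return list(reader)


def partial_downloads(rows: List[Dict[str, str]]) -> List[str]:
    """Objects that are browser partial-download files (Firefox writes *.part)."""
    return [r["Object"] for r in rows if r["Object"].lower().endswith(".part")]


def distinct_hashes(rows: List[Dict[str, str]]) -> Set[str]:
    """Hashes ESET recorded; more than one means different content hit disk each time."""
    return {r["Hash"].upper() for r in rows}


def hash_algorithm_from_length(hexdigest: str) -> str:
    """Guess the digest algorithm by length (assumption: ESET's 40-hex column is SHA-1)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hexdigest), "unknown")


def digest(data: bytes, algorithm: str) -> str:
    return hashlib.new(algorithm, data).hexdigest()


def verify_download(data: bytes, expected: str) -> Dict[str, object]:
    """Hash the downloaded bytes with the algorithm the expected digest implies and compare."""
    algo = hash_algorithm_from_length(expected)
    actual = digest(data, algo) if algo != "unknown" else ""
    return {"algorithm": algo, "actual": actual, "match": actual.lower() == expected.lower()}


def log_hashes_match_reference(rows: List[Dict[str, str]], reference_sha1: str) -> bool:
    """True if any logged (SHA-1) hash equals the SHA-1 of the genuine installer.

    Note the algorithm mismatch: VirusTotal URLs carry SHA-256, the ESET log
    carries SHA-1, so the reference must be the SHA-1 of the same file.
    """
    return reference_sha1.upper() in distinct_hashes(rows)


if __name__ == "__main__":
    rows = parse_eset_log(ESET_LOG)
    print(f"{len(rows)} detections, {len(distinct_hashes(rows))} distinct hashes")
    print("partial downloads:", partial_downloads(rows))
    print("log hash algorithm:", hash_algorithm_from_length(rows[0]["Hash"]))
    print(verify_download(b"stand-in bytes, not the installer", REFERENCE_SHA256))
```

Three rows, three distinct hashes and every object a `.exe.part` is exactly the pattern itman points at: whatever Firefox was writing was not three copies of one file. To close the loop on a real machine, hash the completed download with `Get-FileHash -Algorithm SHA256` and feed the result to `verify_download`; a mismatch against the published digest means the bytes did not come from the release, whatever the browser's address bar said.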
Posted

Easy to test; can you upload somewhere 1.3.2 and give me a download link?

Posted

Thanks @itman!

The file was downloaded just fine from mediafire! And from the rustdesk site, after trying immediately afterwards!!!!

Has ESET perhaps done something on their part?

Posted (edited)
1 hour ago, carmik said:

The file was downloaded just fine from mediafire! And from the rustdesk site, after trying immediately afterwards!!!!

Has ESET perhaps done something on their part?

Doubtful. Of note is you were the only one having an Eset detection upon download.

Note that all the Eset file detections you posted above were for partial file downloads from Firefox; e.g.

Quote

11/11/2024 8:14:11 AM;Real-time File System Protection;file;C:\Users\a.user\Downloads\R4xXWbgN.exe.part;variant of Win64/GenKryptik.HDRR trojan;cleaned by delete (after next restart);PKM\a.user;An event occurred in a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;65BA4A49891526C1362C43937C9CA594FD146DDC;11/11/2024 8:14:02 AM

Firefox does these partial file downloads to speed up the file download. Firefox will actually begin the file download prior to your actual selecting the file download from the web site.

Most significant is the file name, R4xXWbgN.exe.part, being detected by Eset is not what should be being downloaded.

It is possible there was a previous network issue; most likely in the external network connections, resulting in something else being downloaded to your device.

Edited by itman
Posted (edited)

I also strongly advise you start paying attention to Eset detection alerts.

When you received the first alert on 11/11/2024, Eset instructed you to reboot to remove the trojan. I assume you did not do this, with the result being continued alerts of the same kind received throughout the day.

All indications are something infected Firefox; memory, cache, whatever to redirect to malicious downloads. Have you enabled EES Secured Browser mode: https://help.eset.com/ees/11/en-US/?idh_config_sb.html ?

Edited by itman
Posted
8 hours ago, itman said:

I also strongly advise you start paying attention to Eset detection alerts.

When you received the first alert on 11/11/2024, Eset instructed you to reboot to remove the trojan. I assume you did not do this, with the result being continued alerts of the same kind received throughout the day.

I did not do any reboots at that time. But, I did disable the aggressive antivirus policy for a while.

Should have tried at that time to download with a different browser as well.

8 hours ago, itman said:

All indications are something infected Firefox; memory, cache, whatever to redirect to malicious downloads. Have you enabled EES Secured Browser mode: https://help.eset.com/ees/11/en-US/?idh_config_sb.html ?

Not using it TBH, just plain firefox with ublock origin.

We have never had any infections in our LAN (to our knowledge), with the exception of one vulnerable Cisco router, which was not even owned/operated by us.

I'll do some runs with Hitman Pro and MBAM and keep my eye on the browser for the next weeks.

Thanks for your help!
