carmik 0 Posted November 11 (edited) Rustdesk 1.3.2 64-bit exe https://github.com/rustdesk/rustdesk/releases/download/1.3.2/rustdesk-1.3.2-x86_64.exe is flagged as infected by the Win64/GenKryptik.HDRR virus. On VirusTotal it is not detected: https://www.virustotal.com/gui/url/5624386dd82f40403ed304a3f7994231da8df87ff9e08abeacd0a4cec0fa905b Is this a false positive? Platform is ESET Endpoint Security 11.1.2052.0 with the LiveGuard license. Edited November 11 by carmik
Guest Posted November 11 "There is no detection on my ESET Internet Security. I don't know if additional signatures have been received by endpoint products."
thae 14 Posted November 11 Installed 1.3.2 on 100+ computers when it came out and I also didn't see any warning.
itman 1,807 Posted November 11 I just downloaded the .exe and no detection from Eset. Submitted to VirusTotal, which showed one detection: https://www.virustotal.com/gui/file/465e3cc0befa33ef54db3819d224e19cffe684cfe687c76b43352f5bb9c2d87e . Also VT analysis comments give it a -11. Note this is a different analysis than the one shown above by the OP. I will submit to CrowdStrike and later post its finding. I would proceed with caution here with regard to this .exe.
itman 1,807 Posted November 11 CrowdStrike rates the .exe malicious with a 100/100 confidence factor: https://www.hybrid-analysis.com/sample/465e3cc0befa33ef54db3819d224e19cffe684cfe687c76b43352f5bb9c2d87e .
carmik 0 Posted November 11 (Author) Stranger and stranger... I'll post the detection screenshot from Endpoint Security tomorrow.
itman 1,807 Posted November 11 There is also the question of whether you should be using RustDesk in the first place: https://discuss.tchncs.de/post/21632052
carmik 0 Posted November 12 (Author, edited) @itman thanks for the pointer to the discussion, mate. Unfortunately, RustDesk remains the fastest remote control software I've used, coupled with the capability to operate a relay (in-the-middle) server of my own. Hence, no data goes anywhere else, at least as far as the guys in the Reddit channel have examined. I find the following bits about ESET unsettling: a) why my ESET detects something on my platform, whereas on other platforms it did not detect anything at all; b) why previous RustDesk versions up to and including version 1.3.1 were not flagged at all; c) why even saving the file triggers detection (i.e., the executable was not even started). The screenshot from the detection (detection is triggered upon download): Edited November 12 by carmik
carmik 0 Posted November 12 (Author) 14 hours ago, itman said: CrowdStrike rates the .exe malicious with a 100/100 confidence factor: https://www.hybrid-analysis.com/sample/465e3cc0befa33ef54db3819d224e19cffe684cfe687c76b43352f5bb9c2d87e . Due to the nature of the program (not a simple app; it does a lot of stuff to provide remote access, with startup as a service etc.) it could be a case of a false positive. But you are correct in that we should be extra careful here.
itman 1,807 Posted November 12 (edited) 11 hours ago, carmik said: The screenshot from the detection (detection is triggered upon download): Post the entry from the Eset Detection log related to this. I went to the GitHub RustDesk web site and downloaded the Release 1.3.2 x86-64 (64-bit) Windows .exe option from there. Eset didn't detect anything upon file creation on my Win10 desktop. Edited November 12 by itman
carmik 0 Posted November 12 (Author) Will do. In the meantime, are you using the same product as me? If so, which ESET default policies are enabled?
itman 1,807 Posted November 12 4 minutes ago, carmik said: If so, which ESET default policies are enabled? I am using Smart Security Premium, not Eset Endpoint. However, a sig. detection by Eset would be the same for both products.
carmik 0 Posted November 12 (Author) We are using the standard signature set, so yeah, I think so too.
carmik 0 Posted November 12 (Author) On 11/11/2024 at 4:44 PM, itman said: CrowdStrike rates the .exe malicious with a 100/100 confidence factor: https://www.hybrid-analysis.com/sample/465e3cc0befa33ef54db3819d224e19cffe684cfe687c76b43352f5bb9c2d87e . Out of curiosity, would you be so nice as to redo the test with 1.3.1?
itman 1,807 Posted November 12 1 hour ago, carmik said: Out of curiosity, would you be so nice as to redo the test with 1.3.1? Same result: https://www.hybrid-analysis.com/sample/fc20fd159eea217fa8ba30309aef177ec00913007f42b325e6b7dd1f21a2f245 , malicious with 100/100 confidence factor.
carmik 0 Posted November 13 (Author, edited) 10 hours ago, itman said: Same result: https://www.hybrid-analysis.com/sample/fc20fd159eea217fa8ba30309aef177ec00913007f42b325e6b7dd1f21a2f245 , malicious with 100/100 confidence factor. Feels like this is definitely a false positive. To @Marcos and the rest of the ESET gang, should this thread be moved to Malware Detection and Cleaning? There are 3 log entries (3 tries to download the file), in Greek:
Ώρα;Σαρωτής;Τύπος αντικειμένου;Αντικείμενο;Ανίχνευση;Ενέργεια;Χρήστης;Πληροφορίες;Κατακερματισμός;Πρώτη εμφάνιση εδώ
11/11/2024 8:14:11 πμ;Προστασία συστήματος αρχείων σε πραγματικό χρόνο;αρχείο;C:\Users\a.user\Downloads\R4xXWbgN.exe.part;παραλλαγή του Win64/GenKryptik.HDRR trojan;καθαρίστηκε με διαγραφή (μετά την επόμενη επανεκκίνηση);PKM\a.user;Προέκυψε συμβάν σε ένα αρχείο που τροποποιήθηκε από την εφαρμογή: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;65BA4A49891526C1362C43937C9CA594FD146DDC;11/11/2024 8:14:02 πμ
11/11/2024 8:15:06 πμ;Προστασία συστήματος αρχείων σε πραγματικό χρόνο;αρχείο;C:\Users\a.user\Downloads\SSEzRkc9.exe.part;παραλλαγή του Win64/GenKryptik.HDRR trojan;καθαρίστηκε με διαγραφή (μετά την επόμενη επανεκκίνηση);PKM\a.user;Προέκυψε συμβάν σε ένα αρχείο που τροποποιήθηκε από την εφαρμογή: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;666E1DD6B1FE6F92B5702D113DAFDDCC52185A4E;11/11/2024 8:15:00 πμ
11/11/2024 12:36:33 μμ;Προστασία συστήματος αρχείων σε πραγματικό χρόνο;αρχείο;C:\Users\a.user\Downloads\lR2DC5N1.exe.part;παραλλαγή του Win64/GenKryptik.HDRR trojan;καθαρίστηκε με διαγραφή (μετά την επόμενη επανεκκίνηση);PKM\a.user;Προέκυψε συμβάν σε ένα αρχείο που τροποποιήθηκε από την εφαρμογή: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;111E196761E45DD91FE2823FEBFB42A239DE5BAE;11/11/2024 12:36:26 μμ
An interesting fact is that the column before the last, which is the hash (if I understand correctly), is not the same for some reason; I wonder why. From the policy side I can see that I have enabled the Antivirus - Maximum Security policy, as well as LiveGuard. Edited November 13 by carmik
carmik 0 Posted November 13 (Author, edited) On a hunch, I removed the Antivirus - Maximum Security policy from this system and retried downloading RustDesk. This time it downloaded just fine! Do note that this policy is included with ESET PROTECT (on-premise). @Marcos can you try to reproduce this from your side? Edited November 13 by carmik
itman 1,807 Posted November 13 (edited) 7 hours ago, carmik said: There are 3 log entries (3 tries to download the file), in Greek:
Ώρα;Σαρωτής;Τύπος αντικειμένου;Αντικείμενο;Ανίχνευση;Ενέργεια;Χρήστης;Πληροφορίες;Κατακερματισμός;Πρώτη εμφάνιση εδώ
11/11/2024 8:14:11 πμ;Προστασία συστήματος αρχείων σε πραγματικό χρόνο;αρχείο;C:\Users\a.user\Downloads\R4xXWbgN.exe.part;παραλλαγή του Win64/GenKryptik.HDRR trojan;καθαρίστηκε με διαγραφή (μετά την επόμενη επανεκκίνηση);PKM\a.user;Προέκυψε συμβάν σε ένα αρχείο που τροποποιήθηκε από την εφαρμογή: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;65BA4A49891526C1362C43937C9CA594FD146DDC;11/11/2024 8:14:02 πμ
11/11/2024 8:15:06 πμ;Προστασία συστήματος αρχείων σε πραγματικό χρόνο;αρχείο;C:\Users\a.user\Downloads\SSEzRkc9.exe.part;παραλλαγή του Win64/GenKryptik.HDRR trojan;καθαρίστηκε με διαγραφή (μετά την επόμενη επανεκκίνηση);PKM\a.user;Προέκυψε συμβάν σε ένα αρχείο που τροποποιήθηκε από την εφαρμογή: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;666E1DD6B1FE6F92B5702D113DAFDDCC52185A4E;11/11/2024 8:15:00 πμ
11/11/2024 12:36:33 μμ;Προστασία συστήματος αρχείων σε πραγματικό χρόνο;αρχείο;C:\Users\a.user\Downloads\lR2DC5N1.exe.part;παραλλαγή του Win64/GenKryptik.HDRR trojan;καθαρίστηκε με διαγραφή (μετά την επόμενη επανεκκίνηση);PKM\a.user;Προέκυψε συμβάν σε ένα αρχείο που τροποποιήθηκε από την εφαρμογή: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;111E196761E45DD91FE2823FEBFB42A239DE5BAE;11/11/2024 12:36:26 μμ
An interesting fact is that the column before the last, which is the hash (if I understand correctly), is not the same for some reason; I wonder why.
None of the files associated with the three hashes shown in the log entries have been submitted to VirusTotal. This leads me to believe that you are being redirected from the GitHub RustDesk download site to somewhere else which is serving up a malicious download that Eset is detecting. Or, the GitHub RustDesk download site you're connecting to is a bogus fake web site. Perform the GitHub 1.3.2 RustDesk download using a different browser and see if Eset still detects it as malicious. Edited November 13 by itman
carmik 0 Posted November 13 (Author) Easy to test; can you upload 1.3.2 somewhere and give me a download link?
itman 1,807 Posted November 13 (edited) 3 hours ago, carmik said: Easy to test; can you upload 1.3.2 somewhere and give me a download link? https://www.mediafire.com/file/o1bv999sfra6d6m/rustdesk-1.3.2-x86_64.exe/file Note: if you see the following message after download, ignore it, since the download was successful: Edited November 13 by itman
carmik 0 Posted November 13 (Author) Thanks @itman! The file was downloaded just fine from MediaFire! And from the RustDesk site, after trying immediately afterwards!!!! Has ESET perhaps done something on their part?
itman 1,807 Posted November 13 (edited) 1 hour ago, carmik said: The file was downloaded just fine from MediaFire! And from the RustDesk site, after trying immediately afterwards!!!! Has ESET perhaps done something on their part? Doubtful. Of note is that you were the only one having an Eset detection upon download. Note that all the Eset file detections you posted above were for partial file downloads from Firefox, e.g.:
11/11/2024 8:14:11 AM;Real-time File System Protection;file;C:\Users\a.user\Downloads\R4xXWbgN.exe.part;variant of Win64/GenKryptik.HDRR trojan;cleaned by delete (after next restart);PKM\a.user;An event occurred in a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D) 5BA4A49891526C1362C43937C9CA594FD146DDC;11/11/2024 8:14:02 AM
Firefox does these partial file downloads to speed up the file download. Firefox will actually begin the file download prior to your actually selecting the file download from the web site. Most significant is that the file name being detected by Eset, R4xXWbgN.exe.part, is not what should have been downloaded. It is possible there was a previous network issue, most likely in the external network connections, resulting in something else being downloaded to your device. Edited November 13 by itman
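A small parser for the ESET detection-log export quoted in this thread, plus a hash check for a downloaded installer. This is an added example, not code from the thread or from ESET; it assumes the export layout shown above (semicolon-separated, ten columns, object path in the fourth column and the file hash in the ninth) and reuses the three rows carmik posted as a constructed sample.

```python
import csv
import hashlib
import io

# Constructed sample: the three ESET detection-log rows posted in the thread,
# exactly as exported (semicolon-separated, Greek column headers).
ESET_LOG = r"""Ώρα;Σαρωτής;Τύπος αντικειμένου;Αντικείμενο;Ανίχνευση;Ενέργεια;Χρήστης;Πληροφορίες;Κατακερματισμός;Πρώτη εμφάνιση εδώ
11/11/2024 8:14:11 πμ;Προστασία συστήματος αρχείων σε πραγματικό χρόνο;αρχείο;C:\Users\a.user\Downloads\R4xXWbgN.exe.part;παραλλαγή του Win64/GenKryptik.HDRR trojan;καθαρίστηκε με διαγραφή (μετά την επόμενη επανεκκίνηση);PKM\a.user;Προέκυψε συμβάν σε ένα αρχείο που τροποποιήθηκε από την εφαρμογή: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;65BA4A49891526C1362C43937C9CA594FD146DDC;11/11/2024 8:14:02 πμ
11/11/2024 8:15:06 πμ;Προστασία συστήματος αρχείων σε πραγματικό χρόνο;αρχείο;C:\Users\a.user\Downloads\SSEzRkc9.exe.part;παραλλαγή του Win64/GenKryptik.HDRR trojan;καθαρίστηκε με διαγραφή (μετά την επόμενη επανεκκίνηση);PKM\a.user;Προέκυψε συμβάν σε ένα αρχείο που τροποποιήθηκε από την εφαρμογή: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;666E1DD6B1FE6F92B5702D113DAFDDCC52185A4E;11/11/2024 8:15:00 πμ
11/11/2024 12:36:33 μμ;Προστασία συστήματος αρχείων σε πραγματικό χρόνο;αρχείο;C:\Users\a.user\Downloads\lR2DC5N1.exe.part;παραλλαγή του Win64/GenKryptik.HDRR trojan;καθαρίστηκε με διαγραφή (μετά την επόμενη επανεκκίνηση);PKM\a.user;Προέκυψε συμβάν σε ένα αρχείο που τροποποιήθηκε από την εφαρμογή: C:\Program Files\Mozilla Firefox\firefox.exe (CE586D3C6D1EF782B35A7B9276D1FEBF0F2F1F3D).;111E196761E45DD91FE2823FEBFB42A239DE5BAE;11/11/2024 12:36:26 μμ
"""

# Column positions taken from the header row (assumed layout): object path at
# index 3, detection name at 4, file hash at 8. Rows shorter than ten columns
# are treated as damaged export lines and skipped.
COLUMNS = 10
OBJECT, DETECTION, SHA1 = 3, 4, 8


def parse_eset_log(text):
    """Return one dict per detection row, skipping the header row."""
    rows = csv.reader(io.StringIO(text), delimiter=";")
    next(rows, None)  # header
    records = []
    for row in rows:
        if len(row) < COLUMNS:
            continue
        records.append({"time": row[0], "object": row[OBJECT],
                        "detection": row[DETECTION], "sha1": row[SHA1].upper()})
    return records


def triage(records):
    """The two things worth checking first: were the detected objects partial
    browser downloads (.part), and did the hash change between attempts?"""
    return {
        "count": len(records),
        "all_partial_downloads": all(r["object"].lower().endswith(".part")
                                     for r in records),
        "distinct_hashes": len({r["sha1"] for r in records}),
        "detections": sorted({r["detection"] for r in records}),
    }


def file_sha256(path):
    """SHA-256 of a downloaded installer, to compare with a hash you trust."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()
```

Three distinct hashes for three attempts at the same file, all on `.part` objects, is the pattern itman points to above; a completed download whose SHA-256 matches a value verified elsewhere (for example the one itman submitted to VirusTotal) is the positive check.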
itman 1,807 Posted November 13 (edited) I also strongly advise you to start paying attention to Eset detection alerts. When you received the first alert on 11/11/2024, Eset instructed you to reboot to remove the trojan. I assume you did not do this, with the result being continued similar alerts throughout the day. All indications are that something infected Firefox (memory, cache, whatever) to redirect to malicious downloads. Have you enabled EES Secured Browser mode: https://help.eset.com/ees/11/en-US/?idh_config_sb.html ? Edited November 13 by itman
carmik 0 Posted November 14 (Author) 8 hours ago, itman said: I also strongly advise you to start paying attention to Eset detection alerts. When you received the first alert on 11/11/2024, Eset instructed you to reboot to remove the trojan. I assume you did not do this, with the result being continued similar alerts throughout the day. I did not do any reboots at that time. But I did disable the aggressive antivirus policy for a while. I should have tried at that time to download with a different browser as well. 8 hours ago, itman said: All indications are that something infected Firefox (memory, cache, whatever) to redirect to malicious downloads. Have you enabled EES Secured Browser mode: https://help.eset.com/ees/11/en-US/?idh_config_sb.html ? Not using it TBH, just plain Firefox with uBlock Origin. We have never had any infections in our LAN (to our knowledge), with the exception of one vulnerable Cisco router, which was not even owned/operated by us. I'll do some runs with HitmanPro and MBAM and keep my eye on the browser for the next weeks. Thanks for your help!