GoogleUpdate.exe 'Application modification detected' : a false positive?

[j1212james 0]

ESET recommends I 'Deny' Google update installer ("C:\Program Files\Google\Update\GoogleUpdate.exe").  I compared certificates/certificate keys between the same installer application file on another machine utilizing the same ESET product activation and both certificates appear to be identical.  I am 99% sure it is ok to ignore ESET's warning but am posting this to the Forum both to seek reassurance and as an FYI.  Is this a bug? 

 

Thanks

Edited September 14, 2015 by j1212james

[Marcos 5,074]

By default, ESS doesn't notify about changes in files with a valid digital signature. Maybe you disabled the option to trust such applications which would be a reason for the notification.

[itman 1,659]

By default, ESS doesn't notify about changes in files with a valid digital signature. Maybe you disabled the option to trust such applications which would be a reason for the notification.

I have never received an alert about a file change and I have the "valid digital signature" option disabled.

 

It is my understanding that this file change alerting only works if outbound firewall monitoring is enabled. Is this correct? 

[Marcos 5,074]

It is my understanding that this file change alerting only works if outbound firewall monitoring is enabled. Is this correct?

It's not clear how would you limit the firewall to monitor outbound or inbound communication separately. With the firewall enabled you should have received a notification with action selection. Of course, if firewall is disabled than network-aware applications won't be monitored for changes.

[itman 1,659]

 

It is my understanding that this file change alerting only works if outbound firewall monitoring is enabled. Is this correct?

It's not clear how would you limit the firewall to monitor outbound or inbound communication separately. With the firewall enabled you should have received a notification with action selection. Of course, if firewall is disabled than network-aware applications won't be monitored for changes.

 

Hum ........ didn't say correctly what I meant. It is my understanding the firewall needs to be set to interactive mode to receive program update alerts? As you can see from the below screen shot, mine is to set to the default automatic mode. And I have never received any update alert about signed or non-signed software.

 

Note: I do all my updating manually. Does this feature only apply to automatic program updating?

 

Edited September 7, 2015 by itman

[Marcos 5,074]

No, it works with default settings. I've tested it as follows and it worked:

1, Open a website in a browser

2, Close the browser

3, Backup the browser's executable (I performed the test with iexplore.exe)

4, Edit one character in a string so that the executable remains functional

5, Run the modified executable and open a website. You should get a warning that the application was modified.

[itman 1,659]

Tried to duplicate what you did. Modified "Microsoft" copyright data to "Midosoft" in IE10 x64 and saved it. Program wouldn't run; something about a x86 x64 compatibility issue.

 

So the question remains why I am getting any alerts. Does the signed check apply to WIndows apps? Obviously there have been many updates to those since I installed Eset. I have also manually updated RevoUninstaller Pro for example and never received any alerts on that. By manually, I mean I get an notice from the app upon start up that an update is available and I indicate that it is OK to download and install the update. 

 

Perhaps this only applies to apps that have been silently modified/updated during actual execution of the app?

[itman 1,659]

Maybe I was right after all. The below is from the Endpoint user manual. Notice what I underlined. So I assume you would have to be running in interactive mode initially or manually create rules for all apps you want monitored.

 

 

Application Modification Detection

 

 

The application modification detection feature displays notifications if modified applications, for which a firewall rule exists, attempt to establish connections. This is useful to avoid abusing rules configured for some application by another application by temporarily or permanently replacing the original application's executable file with the other applications executable file, or by maliciously modifying the original application's executable file. Please be aware that this feature is not meant to detect modifications to any application in general. The goal is to avoid abusing existing firewall rules, and only applications for which specific firewall rules exist are monitored.

 

Enable detection of application modifications – If selected, the program will monitor applications for changes (updates, infections, other modifications). When a modified application attempts to establish a connection, you will be notified by the Personal firewall.

 

Allow modification of signed (trusted) applications – Don't notify if the application has the same valid digital signature before and after the modification.

List of applications excluded from checking – This window lets you add or remove individual applications for which modifications are allowed without notification.

Edited September 8, 2015 by itman

[itman 1,659]

Just verified that after setting firewall to interactive and having created a rule for iexplore.exe, I did indeed receive an alert about a program change for iexplore.exe upon access of it after the Sept. Win Updates were downloaded and applied.

 

 

[j1212james 0]

 

Thanks Marcos and itman for your responses -- 

 

Yes, my Network / Firewall setting is on Interactive mode, where both options are checked [these are the default settings]:  'enable detection of application modifications' and 'allow modification of signed (trusted) applications'

 

[in: ESET Smart Security8>enter Advanced setup>open Network tree>open Personal firewall tree>Application modification detection]

 

In the same window, you are able to add paths to application files to exclude from detection, or filtering; I had excluded the Picassa updater [another Google product], and another for Canopy, a Python package manager. I manually added GoogleUdate.exe to the exclusion list to see if that would eliminate the application modification warning but it did not. 

 

I have had my firewall set up in interactive mode for several years - I installed Chrome on this machine about 1.5 yrs ago but this is the first time I have received this warning on Chrome's GoogleUpdate.exe -- so to be safe and to test I uninstalled/reinstalled Chrome, while retaining the same settings for ESET. With GoogleUpdate.exe still in the exclusion list for application modification warnings, I received no warning on Chrome's fresh reinstall after clicking 'about' in Chrome.  I then removed GoogleUpdate.exe from the exclusion list in ESET and after checking for updates in Chrome again got the same application modification warning on a certainly clean Google updater file.  I 'allowed' this file thru the ESET GUI [which adds the path to the exclusion list] and now Chrome updates as expected with no warnings from ESET.

 

So I will mark this issue as 'solved' -- since I was able to reproduce the warning on a clean copy of Google's updater, it seems safe to keep in the exclusion list, essentially I guess making firewall filtering automatic instead of interactive for those application files. Though I still don't understand what changed to create this issue.

[bbahes 29]

I have to reopen this thread, since I don't want to start new one.

I'm having same issue with Skype for Desktop and Skype for Business applications.
We use ERA v5 ans EES v5.

Basically my users started getting dialog "Application modification detected" even though firewall settings are set to: Allow modification of signed (trusted) applications: Yes
Filtering mode is set to Policy-based mode

I have explicit rule for these applications to allow all communication since they use random port numbers.

I wouldn't want users to see this dialog, yet I'd like to see it logged somewhere in ERA:

[Marcos 5,074]

You can only exclude particular applications from being monitored for modifications in the advanced firewall -> Application modification detection setup. By default trusted (signed) applications are not monitored.

[bbahes 29]

Yes I can exclude that app. I wonder why do users even get that dialog?

If it is malicious I'd like to know. This event is not logged in ERA?

I have also checked .exe digital signature and it has two signatures. One with sha256 and one with sha1. Could it be because of this sha1 certificate that EES does not see as "correctly" signed app?

 

@Marcos @MichalJ @Peter Randziak

Edited November 20, 2017 by bbahes