goldfish, posted October 20, 2015

Hello, yesterday I upgraded ESET from 8.xx to 9.xx (the latest version) on Windows 7 64-bit, and I've had only one issue so far, which seems to be a conflict that prompts multiple memory threat messages.

I use a known not-trusted app which I'm fine with, and I added it to the exclusions list (actually I upgraded from 8 without a clean install, but it upgraded just fine and kept my preferences, which is nice, and I checked they're still there). However, every now and then (multiple times a day) ESET keeps detecting a memory threat and spawns like 9 messages that are almost equal, only one letter changes in the "Threat" field, and it says "cleaned by deleting". However, the program keeps running and it's running just fine (which is what I specified on the exclusion list). The messages must be some type of glitch, because they shouldn't appear and I can't detect anything ESET 'cleaned' on it as they say.

Is this a known bug? I never had this problem in the previous versions (I've been a user since v4)... it's really just the messages afaik, but I thought it'd be nice to report. I have PUP detection enabled; the rest I believe is at default right now, which is basically everything enabled.

Thanks for any help.
Marcos (Administrators), posted October 20, 2015

Please post a screenshot of the complete warning you're getting (i.e. where the complete path and detection name are fully visible).
goldfish (Author), posted October 20, 2015

Does the log file meet your request? There is no file path, and as far as I remember, there was no file path on the popup message displayed either. Those are all the detections I've got since I installed; however, as I said, the file wasn't deleted, nor did I detect any problems in NanoCore.

hxxp://i.imgur.com/zixq4lG.png
Marcos (Administrators), posted October 20, 2015

In this case the path to the file could not be determined, as it was code in memory that was detected. If you believe it's a false positive, please submit it to samples[at]eset.com so that the detection is removed if those files are indeed innocuous.
goldfish (Author), posted October 20, 2015

The question is not that; it isn't a false positive. However, I trust the program and I allowed it through file exclusions in the 'Computer protection' part of Advanced Setup. Shouldn't ESET respect the file exclusion list in all its detection algorithms? This didn't seem to happen in ESET 8.xx or any of the previous versions, as I said above... It doesn't seem to delete the file, that's right, but the messages pop up, and I've got other files in exclusions and they don't seem to have this problem (which they would have if I took them off the exclusion list).
itman, posted October 20, 2015

You sure what you're using is not the "cracked" version?

hxxp://xozen.blogspot.com/2015/04/leaked-full-version-of-nanocore-rat.html
hxxp://www.herdprotect.com/nanocore.exe-e6c4bc39dd65fe8b41bb52823f06c4a2fefa26c5.aspx
goldfish (Author), posted October 20, 2015

> You sure what you're using is not the "cracked" version?
>
> hxxp://xozen.blogspot.com/2015/04/leaked-full-version-of-nanocore-rat.html
> hxxp://www.herdprotect.com/nanocore.exe-e6c4bc39dd65fe8b41bb52823f06c4a2fefa26c5.aspx

Yes I am, it's the original (paid), I've had this for a long time.

Btw, I just noticed, it seems to happen when there's a new update to the virus signature database; right after the update, the messages come up, like now.
Marcos (Administrators), posted October 20, 2015

Trojans and other malware cannot be excluded from detection just by name. If there's an innocuous application erroneously detected as a threat, report it to samples[at]eset.com. If it's actually benign, we'll remove the detection so it won't be detected in memory any more. If you want to take the risk, you can disable memory scan in the startup scan setup, but this will substantially cripple the protection, so we don't recommend it at all.
goldfish (Author), posted October 20, 2015

> Trojans and other malware cannot be excluded from detection just by name. If there's an innocuous application erroneously detected as a threat, report it to samples[at]eset.com. If it's actually benign, we'll remove the detection so it won't be detected in memory any more. If you want to take the risk, you can disable memory scan in the startup scan setup, but this will substantially cripple the protection, so we don't recommend it at all.

By name, you mean the exclusion path list? It was working fine on the previous versions though... I'm more intrigued by the multiple messages and no process termination from ESET, because NanoCore keeps running after these detections. If that's intended, and the exclusion-list-'ignore' too, then I can accept it and deal with it, but it was working fine on previous versions, which is why I made this thread asking what changed... because I've got other 'malware' apps running and they all seem fine, so it must be a specific detection which doesn't warrant a process kill, specific to NanoCore.

Oh well, I can deal with it. Thanks for the help if that's intended.
Marcos (Administrators), posted October 20, 2015

No, by detection name I mean detection name, e.g. @ApplicUnsaf.Win32/NetFilter.A. Exclusions don't work for memory detections if the path to a file cannot be determined. And exclusions by name don't work for detections other than PUA, for security reasons. It has always worked like that and nothing has changed recently in this regard. Maybe something has changed so that we now scan the memory better, which is perfectly OK as we can better detect malware if it is already unpacked in memory.

Again, if something is detected as a trojan or other kind of malware and you suspect that it's detected erroneously (a so-called false positive), submit it to ESET for analysis so that the detection can be removed if the FP is confirmed.
goldfish (Author), posted October 21, 2015

I could understand that if it didn't detect the file name and its PID, because you can get the file path from the process PID kind of easily, but I respect and understand what you're saying, even though I believe that, the way it is detecting it, it should exclude.

One final question if I may: how can I see which ESET algorithm is detecting it? Is it the memory scanner as a whole? Or does it have to do with PUA (unwanted) or PUA (unsafe)?

Thanks for your help.