Topic: Possible false positive Eset AV


gigasquid
Possible false positive Eset AV
« on: March 16, 2015, 10:47:53 PM »
Ran RogueKiller and this came back under Processes:

Status: Killed [DrvNtTerm]
Detection: Proc.Injected
ID: 2072
Name: ekrn.exe
Eset-NOD32\ekrn.exe

Dump generated available at: https://www.dropbox.com/s/caaz62kr6ko30so/smss.dmp?dl=0

Thanks

Curson
Re: Possible false positive Eset AV
« Reply #1 on: March 17, 2015, 12:18:34 PM »
Hi gigasquid,

Welcome to Adlice.com Forum!
Which version of RogueKiller did you use?

Regards.

gigasquid
Re: Possible false positive Eset AV
« Reply #2 on: March 18, 2015, 02:23:03 AM »
Hi Curson.
v10.5.4.0

Thanks

Curson
Re: Possible false positive Eset AV
« Reply #3 on: March 18, 2015, 10:39:26 AM »
Hi gigasquid,

This false positive should be fixed in version 10.5.5.
Could you please redo a scan with the latest version of RogueKiller?

Regards.

gigasquid
Re: Possible false positive Eset AV
« Reply #4 on: March 19, 2015, 02:03:25 AM »
Hi Curson

Scanned again with 10.5.5 and false pos remains.

Status: Killed [DrvNtTerm]
Detection: Proc.Injected
ID: 2108
Name: ekrn.exe
Eset-NOD32\ekrn.exe (Red 1x)

I'm also getting hits under AntiRootkit. They all involve:

- SystemRoot\system32\DRIVERS\SamsungRapidDiskFltr.sys (Orange 4x)

- SystemRoot\system32\DRIVERS\SamsungRapidFSFltr.sys (Red 2x)

These drivers came with the Samsung SSD purchased recently and are most likely false positives.

A suggestion, Curson: how about adding a way in RK to 'exempt' a detection when it is most likely to be from friendly software? An auto response could be sent to you to save you time?

Thank you

Curson
Re: Possible false positive Eset AV
« Reply #5 on: March 19, 2015, 08:49:30 AM »
Hi gigasquid,

Could you please post the full path of the detected process?
Quote:
    - SystemRoot\system32\DRIVERS\SamsungRapidDiskFltr.sys (Orange 4x)
    - SystemRoot\system32\DRIVERS\SamsungRapidFSFltr.sys (Red 2x)
Thanks for bringing this to our attention. They are indeed false positives and they will be fixed in the next version of RogueKiller.

Quote:
    A suggestion Curson: how about adding a way in RK to 'exempt' a detection when it is most likely to be from friendly software? An auto response could be sent to you to save you time?
Thanks for the suggestion.
A user-based ignore list is already planned for future versions of RogueKiller.
We will look at your suggestion of a "Report false positive" feature as well.

EDIT: Could you please copy/paste the full report of RogueKiller showing those false positives?

Regards.
« Last Edit: March 19, 2015, 12:01:57 PM by Curson »

gigasquid
Re: Possible false positive Eset AV
« Reply #6 on: March 23, 2015, 06:46:17 AM »
RogueKiller V10.5.5.0 [Mar 16 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : deepblack [Administrator]
Started from : C:\Users\deepblack\Desktop\RogueKiller.exe
Mode : Scan -- Date : 03/23/2015  18:25:35

¤¤¤ Processes : 2 ¤¤¤
[Proc.Injected] ekrn.exe(2180) -- C:\SECURITY\Eset-NOD32\ekrn.exe[7] -> Killed [DrvNtTerm]
[Tr.Zeus] mbamservice.exe(2512) -- C:\SECURITY\Malwarebytes' Anti-Malware\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 12 ¤¤¤
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnlockerDriver5 (\??\C:\utilities\Unlocker\UnlockerDriver5.sys) -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2474097703-2774914646-1890302379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2474097703-2774914646-1890302379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2474097703-2774914646-1890302379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 2  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2474097703-2774914646-1890302379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2474097703-2774914646-1890302379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2474097703-2774914646-1890302379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2474097703-2774914646-1890302379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2474097703-2774914646-1890302379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 2 (Driver: Loaded) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass1 : \Driver\DCR @ Unknown (\SystemRoot\system32\DRIVERS\SamsungRapidFSFltr.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\DCR @ Unknown (\SystemRoot\system32\DRIVERS\SamsungRapidFSFltr.sys)

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] kh8tl6z5.default : user_pref("browser.startup.homepage", "file:///E:/websites/MYPORTAL/JS_portal.htm"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 EVO 120GB ATA Device +++++
--- User ---
[MBR] 0cd36e6253263a30d795f63ee61f48ba
[BSP] ecabf34cb79be80f691b1e77db54afc9 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 102924 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD20EZRX-00D8PB0 ATA Device +++++
--- User ---
[MBR] 527b4e09a837ede356e04aec32b9fac7
[BSP] 36d97a1cf154b7255ae6a08bd5d16f59 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 16072 | Size: 1907718 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WDC WD10EARS-00Y5B1 ATA Device +++++
--- User ---
[MBR] 7a677abb4f17a785cba6d05e4ac0352b
[BSP] a30a08a673cd5d3a550c2b29a608e8f1 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 16065 | Size: 953859 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03232015_175709.log

Curson
Re: Possible false positive Eset AV
« Reply #7 on: March 23, 2015, 03:14:01 PM »
Hi gigasquid,

The false positives present in your report will be whitelisted in RogueKiller's next release.
Regarding the following detections:
Quote:
    [Proc.Injected] ekrn.exe(2180) -- C:\SECURITY\Eset-NOD32\ekrn.exe[7] -> Killed [DrvNtTerm]
    [Tr.Zeus] mbamservice.exe(2512) -- C:\SECURITY\Malwarebytes' Anti-Malware\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Killed [TermProc]
These processes, although legitimate, won't be whitelisted because they are not in the standard "Program Files" directory.

Regards.
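Added example (editor's code, not RogueKiller's and not from any participant in the thread): a small Python triage script that parses the Processes and Antirootkit lines of the report format posted in Reply #6 and applies the one rule Curson states in Reply #7, that a legitimate image is only a whitelist candidate when it lives under the standard Program Files directory. The regexes, the field names, the Program Files test (top-level folder named "Program Files" or "Program Files (x86)" on any drive) and the extra `example.exe` line used for contrast are assumptions for illustration; the other sample lines are copied from the report above.

```python
"""Triage RogueKiller report lines against the 'Program Files' whitelist rule.

Added example, not RogueKiller's own code. Parses the text report format shown
in the thread and applies the maintainer's stated rule: a legitimate process is
only a whitelist candidate when its image sits under Program Files.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: two Processes lines and one Antirootkit line copied from the
# RogueKiller V10.5.5.0 report in the thread, plus one made-up Processes line
# (example.exe, under Program Files) added here for contrast.
SAMPLE_REPORT = r"""
¤¤¤ Processes : 3 ¤¤¤
[Proc.Injected] ekrn.exe(2180) -- C:\SECURITY\Eset-NOD32\ekrn.exe[7] -> Killed [DrvNtTerm]
[Tr.Zeus] mbamservice.exe(2512) -- C:\SECURITY\Malwarebytes' Anti-Malware\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Killed [TermProc]
[Proc.Injected] example.exe(4242) -- C:\Program Files\Example Vendor\example.exe[7] -> Killed [DrvNtTerm]

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass1 : \Driver\DCR @ Unknown (\SystemRoot\system32\DRIVERS\SamsungRapidFSFltr.sys)
"""

# Assumed line shapes, derived from the report above (the "[7]" suffix after the
# path is kept opaque; the report does not say what it means).
PROCESS_RE = re.compile(
    r"^\[(?P<detection>[^\]]+)\] (?P<image>\S+)\((?P<pid>\d+)\) -- "
    r"(?P<path>.+?)\[\d+\] -> (?P<action>.+)$"
)
FILTER_RE = re.compile(
    r"^\[(?P<detection>[^\]]+)\] (?P<class_driver>\S+) @ (?P<device>\S+) : "
    r"(?P<filter>\S+) @ (?P<state>\S+) \((?P<path>[^)]+)\)$"
)

PROGRAM_FILES_DIRS = {"program files", "program files (x86)"}


@dataclass(frozen=True)
class ProcessHit:
    detection: str
    image: str
    pid: int
    path: str
    action: str


@dataclass(frozen=True)
class FilterHit:
    detection: str
    class_driver: str   # device class driver the filter is attached to, e.g. \Driver\kbdclass
    device: str         # device object in that stack, e.g. \Device\KeyboardClass1
    filter_driver: str  # the attached filter's driver object
    path: str           # backing file of the filter driver


def in_program_files(path: str) -> bool:
    """True when the image is below <drive>:\\Program Files[ (x86)]\\... (assumed test)."""
    parts = PureWindowsPath(path).parts
    # parts[0] is the drive anchor; the top-level folder is parts[1]. Require at
    # least one more component so a bare "C:\Program Files" does not pass.
    return len(parts) > 2 and parts[1].lower() in PROGRAM_FILES_DIRS


def parse_report(text: str) -> tuple[list[ProcessHit], list[FilterHit]]:
    """Walk the report, tracking the current ¤¤¤ section, and collect hits."""
    processes: list[ProcessHit] = []
    filters: list[FilterHit] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("¤¤¤"):
            section = line.split()[1]  # 'Processes', 'Antirootkit', 'Registry', ...
            continue
        if section == "Processes" and (m := PROCESS_RE.match(line)):
            processes.append(ProcessHit(m["detection"], m["image"], int(m["pid"]),
                                        m["path"], m["action"]))
        elif section == "Antirootkit" and (m := FILTER_RE.match(line)):
            filters.append(FilterHit(m["detection"], m["class_driver"], m["device"],
                                     m["filter"], m["path"]))
    return processes, filters


def whitelist_verdict(hit: ProcessHit) -> str:
    """Maintainer's rule: legitimate or not, an image outside Program Files is
    not whitelisted, so it keeps being reported (and killed) on every scan."""
    if in_program_files(hit.path):
        return "whitelist candidate"
    return "not whitelisted: outside Program Files"


if __name__ == "__main__":
    procs, filts = parse_report(SAMPLE_REPORT)
    for p in procs:
        print(f"{p.detection:<14} {p.image} (pid {p.pid}) -> {whitelist_verdict(p)}")
    for f in filts:
        print(f"{f.detection} {f.filter_driver} on {f.device} backed by {f.path}")
```

Run against the sample, the two security products installed under C:\SECURITY come back as not whitelisted while the constructed Program Files entry is a candidate, which is exactly the outcome Curson describes; the Antirootkit parse shows which keyboard device objects the Samsung filter is attached to, which is the detail to confirm against the vendor's driver before treating the Root.Keylogger hit as a false positive.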