Author Topic: False positive or legit? Esif_assist_64.exe  (Read 8013 times)



Salenai

False positive or legit? Esif_assist_64.exe
« on: October 23, 2016, 12:23:24 AM »
Hello, each time I run RogueKiller in normal mode, it finds esif_assist_64.exe in the C:/Windows/Temp/DPTF/ folder.

The detection is labeled as Suspicious.Path, and the type is Process.

Each time I click on Delete, it does not get deleted; instead it gets "killed".

The file shows up every time I boot the computer, and its creation time is the time I booted the computer.

The description of the file is: Intel (R) Dynamic Platform and Thermal Framework Utility Application.

The file does not show up in the folder when I boot the computer in safe mode, and neither does it get detected by RogueKiller. It gets detected only when I run it in normal mode.

I ran it through VirusTotal and it came back clean; however, I checked the details and it shows all certificates as legit except the first one. Also, it identified it as a Portable Executable file.

Is it legit? Thanks


Salenai

Re: False positive or legit? Esif_assist_64.exe
« Reply #1 on: October 24, 2016, 01:33:57 PM »
Can anyone please verify this for me?
I found out that the file and folder were not present after a reinstall, but appeared once I updated Windows.


Curson

Re: False positive or legit? Esif_assist_64.exe
« Reply #2 on: October 24, 2016, 06:01:18 PM »
Hi Salenai,

This item is legit.
Every process that is launched from any temporary folder is considered Suspicious by RogueKiller.
You can safely leave it alone.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.


Salenai

Re: False positive or legit? Esif_assist_64.exe
« Reply #3 on: October 28, 2016, 10:27:48 PM »
Thank you.

So I do not need to be concerned?
Has this file been tested by others and reported as suspicious?

Neither VirusTotal nor anything else found anything wrong with it. RogueKiller is the only thing that found it to be suspicious. VirusTotal found 0 viruses, but upon closer inspection I found an expired main certificate:
Intel (R) Software - Certificate Intel external basic issuing CA 3B.
It is an expired certificate; it expired on 7/15/2016.

The timestamp is however all right (which I heard is the most important part?), along with the other sub-certificates of the file.
There are also 2 more files in the DPTF folder, something with the names wwan and wlan; both also have an expired first main certificate with the same name, while the other sub-certificates are ok.

I tried deleting the folder; I can't. I tried ending the process in Task Manager: I kill the process and at the same moment it starts again, so it cannot be stopped.


Curson

Re: False positive or legit? Esif_assist_64.exe
« Reply #4 on: October 28, 2016, 10:57:33 PM »
Hi Salenai,

You are welcome.
Quote from: Salenai
So I do not need to be concerned?
Has this file been tested by others and reported as suspicious?
No, this file is safe.
Since malware processes are often launched from temporary folders, RogueKiller flags every such process as Suspicious.

Quote from: Salenai
Neither VirusTotal nor anything else found anything wrong with it. RogueKiller is the only thing that found it to be suspicious. VirusTotal found 0 viruses, but upon closer inspection I found an expired main certificate:
Intel (R) Software - Certificate Intel external basic issuing CA 3B.
It is an expired certificate; it expired on 7/15/2016.

The timestamp is however all right (which I heard is the most important part?), along with the other sub-certificates of the file.
There are also 2 more files in the DPTF folder, something with the names wwan and wlan; both also have an expired first main certificate with the same name, while the other sub-certificates are ok.
Expired certificates are indeed not really an issue.

Quote from: Salenai
I tried deleting the folder; I can't. I tried ending the process in Task Manager: I kill the process and at the same moment it starts again, so it cannot be stopped.
The Temp folder is essential to Windows; don't delete it.
esif_assist_64.exe is likely monitored and automatically restarted.

Regards.
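The three points raised in this thread (a process running from a temp folder, a signing certificate that has expired but carries a valid timestamp, and a process that is restarted as soon as it is killed) can each be checked from a PowerShell prompt instead of taking a scanner's label or a forum answer on trust. The script below is an added example written for this page; it is not RogueKiller's or Intel's code. It assumes Windows PowerShell 5.1 or later and the path the poster reported; change $Target if the file lives elsewhere on your machine.

```powershell
# Added example (not from the thread). Assumes the path reported by the poster.
$Target = 'C:\Windows\Temp\DPTF\esif_assist_64.exe'

# 1. Reproduce the Suspicious.Path heuristic: list every running process whose image
#    sits under a temporary folder. This is a location check only, not a malware verdict,
#    which is exactly why legitimate vendor helpers in Windows\Temp trip it.
$TempRoots = @(
    (Join-Path $env:windir 'Temp'),
    $env:TEMP,
    $env:TMP
) | Where-Object { $_ } | Select-Object -Unique

function Get-ProcessFromTemp {
    Get-Process | Where-Object {
        $p = $_.Path   # $null for protected/system processes we cannot query
        $p -and ($TempRoots | Where-Object { $p.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    } | Select-Object Id, ProcessName, Path
}

# 2. Check the Authenticode signature. A signer certificate past its NotAfter date still
#    verifies as Valid when the signature is countersigned by a timestamp authority dated
#    while the certificate was current; a missing timestamp or a HashMismatch is the thing
#    to worry about, not the expiry date by itself.
function Test-TempBinarySignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer         = $sig.SignerCertificate.Subject
        SignerNotAfter = $sig.SignerCertificate.NotAfter
        SignerExpired  = ($null -ne $sig.SignerCertificate -and $sig.SignerCertificate.NotAfter -lt (Get-Date))
        TimeStamper    = $sig.TimeStamperCertificate.Subject   # empty if there is no countersignature
        SHA256         = (Get-FileHash -Path $Path -Algorithm SHA256).Hash  # for a VirusTotal lookup
    }
}

# 3. Find out what restarts the process: report the parent of every running instance.
#    Win32_Process exposes ParentProcessId on all supported Windows PowerShell versions.
function Get-ParentOfProcess {
    param([Parameter(Mandatory)][string]$Name)
    Get-CimInstance Win32_Process -Filter "Name = '$Name'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            Pid        = $_.ProcessId
            Path       = $_.ExecutablePath
            ParentPid  = $_.ParentProcessId
            ParentName = $parent.Name
            ParentPath = $parent.ExecutablePath
        }
    }
}

Get-ProcessFromTemp | Format-Table -AutoSize
if (Test-Path $Target) {
    Test-TempBinarySignature -Path $Target | Format-List
    Get-ParentOfProcess -Name (Split-Path $Target -Leaf) | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that Get-Process can read the image path of every process. Status should read Valid for a genuine vendor binary even when SignerExpired is True, provided TimeStamper is populated; the SHA256 value is what to paste into VirusTotal rather than uploading the file again, and the ParentName column shows which service or driver helper is relaunching the process, which is the expected behaviour Curson describes rather than something to fight with Task Manager.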