BobSoul
Posts posted by BobSoul
The following file was detected and quarantined
I believe the file listed below is from Heidelberg Engineering software for our OCT and FA machines -
Malware.Sandbox.1 File Malware Quarantined C:\PROGRAMDATA\{9F5B1D86-96A8-483E-948D-07A8B60BA16A}\ACQUISITIONMODULE\BC8315AD\C567ED7E\HEDRIVERUPDATEFORCED_T1.35_I2.21.EXE -
OK, so it is a false ID. Thanks, I wasn't 100% positive.
-
-
Yeah, that's the clean one from this morning; waiting for the scan to finish from just now to upload. Just wanted to give a comparison.
-
The first report is the scan the PC ran automatically at 2:17 AM on 1/15/2021;
the second is the manual scan run just now, which I will post next once the scan finishes.
-
Yeah, one second. Running it on this PC to get the file, since it flags on all machines I have it installed on (Emsisoft does not flag it).
-
The program is obviously Photoshop C3 (portable version); this has been on the machine for several years. Today a new scan flagged the following file:
c:\program files(x86)\photoshop\AdobePDFL.dll as Malware.AI.1549755752
I believe that is the zero-day unknown threat ID Malwarebytes uses.
It appears to happen on any machine that has this installed.
Previously, daily scans never flagged it.
-
Thanks!
-
Also note that these are not all on the same network (only 2 machines are on the same network); the rest are on different networks, not connected. Total: 5 machines, all using the same endpoint software.
-
No other exploit detections or blocks are shown beyond this file detection; rescans come up clean afterwards...
-
It does appear to be machines with older installers on them. The machines that have a more current installer do not detect it, so I am wondering if it's the older versions possibly causing the detections.
-
The (1) in the file name is because there are two files from updating the version a few months back, so I know it was downloaded on this machine twice.
-
It was another file name, but here it is:
D3E772470CD9EDB1EE058FCCE4AC713414E37974975551D266189A8E369787A7
{
"applicationVersion" : "3.8.5.2971",
"chromeSyncResetQueryRequested" : false,
"chromeSyncResetQueryResult" : false,
"clientID" : "Endpoint Agent:ee1b5ffb-681f-4848-9e20-9859a07ecb29",
"clientType" : "agentScan",
"componentsUpdatePackageVersion" : "1.0.651",
"cpu" : "x64",
"dbSDKUpdatePackageVersion" : "1.0.17296",
"detectionDateTime" : "2020-07-27T19:56:09Z",
"fileSystem" : "NTFS",
"id" : "3762537d-d043-11ea-a796-a41f728d9cb6",
"isUserAdmin" : true,
"licenseState" : "licensed",
"linkagePhaseComplete" : true,
"loggedOnUserName" : "\\",
"machineID" : "",
"os" : "Windows 10 (Build 18362.959)",
"schemaVersion" : 16,
"sourceDetails" : {
"aggressiveMode" : false,
"clientMetadata" : {
"jobId" : "",
"scheduleId" : "527135a5-e3cf-4951-9921-2312e6b41b04",
"scheduleTag" : "cb30cf35c3a8bec4513b378ee13c1ba6"
},
"ddsigEnabled" : true,
"filesScannedByIG" : 0,
"objectsScanned" : 337683,
"scanEndTime" : "2020-07-27T20:34:34Z",
"scanOnlineStatus" : "online",
"scanOptions" : {
"pumHandling" : "detect",
"pupHandling" : "detect",
"scanArchives" : true,
"scanFileSystem" : true,
"scanMemoryObjects" : true,
"scanPUMs" : true,
"scanPUPs" : true,
"scanRookits" : true,
"scanStartupAndRegistry" : true,
"scanType" : "threat",
"useHeuristics" : true
},
"scanResult" : "completed",
"scanStartTime" : "2020-07-27T19:56:09Z",
"scanState" : "completed",
"shurikenEnabled" : true,
"type" : "scan"
},
"threats" : [
{
"ddsSigFileVersion" : "",
"linkedTraces" : [],
"mainTrace" : {
"archiveMember" : "",
"archiveMemberMD5" : "",
"cleanAction" : "quarantine",
"cleanContext" : {
},
"cleanResult" : "successful",
"cleanResultErrorCode" : 0,
"cleanTime" : "2020-07-27T20:34:38Z",
"generatedByPostCleanupAction" : false,
"id" : "8cb57c10-d047-11ea-b145-a41f728d9cb6",
"isPEFile" : false,
"linkType" : "none",
"objectMD5" : "44EC7B3F7BFA980AC3F79CFD0B46CAA1",
"objectPath" : "C:\\USERS\\JERRY\\DOWNLOADS\\REFLECTDL (1).EXE",
"objectSha256" : "34DAB471C9C45416A19004925749324F8CDC8CA655215E619DE37D5B4B721601",
"objectType" : "file",
"resolvedPath" : "C:\\Users\\jerry\\Downloads\\REFLECTDL (1).EXE",
"suggestedAction" : {
"archiveDir" : false,
"chromeExtensionOther" : false,
"chromeExtensionPreferences" : false,
"chromeExtensionSecurePreferences" : false,
"chromeExtensionSyncData" : false,
"chromeUrlOther" : false,
"chromeUrlSecurePreferences" : false,
"chromeUrlSyncData" : false,
"chromeUrlWebData" : false,
"disableHubbleWhiteListing" : true,
"disableSignatureWhiteListing" : true,
"fileDelete" : true,
"fileReplace" : false,
"fileTxtReplace" : false,
"folderDelete" : false,
"isChromeObject" : false,
"isDDS" : false,
"isDoppleganging" : false,
"isExternalDetection" : false,
"isPUP" : false,
"isShuriken" : false,
"isWMIEventConsumer" : false,
"killProcess" : false,
"minimalWhiteListing" : false,
"moduleUnload" : false,
"noLinking" : false,
"physicalSectorReplace" : false,
"priorityHigh" : false,
"priorityNormal" : false,
"priorityUrgent" : false,
"processUnload" : false,
"regKeyDelete" : false,
"regValueDelete" : false,
"regValueReplace" : false,
"shortcutReplace" : false,
"silentMode" : false,
"singleDelete" : false,
"treatAsRootkit" : true,
"useDDA" : false,
"verifyResolvedPath" : true,
"whitelistCheckError" : false
}
},
"ruleID" : 843766,
"ruleString" : "",
"rulesVersion" : "1.0.17296",
"srcEngineComponent" : "unknown",
"srcEngineThreatNames" : [],
"threatID" : 529,
"threatName" : "Trojan.Emotet"
}
],
"threatsDetected" : 1
} -
I just looked, and that machine does not have that scan result file any longer; it has all the ones before and after, though.
-
I have looked at the file, and it is the Macrium Reflect install file, so far on each machine. I've been trying to determine whether it's a certain update version of the file or not, because this just started Sunday night and last night, depending on when each machine ... Let me see if I can get that file off one of the machines that detected it.
-
Scan Log Details
Endpoint name: Jerryofficewin8
Scan date and time: 07/27/2020 3:56:09 PM
Version: 3.8.5.2971
Component package version: 1.0.651
Protection update version: 1.0.17296
OS: Windows 10 (Build 18362.959)
CPU: x64
File system type: NTFS
Logged-in user: \

Scan Summary
Scan Type: Threat
Result: Completed
Objects scanned: 337683
Time elapsed: 0h 38m 25s
Processes: 0
Modules: 0
Registry keys: 0
Registry values: 0
Registry data: 0
Folders: 0
Files: 1

Scan Options
Memory: True
Startup: True
File system: True
Rootkits: True
Heuristics: True
Archives: True
PUM: True
PUP: True

Threats Found
Name: Trojan.Emotet
Type: File
Location: C:\USERS\JERRY\DOWNLOADS\REFLECTDL (1).EXE
Action: Quarantined
ID: 8cb57c10-d047-11ea-b145-a41f728d9cb6 -
I have had several machines using Endpoint Protection... they keep detecting Reflectdl.exe as the Emotet trojan, when in fact I know this file is the Macrium Reflect download installer. The location of the file is correct (c:\users\username\downloads\). I'm assuming this is a false detection, and I have been seeing it only on machines which have the installer and Macrium Reflect installed. Just looking for a confirmation and to make you aware of the false detection.
Possible false detect - Malware.AI.1487257790
Hi
I'm getting the following detections on the Intel Bluetooth files, which started yesterday.
Haven't been able to get to the machine to get logs; will try to.