False Positive - ESET NOD32's ekrn.exe


1PW

Hello Pedro:
 
With MBARW 0.9.4.299 installed on a W8.1x64Home system, I have received reproducible false positive pop-ups for an ESET NOD32 Service executable:

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

The MBARW pop-up states that ekrn.exe has been placed in its quarantine but I fail to see GUI evidence of any files in the MBARW quarantine.
 
In the meantime I have entered the above pathname into MBARW's Exclusions.

 

Attached is a copy of C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware zipped and the VirusTotal report of that system's ekrn.exe
 
Malwarebytes Anti-Ransomware.zip

https://www.virustotal.com/en/file/829d8093d77f0bc863a801102c693fd8aaa22a7121771fe481c9a32e64b50e04/analysis/

Thank you.


Hello,

 

Just to add...

I get the same false positive except with ESET Smart Security 9.0.349.14 (64-bit) on a Windows 10 Pro 64-bit Version 1511 (OS Build 10586.63).

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

MBARW tried to quarantine the file but the ESS self-protection module blocked it as the file did not show up in the MBARW quarantine. The MBARW service started using about 25 % CPU. The only way to stop this was to add the ESS file to the MBARW exclusion list and reboot. After this, the MBARW CPU usage went back down.

 

On a side note: On a reboot, MBARW appears both in the system tray and minimized to the task bar. I have to open MBARW from the task bar and then close the window to have it appear only in the system tray. I would think that the desired action here would be for MBARW to start minimized to the system tray only, not also to the task bar.

 

For the time being, I have removed the MBARW beta as with this first release there seem to be too many false positive/quarantine issues. I will install the next build when it is released to test further. If you need any further information to help you troubleshoot this issue, please let me know and I will install this version again if needed. MBARW looks very promising but it is a bit early in the beta stage to run it full time on a production machine.


Hello,
I see you have the NOD32 version of ekrn.exe. If you need it, attached you will find the ESS version of ekrn.exe.


I will get the program data files for MBARW later today when I reinstall MBARW. Please let me know if you still need them.


(I realize that fixing the false positive for NOD32 may have also fixed it for ESS but wanted to be sure you do not still need more information from me)


ekrn.7z


Staff

Malwarebytes Anti-Ransomware Beta 2 has been released, download or update now!

(If you have MBARW installed it should prompt to update)

Information:

Malwarebytes Anti-Ransomware (BETA) 0.9.5

Improvements:

• Improved rules to prevent false positives on legitimate software

Issues Fixed:

• Fixed issue that interfered with proper detection of latest CryptoWall 4 variant


Hello Nathan:

 

Back up okay with MBARW 0.9.5.304 after a conventional uninstall of v0.9.4.299. Previously required exclusion is not required for ESET's ekrn.exe now.

 

Please show this thread as [SOLVED] if you wish.

 

Thank you.


Hi everyone,

 

This is my first post.

I would like to point out that like the others in this thread, I am running ESET NOD32 (I was).

After updating MB to latest beta, I noticed that my ESET icon was no longer in the taskbar.

I tried launching the application manually but nothing happens.

 

I then proceeded to try and repair the installation.

This is where I got insufficient privileges messages for various components and files belonging to ESET.

I found this strange but then remembered that MB had tagged ekrn as a risk.

 

It seems that ESET and all components have been blocked.

 

I am now without antivirus, am unable to repair the installation let alone uninstall it and ESET informed me that I need to get in touch with you guys to unlock the files. Fantastic!

 

MB doesn't have anything in the quarantine list, which seems odd considering it has already deemed ekrn as a security risk.

 

I tried uninstalling MB but that didn't help. All the ESET files are now locked and can't be used.

 

I need assistance as soon as possible. I will not reformat this machine to get it to work.


Hello Grendizer and :welcome:

 

Until a staffer weighs in on this issue, please take no further actions so as to allow the possible capture of volatile & pertinent data.

 

Does the system in question contain viable System Restore Points (SRP)?

 

Has the system been recently imaged? Similar?

 

Thank you.


Here's what I did.

 

- attempted to do a repair of ESET and get the following error:

 

files_locked.png

 

- cancelled the repair then uninstalled MBARW and rebooted

- attempted to repair the ESET installation. Same error message as above

- attempted to uninstall ESET installation. Same error message as above

 

- Attempted to do a system restore and got the following error:

 

failes_system_restore.png

 

- left the domain and logged in as local administrator, thinking it was a permissions issue.

- Rebooted system then performed a system restore as local administrator. This time it worked.

- attempted to repair/uninstall ESET, still no dice.

 

MBARW initially deemed ESET to be risky and did *something* to it. What did it do exactly and why has it not been reverted when MBARW was uninstalled?

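The question the last post leaves open (what MBARW did to ekrn.exe and whether it has been reverted) can be narrowed down with a read-only check of the file and service state. The script below is an added example written for this thread; it is not code from Malwarebytes, ESET, or any poster. It assumes the ESET kernel service is registered under the name ekrn, that the binary lives at one of the two paths quoted earlier in the thread, and it uses the SHA-256 from the VirusTotal link in the first post as the reference hash. Run it from an elevated PowerShell prompt.

```powershell
# Added diagnostic for the situation described in this thread (not from the
# original posts, Malwarebytes or ESET). Read-only: it changes nothing.
# Assumptions: service name 'ekrn'; binary at one of the two paths quoted
# in the thread; reference hash taken from the VirusTotal URL posted above.

$ReferenceSha256 = '829d8093d77f0bc863a801102c693fd8aaa22a7121771fe481c9a32e64b50e04'
$Candidates = @(
    'C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe',
    'C:\Program Files\ESET\ESET Smart Security\ekrn.exe'
)

foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    Write-Host "== $Path"

    # 1. Is the on-disk binary still the file the VirusTotal report describes?
    #    A mismatch means the file was replaced or altered, not merely blocked.
    $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host ("SHA-256 matches VT report: {0}" -f ($Hash -ieq $ReferenceSha256))

    # 2. Is the publisher signature intact? Any rewrite of the file breaks it.
    $Sig = Get-AuthenticodeSignature -LiteralPath $Path
    Write-Host ("Authenticode: {0} signer={1}" -f $Sig.Status, $Sig.SignerCertificate.Subject)

    # 3. Who may touch it? A Deny entry, or a missing SYSTEM/Administrators
    #    entry, is the usual cause of 'insufficient privileges' during a
    #    repair or uninstall and would survive removing the product that set it.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights |
        Format-Table -AutoSize
}

# 4. Is the ESET service registered, running, and pointing at the expected path?
$Svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ekrn'"
if ($Svc) {
    Write-Host ("Service ekrn: State={0} StartMode={1} Path={2}" -f `
        $Svc.State, $Svc.StartMode, $Svc.PathName)
} else {
    Write-Host "Service 'ekrn' is not registered (assumed service name)"
}

# 5. Is the process actually alive right now?
$Proc = Get-Process -Name ekrn -ErrorAction SilentlyContinue
if ($Proc) {
    $Proc | Select-Object Name, Id, Path | Format-Table -AutoSize
} else {
    Write-Host "No ekrn.exe process running"
}
```

Read the output in order: a matching hash and a Valid signature mean the binary itself is untouched, so a failing repair or uninstall is an access-control or service-registration problem rather than a damaged file; a Deny ACE or a missing inherited entry in step 3 is then the thing to capture (icacls output is equivalent) before changing anything, since a staffer will want to see it as found.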
