False Positive - ESET NOD32's ekrn.exe

[1PW]

Hello Pedro:
 
With MBARW 0.9.4.299 installed on a W8.1x64Home system, I have received reproducible false positive pop-ups for an ESET NODE32 Service executable:

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

The MBARW pop-up states that ekrn.exe has been placed in its quarantine but I fail to see GUI evidence of any files in the MBARW quarantine.
 
In the meantime I have entered the above pathname into MBARW's Exclusions.

 

Attached is a copy of C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware zipped and the VirusTotal report of that system's ekrn.exe
 
Malwarebytes Anti-Ransomware.zip

https://www.virustotal.com/en/file/829d8093d77f0bc863a801102c693fd8aaa22a7121771fe481c9a32e64b50e04/analysis/

Thank you.

[Decrypterfixer]

Thanks for the information! I will be looking into this ASAP!

[1PW]

Thank you Nathan and welcome to our little corner of the world sir.

[puff_m_d]

Hello,

 

Just to add...

I get the same false positive except with ESET Smart Security 9.0.349.14 (64-bit) on a Windows 10 Pro 64-bit Version 1511 (OS Build 10586.63).

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

MBARW tried to quarantine the file but the ESS self-protection module blocked it as the file did not show up in the MBARW quarantine. The MBARW service started using about 25 % CPU. The only way to stop this was to add the ESS file to the MBARW exclusion list and reboot. After this, the MBARW CPU usage went back down.

 

On a side note: On a reboot, MBARW appears both in the system tray and minimized to the task bar. I have to open MBARW from the task bar and then close the window to have it appear only in the system tray. I would think that the desired action here would be for MBARW to start minimized to the system tray only, not also to the task bar.

 

For the time being, I have removed the MBARW beta as with this first release there seems to be to many false positive/quarantine issues. I will install the next build when it is released to test further. If you need any further information to help you troubleshoot this issue, please let me know and I will install this version again if needed. MBARW looks very promising but it is a bit early in the beta stage to run it full time on a production machine.

[Decrypterfixer]

1PW can u please also upload the EXE that we detected on? and thanks for the warm welcome

[Decrypterfixer]

Puff,

 

Can you please follow these steps and post the results here? Thanks!

 

https://forums.malwarebytes.org/index.php?/topic/177810-how-to-report-a-false-positive/

[pbust]

Nathan, I downloaded it from VirusTotal and already processed.

[1PW]

1PW can u please also upload the EXE that we detected on? and thanks for the warm welcome

 

Hello Nathan:

 

Attached please find ekrn.zip

 

ekrn.zip

 

HTH

[Decrypterfixer]

Thanks, this FP should now be fixed.

[puff_m_d]

Hello,

 

I see you have the NOD32 version of ekrn.exe. If you need it, attached you will find the ESS version of ekrn.exe.

I will get the program data files for MBARW later today when I reinstall MBARW. Please let me know if you still need them.

(I realize that fixing the false positive for NOD32 may have also fixed it for ESS but wanted to be sure you do not still need more information from me)

ekrn.7z

[Decrypterfixer]

From what i can see this is now fixed. It would be great if you could verify this.

 

Thanks!

[Decrypterfixer]

Malwarebytes Anti-Ransomware Beta 2 has been released, download or update now!

(If you have MBARW installed it should prompt to update)

Information:

Malwarebytes Anti-Ransomware (BETA) 0.9.5

Improvements:

• Improved rules to prevent false positives on legitimate software

Issues Fixed:

• Fixed issue that interfered with proper detection of latest CryptoWall 4 variant

[puff_m_d]

Hello Nathan,

 

I can verify that the issue is fixed... Thanks!

[1PW]

Hello Nathan:

 

Back up okay with MBARW 0.9.5.304 after a conventional uninstall of v0.9.4.299. Previously required exclusion is not required for ESET's ekrn.exe now.

 

Please show this thread as [sOLVED] if you wish.

 

Thank you.

[Grendizer]

Hi everyone,

 

This is my first post.

I would like to point out that like the others in this thread, I am running ESET NOD32 (I was).

After updating MB to latest beta, I noticed that my ESET icon was no longer in the taskbar.

I tried launching the application manually but nothing happens.

 

I then proceeded to try and repair the installation.

This is where I got insufficient provileges messages for various components and files belonging to ESET.

I found this strange but then remembered that MB had tagged ekrn as a risk.

 

It seems that ESET and all components have been blocked.

 

I am now without antivirus, am unable to repair the installation let alone uninstall it and ESET informed me that I need to get in touch with you guys to unlock the files. Fantastic!

 

MB doesn't have anything in the quarantine list, which seems odd considering it has already deemed ekern as a security risk.

 

I tried uninstalling MB but that didn't help. All the ESET files are now locked and can't be used.

 

I need assistance as soon as possible. I will not reformat this machine to get it to work.

[1PW]

Hello Grendizer and

 

Until a staffer weighs in on this issue, please take no further actions so as to allow the possible capture of volatile & pertinent data.

 

Does the system in question contain viable System Restore Points (SRP)?

 

Has the system been recently imaged? Similar?

 

Thank you.

[Decrypterfixer]

Hello,

Beta 4 has been released for download only. Please download and update MBARW and see if your problem persists after the updates. Thanks!

https://forums.malwarebytes.org/index.php?/topic/177751-introducing-malwarebytes-anti-ransomware/

[Grendizer]

Here's what I did.

 

- attempted to do a repair of ESET and get the following error:

 

 

 

- cancelled the repair then uninstalled MBARW and rebooted

- attempted to repair the ESET installation. Same error message as above

- attempted to uninstall ESET installation. Same error message as above

 

- Attempted to do a system restore and got the following error:

 

 

- left the domain and logged in as local administrator, thinking it was a permissions issue.

- Rebooted system then performed a system restore as local administrator. This time it worked.

- attempted to repair/uninstall ESET, still no dice.

 

MBARW initially deemed ESET to be risky and did *something* to it. What did it do exactly and why has it not been reverted when MBARW was uninstalled?

[Grendizer]

I am available for a remote session if an engineer would like to do some diagnostics...