Jump to content

Recommended Posts

I have had several machines using end point protection...  keep detecting Reflectdl.exe as the emotet trojan, when in fact i know this file is the macrium reflect download installer. The location of the file is correct ( c:\users\username\downloads\) I'm assuming this is a false detection and I have been seeing it only one machines which have the installer and macrium reflect installed on. Just looking for a confirmation and to make you aware of the false detection.

 

 

Link to post
Share on other sites

Scan Log Details  
Endpoint name: Jerryofficewin8
Scan date and time: 07/27/2020 3:56:09 PM
Version: 3.8.5.2971
Component package version: 1.0.651
Protection update version: 1.0.17296
OS: Windows 10 (Build 18362.959)
CPU: x64
File system type: NTFS
Logged-in user: \
Scan Summary  
Scan Type: Threat
Result: Completed
Objects scanned: 337683
Time elapsed: 0h 38m 25s
Processes: 0
Modules: 0
Registry keys: 0
Registry values: 0
Registry data: 0
Folders: 0
Files: 1
Scan Options  
Memory: True
Startup: True
File system: True
Rootkits: True
Heuristics: True
Archives: True
PUM: True
PUP: True

Threats Found

Name Type Location Action ID
Trojan.Emotet File C:\USERS\JERRY\DOWNLOADS\REFLECTDL (1).EXE Quarantined 8cb57c10-d047-11ea-b145-a41f728d9cb6
 
 
 

 

Link to post
Share on other sites

I have looked at the file and it is the Macrium reflect install file so far on each machine. Been trying to determine if its a certain update version of the file or not cause this just started sunday night and last night.. depending when each machine ... Let me see if i can get that file off one of the machines that detected it.

Link to post
Share on other sites

It was another file name but here it is

 

D3E772470CD9EDB1EE058FCCE4AC713414E37974975551D266189A8E369787A7
{
   "applicationVersion" : "3.8.5.2971",
   "chromeSyncResetQueryRequested" : false,
   "chromeSyncResetQueryResult" : false,
   "clientID" : "Endpoint Agent:ee1b5ffb-681f-4848-9e20-9859a07ecb29",
   "clientType" : "agentScan",
   "componentsUpdatePackageVersion" : "1.0.651",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.17296",
   "detectionDateTime" : "2020-07-27T19:56:09Z",
   "fileSystem" : "NTFS",
   "id" : "3762537d-d043-11ea-a796-a41f728d9cb6",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : true,
   "loggedOnUserName" : "\\",
   "machineID" : "",
   "os" : "Windows 10 (Build 18362.959)",
   "schemaVersion" : 16,
   "sourceDetails" : {
      "aggressiveMode" : false,
      "clientMetadata" : {
         "jobId" : "",
         "scheduleId" : "527135a5-e3cf-4951-9921-2312e6b41b04",
         "scheduleTag" : "cb30cf35c3a8bec4513b378ee13c1ba6"
      },
      "ddsigEnabled" : true,
      "filesScannedByIG" : 0,
      "objectsScanned" : 337683,
      "scanEndTime" : "2020-07-27T20:34:34Z",
      "scanOnlineStatus" : "online",
      "scanOptions" : {
         "pumHandling" : "detect",
         "pupHandling" : "detect",
         "scanArchives" : true,
         "scanFileSystem" : true,
         "scanMemoryObjects" : true,
         "scanPUMs" : true,
         "scanPUPs" : true,
         "scanRookits" : true,
         "scanStartupAndRegistry" : true,
         "scanType" : "threat",
         "useHeuristics" : true
      },
      "scanResult" : "completed",
      "scanStartTime" : "2020-07-27T19:56:09Z",
      "scanState" : "completed",
      "shurikenEnabled" : true,
      "type" : "scan"
   },
   "threats" : [
      {
         "ddsSigFileVersion" : "",
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "archiveMember" : "",
            "archiveMemberMD5" : "",
            "cleanAction" : "quarantine",
            "cleanContext" : {
            },
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2020-07-27T20:34:38Z",
            "generatedByPostCleanupAction" : false,
            "id" : "8cb57c10-d047-11ea-b145-a41f728d9cb6",
            "isPEFile" : false,
            "linkType" : "none",
            "objectMD5" : "44EC7B3F7BFA980AC3F79CFD0B46CAA1",
            "objectPath" : "C:\\USERS\\JERRY\\DOWNLOADS\\REFLECTDL (1).EXE",
            "objectSha256" : "34DAB471C9C45416A19004925749324F8CDC8CA655215E619DE37D5B4B721601",
            "objectType" : "file",
            "resolvedPath" : "C:\\Users\\jerry\\Downloads\\REFLECTDL (1).EXE",
            "suggestedAction" : {
               "archiveDir" : false,
               "chromeExtensionOther" : false,
               "chromeExtensionPreferences" : false,
               "chromeExtensionSecurePreferences" : false,
               "chromeExtensionSyncData" : false,
               "chromeUrlOther" : false,
               "chromeUrlSecurePreferences" : false,
               "chromeUrlSyncData" : false,
               "chromeUrlWebData" : false,
               "disableHubbleWhiteListing" : true,
               "disableSignatureWhiteListing" : true,
               "fileDelete" : true,
               "fileReplace" : false,
               "fileTxtReplace" : false,
               "folderDelete" : false,
               "isChromeObject" : false,
               "isDDS" : false,
               "isDoppleganging" : false,
               "isExternalDetection" : false,
               "isPUP" : false,
               "isShuriken" : false,
               "isWMIEventConsumer" : false,
               "killProcess" : false,
               "minimalWhiteListing" : false,
               "moduleUnload" : false,
               "noLinking" : false,
               "physicalSectorReplace" : false,
               "priorityHigh" : false,
               "priorityNormal" : false,
               "priorityUrgent" : false,
               "processUnload" : false,
               "regKeyDelete" : false,
               "regValueDelete" : false,
               "regValueReplace" : false,
               "shortcutReplace" : false,
               "silentMode" : false,
               "singleDelete" : false,
               "treatAsRootkit" : true,
               "useDDA" : false,
               "verifyResolvedPath" : true,
               "whitelistCheckError" : false
            }
         },
         "ruleID" : 843766,
         "ruleString" : "",
         "rulesVersion" : "1.0.17296",
         "srcEngineComponent" : "unknown",
         "srcEngineThreatNames" : [

         ],
         "threatID" : 529,
         "threatName" : "Trojan.Emotet"
      }
   ],
   "threatsDetected" : 1
}

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.