Easeus Todo Backup Home - False Positive


garioch7

  • Staff

Hello,

Can you provide a zipped copy of the file please? (after restore)
C:\Program Files (x86)\EaseUS\Todo Backup\bin\TBConsoleUI.exe

If you want to wait until confirmed safe, you can grab the .quar file with today's date from here:
C:\ProgramData\Malwarebytes\MBAMService\Quarantine

Zip and attach please.

Thanks!


blender:

Unable to attach the original file because, after the restore from the MBAM Quarantine, when I tried to launch the Easeus Todo Backup Home (ETBH) program, it would issue a UAC prompt, then try to start loading and just quit with no error message. Rebooting, quitting MBAM, etc., made no difference. I had to uninstall ETBH via Windows and reinstall it. I am attaching the zipped version of the requested file from my new desktop computer ETBH installation. I am sure that they are the same as the old one. I have been using ETBH for years now with no issues. No ETBH updates in the last month or so.

My desktop computer is a Dell XPS 8930 SE, running Windows 11 Pro, fully updated.  Bitdefender Total Security (BDTS) is my anti-virus solution.  Both MBAM and BDTS have the recommended exemptions so that they have played nicely in the same sandbox for many years.

I will be quitting MBAM on my laptop later today to avoid having to reinstall ETBH again on that computer (Dell XPS 15 7590).

Thank you, and have a great day.

Regards,
Phil

TBConsoleUI.zip


  • Staff

Thanks for the file. 

This one is not triggering any detections on my machine. It also has a different MD5/SHA256 than the one reported in your log.
Try to just copy out the exe somewhere so as not to have these warnings while trying to start the program.

In the meantime, I'll create a rule to help prevent detections on this in the future.


blender,

I am attaching the file from my laptop.  It runs the same version of ETBH as was on the desktop.  I have not yet tried running ETBH on my laptop.

I am not sure what you mean by "just copy out the exe somewhere . . . "  I will just quit MBAM before launching ETBH until this false positive is corrected.

Thank you, and have a great day.

Regards,
Phil

TBConsoleUI.zip


Thanks for your reply.  It is curious that the files were the same . . . ?  I only run ETBH every second Friday.  In the alternate weeks, I run Macrium Reflect Home, so I have no idea when the FP started occurring.  The 3rd of February was the last time I ran ETBH on both of my computers.

Have a great day.

Regards,
Phil


  • Staff

Looking at the log it seems to be an RTP (real-time protection) event, so it would have to be "running". It wasn't a result of a scan.
If it was tagged previously, you should see it in quarantine unless you dump that out regularly. I think also that is pretty common software, so I would kind of expect to have more reports. Whatever version that particular file was, it was not a very common one because I can't find that MD5 anywhere. Curious for sure.
On the machine that had the detection...
You might be able to find a copy that was there before MBAM tagged it by looking at your shadow copies if you have that enabled. (If you don't, no worries.)
I can't be 100% sure it will work for Windows 11.
On 10 or earlier it does.
Right click "Program Files (x86)" > Properties > Previous Versions > pick the closest date to today before MBAM quarantined the file > "Open".
Drill down to: EaseUS\Todo Backup\bin
You might be able to copy out the TBConsoleUI.exe to your desktop or something to upload it.
Exit out of the Previous Versions window.
Like I said, it is a common program, so I am curious to see what is so different about that file.

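The shadow-copy walk described above can be scripted instead of clicking through Previous Versions. This is an added example, not code from the thread or from Malwarebytes: it hashes TBConsoleUI.exe inside every VSS snapshot of C: and compares each copy with the live file, so you can see when the binary changed. It assumes an elevated PowerShell session, that snapshots exist on C:, and uses a temporary symlink directory name (`C:\vss_view`) chosen here.

```powershell
# Added example (not from the thread). Run as Administrator.
# Assumption: the file path from the thread; VSS snapshots exist for C:.
$relPath = 'Program Files (x86)\EaseUS\Todo Backup\bin\TBConsoleUI.exe'
$link    = 'C:\vss_view'   # temporary directory symlink into each snapshot (our choice)

$live = (Get-FileHash -LiteralPath "C:\$relPath" -Algorithm SHA256).Hash
"Live file SHA256: $live"

# Win32_ShadowCopy lists every VSS snapshot; DeviceObject is the raw
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path of that snapshot.
$shadows = Get-CimInstance Win32_ShadowCopy | Sort-Object InstallDate

foreach ($s in $shadows) {
    # A directory symlink is the usual way to browse a snapshot from user mode.
    # mklink needs the trailing backslash on the target.
    if (Test-Path -LiteralPath $link) { cmd /c rmdir "$link" | Out-Null }
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null

    $candidate = Join-Path $link $relPath
    if (-not (Test-Path -LiteralPath $candidate)) {
        # Snapshot is of another volume, or the file did not exist yet.
        cmd /c rmdir "$link" | Out-Null
        continue
    }

    $h = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
    [pscustomobject]@{
        Snapshot   = $s.InstallDate
        ShadowId   = $s.ID
        Bytes      = (Get-Item -LiteralPath $candidate).Length
        SHA256     = $h
        SameAsLive = ($h -eq $live)
    }

    cmd /c rmdir "$link" | Out-Null   # removes only the link, not snapshot data
}
```

The first snapshot whose SHA256 differs from the live file brackets the time the binary was replaced or damaged, and that snapshot's copy is the one worth submitting to the vendor.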

@blender

Thank you for the suggestions.  I have Shadow Explorer installed on my computers.  I went to a Restore Point taken 2023-02-14 and exported the version of the file on that date on my desktop.

I notice immediately that this file is much smaller zipped than the other files I sent you, though the actual unzipped size is in the ballpark.

I uploaded the .exe file to my SendSpace account.  Here is the link: https://www.sendspace.com/file/zq9ole

I will be interested in your findings, and yes, there should have been more complaints.  All very strange.

Thank you, and have a great day.

Regards,
Phil

TBConsoleUI.zip


@blender

The file is gone from SendSpace when I logged in.  I have uploaded the version of the file from a Restore Point today, created just ten minutes before I tried to launch ETBH.  The link is: https://www.sendspace.com/file/azus5m.

I always create a Restore Point just before launching my backup program on any given Friday.  ETBH had not been used since 2023-02-03, so there should have been no updates or other modifications to its files.

This just keeps getting stranger, but I am out of ideas now.

Thank you, and have a great day.

Regards,
Phil


  • Staff

Yeah .. I'm not sure what happened here. The file you just uploaded (from 10 min before ETBH launch) is the same as the previous one you uploaded to SendSpace.
I can see why MBAM heuristics would have tagged it though .. parts of it are corrupt (icon is borked, can't view much for version info, etc.) and it does not look like a normal executable at all. There is a bunch of what looks like kernel junk all through it. (I don't know how else to describe it.)
MBAM would indeed see an anomaly when you tried to launch it. Even if MBAM didn't tag it, it would likely shut down with an error anyway.

Might want to look at, say, restore points from last week or the last time you did a backup to see if that one is normal.
Then check your system event logs and application event logs and see if there is something listed there that crashed. (Just trying to narrow the timeline a bit.)

Everything else seems to function alright?

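The two checks suggested above (look for a crash in the event logs, and confirm whether the executable is intact) can be done from one script. This is an added example, not code from the thread or from Malwarebytes; it assumes the install path from the thread, a 30-day lookback chosen here, and that the vendor ships the binary Authenticode-signed (if it does not, the Status field simply reports NotSigned for a good copy too).

```powershell
# Added example (not from the thread).
# Assumptions: install path from the thread; 30-day window is our choice.
$exeName = 'TBConsoleUI.exe'
$exePath = "C:\Program Files (x86)\EaseUS\Todo Backup\bin\$exeName"
$since   = (Get-Date).AddDays(-30)

# Application log: 1000 = Application Error (crash), 1001 = Windows Error
# Reporting, 1002 = Application Hang. Filter to events naming this exe.
$crashes = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 1000, 1001, 1002; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($exeName) } |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

"Crash/WER events for $exeName since $($since.ToShortDateString()):"
$crashes | Format-Table -AutoSize

# Integrity view of the live file: a damaged or repacked image usually has an
# invalid or missing signature and empty version info, which is what the
# staff reply describes for the quarantined copy.
$item = Get-Item -LiteralPath $exePath
$sig  = Get-AuthenticodeSignature -LiteralPath $exePath
$hdr  = [System.IO.File]::ReadAllBytes($exePath)[0..1]   # 'MZ' expected

[pscustomobject]@{
    File        = $exePath
    SizeBytes   = $item.Length
    LastWrite   = $item.LastWriteTime
    MZHeader    = ([System.Text.Encoding]::ASCII.GetString($hdr) -eq 'MZ')
    FileVersion = $item.VersionInfo.FileVersion
    Company     = $item.VersionInfo.CompanyName
    SigStatus   = $sig.Status            # Valid / NotSigned / HashMismatch ...
    Signer      = $sig.SignerCertificate.Subject
    SHA256      = (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash
}
```

Compare the SHA256 and SigStatus against a copy restored from a known-good backup, as was done later in this thread; matching hashes with a Valid signature close the question of whether the on-disk file is still the vendor's build.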

@blender

Easeus is launching on the desktop now with MBAM enabled.  MBAM scans of both the laptop and desktop are negative, as are full system scans by BD.

I am not much good at Event Logs.  I would not know where to look without doing some research.

I have gone back to my last Easeus backup of 2023-02-03, restored that file, and uploaded the file to SendSpace.  The link is: https://www.sendspace.com/file/rboflt

I just ran an SFC scan, and it came back clean.

All is working here, and I am about to turn off my computer.  It is Friday evening here, and I have plans for the evening.

Thank you for your rapid and professional assistance.  I would like to finally find out what caused the problem, but that can wait.

Have a great weekend, and thank you again.

Regards,
Phil


  • Staff

Indeed that file looks normal. Good to hear things are OK. Takes me forever to rummage through event logs too. 

Something else with the corrupt one .. it seems to have been packed with "Private EXE Protector". I'll have a look over the weekend. I have to rebuild my VM to play with unpackers lol.
I will let you know what I find.
Have a great weekend as well.
