
False positive?


Umiamz

For the past 3 hours EAM has been detecting Trojan.MSIL.XAA in a .DLL in a Temp directory. It looks like something runs at the same time each hour and creates a temporary DLL. Here's the File Guard log:

 

Emsisoft Anti-Malware - Version 11.0
FG log
 
Date PID Application Event Detection
05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)
 
 
I've no idea what is creating the DLL - I can't see anything in any of the more common Windows event logs, and whatever it is cleans up after itself and leaves no files in Temp that are dated around the same time.
 
Also, Quarantine is actually empty, as is the Quarantine log.
 
Any ideas?

I spoke too soon - it's doing it again but detecting a different trojan this time:

 

Emsisoft Anti-Malware - Version 11.0
FG log
 
Date PID Application Event Detection
06/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\0_emqk0k.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\pnnmocab.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 05:49:03 0 C:\Users\mikez\AppData\Local\Temp\bz-t3r32.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 04:49:03 0 C:\Users\mikez\AppData\Local\Temp\d2gs8m_1.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 03:49:03 0 C:\Users\mikez\AppData\Local\Temp\qlcyvklq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 02:49:02 0 C:\Users\mikez\AppData\Local\Temp\wxlhesaq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
05/12/2015 11:49:03 0 C:\Users\mikez\AppData\Local\Temp\i7vznkoj.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 10:49:04 0 C:\Users\mikez\AppData\Local\Temp\ywuwzr7w.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 09:49:04 0 C:\Users\mikez\AppData\Local\Temp\vt-yy5xq.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)

What kind of scan does this appear with: quick, malware or custom?

 

Or does it appear in all types of scans?

 

None of those - it's File Guard that's detecting it. The DLL only seems to be there for a very short time and isn't appearing in quarantine or in the quarantine log despite EAM saying it has quarantined it. File Guard is on the Balanced setting.

 

Appears to be fixed again now, anyway...

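The hourly pattern described in the first post can be checked directly from the File Guard log. The following is an added example, not code from the thread or from Emsisoft: it parses lines in the quoted log format (assuming DD/MM/YYYY dates) and tests whether the detections are clock-aligned, which is what a scheduled or timer-driven writer of the temporary DLL would produce. The function names `parse` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Five lines copied from the File Guard log quoted in the thread; the last
# line is repeated on purpose, as the second paste repeats the first.
SAMPLE_LOG = r"""
06/12/2015 03:49:03 0 C:\Users\mikez\AppData\Local\Temp\qlcyvklq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 02:49:02 0 C:\Users\mikez\AppData\Local\Temp\wxlhesaq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
05/12/2015 11:49:03 0 C:\Users\mikez\AppData\Local\Temp\i7vznkoj.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 10:49:04 0 C:\Users\mikez\AppData\Local\Temp\ywuwzr7w.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 09:49:04 0 C:\Users\mikez\AppData\Local\Temp\vt-yy5xq.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 09:49:04 0 C:\Users\mikez\AppData\Local\Temp\vt-yy5xq.dll Quarantined by rule Trojan.MSIL.XAA (B)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<pid>\d+)\s+"
    r"(?P<path>.+?)\s+Quarantined by rule\s+(?P<rule>\S+)\s+\(\w\)$")

def parse(log):
    """Return sorted, de-duplicated (timestamp, path, rule) tuples."""
    events = set()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header and blank lines simply do not match
            # Assumption: dates are DD/MM/YYYY (consecutive days in the thread).
            ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S")
            events.add((ts, m["path"], m["rule"]))
    return sorted(events)

def summarize(events, tolerance_s=10):
    """Test for a fixed clock cadence and group detections by rule name."""
    if not events:
        return {}
    offsets = [ts.minute * 60 + ts.second for ts, _, _ in events]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    by_rule = defaultdict(list)
    for ts, _, rule in events:
        by_rule[rule].append(ts)
    return {
        "events": len(events),
        # Same minute/second of the hour every time (no wrap handling at :00).
        "clock_aligned": max(offsets) - min(offsets) <= tolerance_s,
        # Gaps are whole hours, so a run with skipped hours still fits.
        "gaps_whole_hours": all(
            min(g % 3600, 3600 - g % 3600) <= tolerance_s for g in gaps),
        "rules": {r: (min(t), max(t)) for r, t in by_rule.items()},
        "dirs": {p.rsplit("\\", 1)[0] for _, p, _ in events},
    }
```

A result with `clock_aligned` and `gaps_whole_hours` both true narrows the search to scheduled tasks, services and applications with an hourly timer that were active at that minute.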

This topic is now closed to further replies.