marko

Windows Defender thinks a2hooks32.dll is a trojan


Hello

I'm running EIS v12.2.0.7060 on a W10 Home 64-bit system with no other real-time security software.

EIS last updated two days ago as I hadn't used the machine since then.

When I turned the machine on this morning, EIS did an update which updated a2core.dll, a2hooks32.dll and a2hooks64.dll along with a load of signature files.

During the update, Windows Defender reported that it had encountered suspicious behaviour and said it had quarantined a2hooks32.dll because it thinks it's a trojan (Ransom:Win32/Nemreq.A), even though Windows Defender real-time protection is turned off.

EIS seems to be working OK since the update, but I've never seen this behaviour before and thought I'd flag it up.

I've attached the EIS Update log together with the Windows Defender event log from Windows Event Viewer in case this sheds any light on why this happened.

Marko

EIS Update Log.txt

Windows Defender event log.txt


Same thing happened to me half an hour ago. I let defender delete the file.

Now defender stops emsisoft from updating, it detects suspicious activity every time it tries to update.


Well, I didn't let Windows Defender remove the file, but it's still in quarantine.

EIS still updates OK, but it downloads the dll file again, at which point Windows Defender quarantines it again.

I've since managed to grab a copy of the file (before Windows Defender quarantines it) and have uploaded it to VirusTotal - all antivirus vendors show it to be clean with the exception of Microsoft which flags it as a trojan, so it looks like it's a false positive and a problem with Microsoft's virus definitions.


I was kind of worried and wondering how a freshly installed Windows PC could catch malware this easily. Then I saw it was one of Emsisoft's own files.

Ironically, Emsisoft's anti-malware network has copied over this false positive from Windows Defender: http://www.isthisfilesafe.com/sha1/F564B91383250DAC777C310C30978F0BD2D6FED9_details.aspx

The reason defender still quarantines the file even if disabled is because it starts up temporarily after a fresh boot, until the service responsible for AV status reporting is loaded in.

11 minutes ago, reerden said:

The reason defender still quarantines the file even if disabled is because it starts up temporarily after a fresh boot, until the service responsible for AV status reporting is loaded in.

Does it follow, then, that one can un-quarantine it in Windows Defender and then, provided you don't reboot, EIS will continue to run ok?

2 minutes ago, JeremyNicoll said:

Does it follow, then, that one can un-quarantine it in Windows Defender and then, provided you don't reboot, EIS will continue to run ok?

I think so. You could try adding the EMS program files folder to exclusions in Windows Defender to prevent it from scanning that file again.
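A defender-side check for the exclusion workaround suggested above, added here as an example and not taken from the thread or from Emsisoft: it confirms whether Defender's engine is currently active, lists Defender's own detection records for the file, and only adds the folder exclusion once the on-disk copy matches a hash that was verified as clean. The install path is an assumption, and the SHA1 is the one in the isthisfilesafe link above, assumed to be the hash of the affected a2hooks32.dll.

```powershell
# Added example (not from the thread): triage a suspected Defender false positive
# before excluding a path. Run in an elevated PowerShell on Windows 10 with the
# Defender module available. Path and hash below are assumptions taken from the posts.

$ProgramDir   = 'C:\Program Files\Emsisoft Internet Security'   # assumed install path
$FileName     = 'a2hooks32.dll'
$ThreatName   = 'Ransom:Win32/Nemreq.A'                         # name reported in the thread
$ExpectedSha1 = 'F564B91383250DAC777C310C30978F0BD2D6FED9'      # SHA1 from the isthisfilesafe link (assumed)

# 1. Is the Defender engine running right now? As explained above, it can be
#    active briefly after boot even when real-time protection is switched off.
$status = Get-MpComputerStatus
'AMServiceEnabled={0}  RealTimeProtectionEnabled={1}' -f $status.AMServiceEnabled, $status.RealTimeProtectionEnabled

# 2. Confirm the event from Defender's own detection history rather than a pop-up:
#    resolve the threat name to its ID, then list detections that name this file.
$threatIds = Get-MpThreat | Where-Object ThreatName -eq $ThreatName | Select-Object -ExpandProperty ThreatID
$hits = Get-MpThreatDetection | Where-Object {
    ($_.ThreatID -in $threatIds) -and (($_.Resources -join ' ') -like "*$FileName*")
}
$hits | Select-Object InitialDetectionTime, ProcessName, ActionSuccess, Resources | Format-List

# 3. Only exclude the folder if the copy on disk is the one that was verified clean.
$path = Join-Path $ProgramDir $FileName
if (-not (Test-Path $path)) {
    Write-Warning "$path is not present (still quarantined?); nothing excluded."
    return
}
$actual = (Get-FileHash -Path $path -Algorithm SHA1).Hash
if ($actual -ne $ExpectedSha1) {
    Write-Warning "Hash mismatch ($actual); do not exclude an unverified file."
    return
}
if ((Get-MpPreference).ExclusionPath -notcontains $ProgramDir) {
    Add-MpPreference -ExclusionPath $ProgramDir
}
"Exclusion in place for $ProgramDir"
```

Once Microsoft ships corrected definitions, drop the exclusion again with Remove-MpPreference -ExclusionPath so the folder is not left permanently unscanned.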

53 minutes ago, stapp said:

Do a manual update of Windows Defender and then see if it still detects the file.

I've just tried that Stapp, and yes, after updating Windows Defender, it still detects it as a trojan.


Just to give an official response, our management team was aware of the issue on Friday morning. I haven't specifically been told if Microsoft has fixed the issue yet, however from the posts at Microsoft Answers (thank you @quietman7 for the links ;)) it sounds like Microsoft has more than likely fixed it. If you're still having trouble, try updating the database in MSE or Windows Defender manually, and if that doesn't help then please post a screenshot showing the detection, and if possible a log as well. Note that since it is the weekend, you will more than likely receive faster help by e-mailing [email protected] than you will on the forums.

12 hours ago, fizcella said:

By the way - I opened a support nearly 2h ago and still no reaction...

Did you receive Thomas Ott's reply to your e-mail? I think it was sent 4 hours after your message was received.
