RSLCS

Win defender quarantines Emsisoft Anti-Malware\a2hooks64.dll


I turned on my PC this morning and have both Emsisoft and a periodic scan using Windows Defender enabled (been set that way for some time now). Anyway, Defender uprooted its ugly head this morning over a file in Emsisoft:

I know this file is part of Emsisoft Anti-Malware, but could it have really become infected with some ransom crap, or is this a false finding with Windows Defender? Results of the scan below:

...

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items:
file:C:\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll

Curious, for those running Win 10 64-bit and Emsisoft: if you run a Windows Defender scan, are you getting this as well?

 

Perhaps Microsoft is at its game again: eliminate all competition, even if disassembling a great A/V risks customers' potential bull-shit invasions that Defender has no idea how to handle, and curls up in a fetal position while your PC is ravaged, raped of data and destroyed, sold on the black market to who knows who, and your credit and life become a dark blanketed cesspool of pain and burden. No thanks, Defender, I am not quarantining or disabling this until I get the word from Emsisoft to do so!

 

PC O/S: Windows 10 Version 1607 for x64-based Systems

Emsisoft Antimalware: Version 2017.1.0.7125

Windows Defender info:

Antimalware Client Version: 4.10.14393.0

Engine Version: 1.1.13407.0

Antivirus definition: 1.235.1637.0

Antispyware definition: 1.235.1637.0

Network Inspection System Engine Version: 2.1.12706.0

Network Inspection System Definition Version: 116.72.0.0


Hello,

Can you please check if this is still detected, I just submitted it as FP to Microsoft, they listed it as "not detected".


I also encountered this shortly after you posted your message... My Microsoft Security Essentials/Windows Defender indicated that Ransom:Win32/Nemreq.A was detected in a2hooks64.dll. As I am typing my current message, another notification from Microsoft Security Essentials came up and displayed the same message (as described by RSLCS) with a different directory:

C:\ProgramData\Emsisoft\Updates\a2hooks64.dll

And, Microsoft Security Essentials just kept popping up the same message after some minutes again and again... Someone please kindly advise!

BTW, I am running Windows 7 64-bit and have both Emsisoft Internet Security and Microsoft Security Essentials active.


Just to clarify, this is a false positive from Windows Defender. The problem is that if this file keeps getting deleted, your computer will be at risk because without this file Emsisoft products cannot properly protect your computer. If possible I would either disable Windows Defender or create an exclusion in Windows defender for this file to avoid possible problems.


As a follow up, only the a2hooks64.dll file in the stable version of EAM/EIS is detected (the same file in beta is not detected). According to MS malware protection:

Quote

SHA1 92CBB4204FB774FCC61342DF2FCF7123B53D8BF5
Detection Status Ransom:Win32/Nemreq.A
Alert Level severe
File a2hooks64.dll

Let's hope they will fix this ASAP.


I have a customer on beta; it was also detected on his machine as well, so the above is incorrect.

 

Also, my point about the Windows Defender finding was: yes, many users and customers only have Emsisoft running; however, many a Windows update will indeed turn on Windows Defender. I have also noted at times, while on some computers I have been servicing remotely or on site, cases where the customer has a really slow internet connection and there is a big lag between updating and applying the new services; Windows thinks there is no antivirus installed, so it turns on Windows Defender as well.

 

And for these folks who have Defender on (like it or not, or even not aware it is running), the needed a2hooks64.dll gets either quarantined or, even worse, removed; then Emsisoft isn't running at all.

Rick

RSL Computer Solutions, LLC

 


Any chance you can check if the hash of the file (in beta version) is the same as the one I posted above? Unfortunately besides reporting this to Microsoft and hoping they'll fix it ASAP, there is very little we can do about it. Even if the file is deleted, any update should redownload the file, so as long as you disable Windows Defender or create an exclusion for the file you should be okay.

FTR, Microsoft FPs can be reported here: https://www.microsoft.com/en-us/security/portal/submission/submit.aspx
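One way to carry out the hash comparison and the file-scoped Defender exclusion recommended in this thread, as an added PowerShell example (not the thread's or Emsisoft's own code). It assumes the Windows Defender PowerShell module (Get-MpPreference, Add-MpPreference, Get-MpThreatDetection), PowerShell 4 or later for Get-FileHash, and an elevated prompt; the SHA1 and both file paths are the ones posted earlier in this thread.

```powershell
# Added example: confirm the local a2hooks64.dll matches the SHA1 reported
# as the false positive before excluding it, and scope the exclusion to the
# exact file paths rather than the whole Emsisoft folder.

$ExpectedSha1 = '92CBB4204FB774FCC61342DF2FCF7123B53D8BF5'   # posted in this thread

$Paths = @(
    'C:\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll',
    'C:\ProgramData\Emsisoft\Updates\a2hooks64.dll'
)

foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        # Defender may already have quarantined or removed it; an update
        # should redownload it, as noted above.
        Write-Warning "$p is missing (quarantined or removed?)"
        continue
    }

    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
    if ($hash -ne $ExpectedSha1) {
        # A different build (e.g. beta) or an unexpected file: do not
        # exclude it on the strength of this thread alone.
        Write-Warning "$p has SHA1 $hash, not the hash reported as the FP"
        continue
    }

    # A file-path exclusion limits the blind spot to this one file; a folder
    # exclusion would also hide anything else dropped into that directory.
    Add-MpPreference -ExclusionPath $p
    Write-Output "Excluded $p (SHA1 matches)"
}

# Show what Defender flagged for this DLL and the exclusions now in effect.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'a2hooks64\.dll' } |
    Select-Object InitialDetectionTime, ThreatID, Resources

(Get-MpPreference).ExclusionPath
```

Once Microsoft's definitions no longer flag the file, the exclusion can be removed again with Remove-MpPreference -ExclusionPath using the same paths.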


The current status from the submission site is:

 

  • SHA1: 92CBB4204FB774FCC61342DF2FCF7123B53D8BF5
  • Detection Status: Under investigation
  • Alert Level: (none)
  • File: a2hooks64.dll

For me it currently still gets detected. Excluding the file in Windows Defender should help.


Thank you, I suspect that Windows Defender didn't update yet. I checked and the file is no longer detected by Microsoft:

 


Can you tell me what Windows version you have on the computer this is detected on (and is this the same Windows version as the other laptops have)?
