sdalgl72 Posted August 16, 2017

For some reason, EAM says there is suspicious behaviour every time that I update my drivers for my graphics card. I know that it stores files in the temp folder to install, but something like this should be whitelisted surely.

16/08/2017 07:02:42 Application Rule created for "C:\Users\user\AppData\Local\Temp\NVI2_29.DLL"
16/08/2017 07:42:24 Behavior Blocker detected suspicious behavior "AutorunCreation" of "C:\Users\user\AppData\Local\Temp\NVI2_29.DLL"
JeremyNicoll Posted August 16, 2017

I think I remember being told that these nVidia DLLs are not signed. If that's the case there's no easy way for EAM to identify that a file named NV-something-or-other.DLL really is a genuine nVidia DLL, far less to be certain that it is trustworthy. I suppose you could define an exclusion for NV-something.DLL files in the temp folder... but I certainly wouldn't do that.
m0unds Posted August 16, 2017

I just updated my NV drivers using GeForce Experience - that particular file is signed by NV but tries to modify an autorun entry. It also had no reputation on the anti-malware network, so I'm guessing the combination of the two things caused the BB popup.
GT500 Posted August 17, 2017

17 hours ago, sdalgl72 said:
"I know that it stores files in the temp folder to install but something like this should be whitelisted surely."

It's possible that it's being executed by a program that isn't digitally signed. Can you upload the file in question to VirusTotal and post the link here for me to look at?
JeremyNicoll Posted August 17, 2017

There have been threads in the past about this, e.g. on the FP forum. The files are deleted after use by the installer, which makes uploading anywhere tricky.
m0unds Posted August 17, 2017

I tried capturing the file, but the installer extracts, executes and deletes it faster than I can grab a copy. Additionally, EAM fails to quarantine it but blocks the autorun modification attempt. Would be helpful if EAM would write the SHA-1/MD5/SHA-256 hash to the forensic log. The BB dialog is blank except for the action the file is taking.

Here you go: https://www.virustotal.com/en/file/95705ae60a89adbf2b06534d52cb1817080d4480e1a5cc89f15d2a4dd7a096df/analysis/

File shows as NVI2.dll, but it had the same hash as the one being executed by the installer process after the install was complete (guessing it's registering the nv stuff to start w/the computer).
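For the capture problem m0unds describes above (the installer deletes the DLL faster than a copy can be taken), here is an added example, not from the thread and not Emsisoft's code: a PowerShell watcher that copies and hashes each NVI2_*.DLL the moment it appears in %TEMP%, so the hash and Authenticode status land in a log even though the original is gone. It assumes an elevated PowerShell session started before the driver update, a capture folder of your choosing ($CaptureDir), and that the installer drops the file into %TEMP% as the log lines in the first post show.

```powershell
# Added example, not from the thread or from Emsisoft: catch the transient
# NVI2_*.DLL the NVIDIA installer drops in %TEMP%, and copy + hash it before
# the installer deletes it. Start this in an elevated PowerShell window, then
# run the driver update. $CaptureDir is an assumed location of your choosing.
$WatchDir   = $env:TEMP
$Filter     = 'NVI2_*.DLL'
$CaptureDir = Join-Path $env:USERPROFILE 'Desktop\nv-capture'   # assumption
$LogFile    = Join-Path $CaptureDir 'capture.log'
# SHA-256 reported by VirusTotal for the copy m0unds posted earlier in this thread.
$KnownSha256 = '95705AE60A89ADBF2B06534D52CB1817080D4480E1A5CC89F15D2A4DD7A096DF'
New-Item -ItemType Directory -Force -Path $CaptureDir | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $WatchDir, $Filter
$watcher.EnableRaisingEvents = $true

# Settings are passed via -MessageData because the -Action block runs in its own scope.
Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier NvTempCapture `
    -MessageData @{ CaptureDir = $CaptureDir; LogFile = $LogFile; Known = $KnownSha256 } `
    -Action {
        $cfg   = $Event.MessageData
        $path  = $Event.SourceEventArgs.FullPath
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss-fff'
        $copy  = Join-Path $cfg.CaptureDir ("$stamp-" + (Split-Path $path -Leaf))
        # The file is usually still being written when Created fires; retry the
        # copy for up to ~1 s instead of failing on the first sharing violation.
        $copied = $false
        for ($i = 0; $i -lt 20 -and -not $copied; $i++) {
            try   { Copy-Item -LiteralPath $path -Destination $copy -ErrorAction Stop; $copied = $true }
            catch { Start-Sleep -Milliseconds 50 }
        }
        if (-not $copied) {
            Add-Content -Path $cfg.LogFile -Value "$stamp $path vanished before it could be copied"
            return
        }
        # Hash and signature are taken from our copy, which the installer cannot delete.
        $sha   = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        $sig   = Get-AuthenticodeSignature -LiteralPath $copy
        $match = if ($sha -eq $cfg.Known) { 'matches VT sample' } else { 'NEW hash' }
        $line  = "$stamp $path SHA256=$sha ($match) SigStatus=$($sig.Status) Signer=$($sig.SignerCertificate.Subject)"
        Add-Content -Path $cfg.LogFile -Value $line
    } | Out-Null

# Run the NVIDIA driver installer now; afterwards tear down the watcher and read the log:
# Unregister-Event -SourceIdentifier NvTempCapture; $watcher.Dispose()
# Get-Content $LogFile
```

Each captured build is logged with its SHA-256, its signature status and signer, and whether it matches the VirusTotal sample from this thread, which gives you the hash for a VirusTotal lookup or a False Positive report without depending on the BB dialog. A DLL with a hash that differs from the known sample, or whose SigStatus is not Valid, is the one worth submitting.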
GT500 Posted August 18, 2017

4 hours ago, m0unds said:
"Would be helpful if EAM would write the SHA-1/MD5/SHA-256 hash to the forensic log."

Open Emsisoft Anti-Malware, click on Protection, click on Behavior Blocker in the menu at the top, and change the option at the bottom from "Auto resolve with notification" to "Alert". When an alert is displayed, there's a "More info" link you can click on that will take you to the hashes so that we can look it up on VirusTotal.
m0unds Posted August 18, 2017

29 minutes ago, GT500 said:
"Open Emsisoft Anti-Malware, click on Protection, click on Behavior Blocker in the menu at the top, and change the option at the bottom from Auto resolve with notification to Alert. When an alert is displayed, there's a "More info" link you can click on that will take you to the hashes so that we can look it up on VirusTotal."

Yep, that's how I run the product; however, in the case of this particular file:

5 hours ago, m0unds said:
"The BB dialog is blank except for the action the file is taking."

See screenshot below.
GT500 Posted August 19, 2017

That usually happens when the file is not in the location that the Windows kernel says it's in, usually because the file was moved and the path hasn't been updated yet. Although the file being deleted too quickly can also cause this issue.

The only workarounds that I know of are to add the file to the monitoring exclusions so that the Behavior Blocker ignores it, or to disable the Behavior Blocker before installing the NVIDIA drivers. Since the file doesn't exist when you try to add it to the exclusions, you'll need to add another random file, and then paste the name and path of the file you want to exclude into the exclusions. You can also use wildcards if the file name has a tendency to change; however, since it's a TEMP folder it might not be safe to make extensive use of wildcards in exclusions.