
NVIDIA Driver update


sdalgl72


For some reason, EAM says there is suspicious behaviour every time that I update my drivers for my graphics card.

I know that it stores files in the temp folder to install but something like this should be whitelisted surely.

16/08/2017 07:02:42
Application Rule created for "C:\Users\user\AppData\Local\Temp\NVI2_29.DLL"

16/08/2017 07:42:24
Behavior Blocker detected suspicious behavior "AutorunCreation" of "C:\Users\user\AppData\Local\Temp\NVI2_29.DLL"


 


I think I remember being told that these nVidia DLLs are not signed. If that's the case there's no easy way for EAM to identify that a file named NV-something or other.DLL really is a genuine nVidia DLL, far less to be certain that it is trustworthy. I suppose you could define an exclusion for NV-something.DLL files, in the temp folder... but I certainly wouldn't do that.


I just updated my NV drivers using GeForce Experience - that particular file is signed by NV but tries to modify an autorun entry. It also had no reputation on the anti-malware network, so I'm guessing the combination of the two things caused the BB popup.


17 hours ago, sdalgl72 said:

I know that it stores files in the temp folder to install but something like this should be whitelisted surely.

It's possible that it's being executed by a program that isn't digitally signed.

Can you upload the file in question to VirusTotal and post the link here for me to look at?


I tried capturing the file, but the installer extracts, executes and deletes it faster than I can grab a copy. Additionally, EAM fails to quarantine it but blocks the autorun modification attempt. Would be helpful if EAM would write the SHA-1/MD5/SHA-256 hash to the forensic log. The BB dialog is blank except for the action the file is taking.

 

Here you go: https://www.virustotal.com/en/file/95705ae60a89adbf2b06534d52cb1817080d4480e1a5cc89f15d2a4dd7a096df/analysis/

 

File shows as NVI2.dll, but it had the same hash as the one being executed by the installer process after the install was complete (guessing it's registering the nv stuff to start w/ the computer).

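The post above describes the practical problem: the installer extracts the DLL, executes it and deletes it faster than a copy can be taken by hand, and the Behavior Blocker dialog shows no hash. The following PowerShell script is an added example, not code from this thread or from Emsisoft or NVIDIA. It watches the user's TEMP folder for files matching a name pattern, copies each one out the moment it appears, then hashes the copy (SHA-256/SHA-1/MD5) and checks its Authenticode signature, so the sample can be looked up on VirusTotal after the installer has already removed the original. The filename pattern `NVI2_*.DLL` is assumed from the `NVI2_29.DLL` path in the log above; the capture directory `C:\Capture` and the log file name are assumptions as well. Start it in a separate PowerShell window before launching the driver installer and stop it with Ctrl+C afterwards.

```powershell
# Added example (not from the thread): capture short-lived installer DLLs from
# %TEMP%, hash the copies and check their Authenticode signature.
#
# Assumptions not stated on the page:
#   - the installer drops files matching 'NVI2_*.DLL' directly in %TEMP%
#   - copies and the log go to C:\Capture
param(
    [string]$WatchDir   = $env:TEMP,
    [string]$Pattern    = 'NVI2_*.DLL',
    [string]$CaptureDir = 'C:\Capture'
)

New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null
$Log = Join-Path $CaptureDir 'capture.log'

function Capture-File {
    param([string]$Path)

    # Timestamped destination so repeated installs never overwrite a sample.
    $leaf = Split-Path -Path $Path -Leaf
    $dest = Join-Path $CaptureDir ("{0}_{1}" -f (Get-Date -Format 'yyyyMMdd_HHmmss_fff'), $leaf)

    # The extractor usually holds the file open while writing it, so the copy
    # fails with a sharing violation until the handle is closed. Retry briefly;
    # the file may be deleted again within a fraction of a second.
    for ($i = 0; $i -lt 100; $i++) {
        try {
            Copy-Item -LiteralPath $Path -Destination $dest -ErrorAction Stop
            break
        } catch {
            Start-Sleep -Milliseconds 10
        }
    }

    if (-not (Test-Path -LiteralPath $dest)) {
        "$(Get-Date -Format o)  MISSED  $Path" | Add-Content -Path $Log
        return
    }

    # Hash the copy, not the original: the original may already be gone, and
    # the hash must describe bytes we still hold and can upload.
    $sha256 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    $sha1   = (Get-FileHash -LiteralPath $dest -Algorithm SHA1).Hash
    $md5    = (Get-FileHash -LiteralPath $dest -Algorithm MD5).Hash

    # Signature status (Valid / NotSigned / HashMismatch / ...) and the signer
    # subject; a valid signature says who built the file, not that it is benign.
    $sig    = Get-AuthenticodeSignature -LiteralPath $dest
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    $line = "{0}  {1}  SHA256={2}  SHA1={3}  MD5={4}  Signature={5}  Signer={6}" -f `
        (Get-Date -Format o), $Path, $sha256, $sha1, $md5, $sig.Status, $signer
    $line | Add-Content -Path $Log
    Write-Host $line
    # Same URL form as the VirusTotal link posted in the thread.
    Write-Host "  https://www.virustotal.com/en/file/$($sha256.ToLower())/analysis/"
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $WatchDir
$watcher.Filter                = $Pattern
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents   = $true

# Queue Created events and drain them in the script's own scope, so the
# function above is visible and no event is lost while a copy is in progress.
$null = Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'TempDllCreated'
Write-Host "Watching $WatchDir for $Pattern; copies and log in $CaptureDir (Ctrl+C to stop)"
try {
    while ($true) {
        $ev = Wait-Event -SourceIdentifier 'TempDllCreated' -Timeout 1
        if ($ev) {
            Remove-Event -EventIdentifier $ev.EventIdentifier
            Capture-File -Path $ev.SourceEventArgs.FullPath
        }
    }
} finally {
    Unregister-Event -SourceIdentifier 'TempDllCreated'
    $watcher.Dispose()
}
```

Hash and signature are taken from the copy rather than the original because the original is frequently gone by the time `Get-FileHash` would open it. A `Valid` signature from the expected publisher plus a VirusTotal lookup of the SHA-256 is the evidence to attach to a false-positive report; it does not on its own make the autorun modification safe to exclude, which is why an exclusion under TEMP, as later posts note, should be as narrow as possible.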

4 hours ago, m0unds said:

Would be helpful if EAM would write the SHA-1/MD5/SHA-256 hash to the forensic log.

Open Emsisoft Anti-Malware, click on Protection, click on Behavior Blocker in the menu at the top, and change the option at the bottom from Auto resolve with notification to Alert. When an alert is displayed, there's a "More info" link you can click on that will take you to the hashes so that we can look it up on VirusTotal.


29 minutes ago, GT500 said:

Open Emsisoft Anti-Malware, click on Protection, click on Behavior Blocker in the menu at the top, and change the option at the bottom from Auto resolve with notification to Alert. When an alert is displayed, there's a "More info" link you can click on that will take you to the hashes so that we can look it up on VirusTotal.

Yep, that's how I run the product, however in the case of this particular file:

 

5 hours ago, m0unds said:

The BB dialog is blank except for the action the file is taking.

See screenshot below

[Screenshot: Untitled.png]


That usually happens when the file is not in the location that the Windows kernel says it's in. Usually because the file was moved, and the path hasn't been updated yet. Although the file being deleted too quickly can also cause this issue.

The only workarounds that I know of are to add the file to the monitoring exclusions so that the Behavior Blocker ignores it, or disable the Behavior Blocker before installing the NVIDIA drivers.

Since the file doesn't exist when you try to add it to the exclusions, you'll need to add another random file, and then paste the name and path of the file you want to exclude into the exclusions. You can also use wildcards if the file name has a tendency to change, however since it's a TEMP folder it might not be safe to make extensive use of wildcards in exclusions.


This topic is now closed to further replies.