Da Phu

Windows Defender detect Emsisoft Emergency Kit temp folder as a threat


It detects some temp files in the AppData > Local > tempxxxxxxx folder as a threat during scanning.

The threat detection name is Trojan:Win32/Zpevdo.A.


Why do you describe that folder as the "EEK temporary folder"?     Its name suggests it's the normal system temporary folder... and if there's an iffy file in there surely you'd want to know about it?

7 hours ago, JeremyNicoll said:

Why do you describe that folder as the "EEK temporary folder"?     Its name suggests it's the normal system temporary folder... and if there's an iffy file in there surely you'd want to know about it?

It is in the AppData > Local > Temp > Tempxxxxxx folder. This is where Windows Defender removed the threat, and it didn't quarantine it during the Emsisoft scan. There are some files in the Emsisoft temp folder in AppData Local that Windows Defender detects when doing a scan.

But   "Appdata > Local > temp"   is where all the temporary files created by many applications, and by the OS itself on your behalf, will be put.

And a file/folder inside that named "Tempxxxxxx"  could have been created by any application or by the OS.  

Is what you're saying just that you've got some files in %temp% which Windows Defender says are infected, but EEK did not think were infected?    If so, that could mean that WD was wrong - maybe the files are ok.  If you still have them you could upload them to VirusTotal, one at a time, to see what it thinks about them.  If it thinks they are ok then there's no issue.  If it thinks they are infected then for each of those it would be useful if you tell us the URL of the VT report that says that for each file.

The VirusTotal site is at: https://www.virustotal.com/en-gb/

Their service is public so if the files concerned contain confidential data of yours, you might not want to upload them there.

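A way to follow the advice above without uploading possibly confidential files: enumerate what Windows Defender detected under the per-user Temp folder, hash anything still on disk, and look the hash up on VirusTotal instead of sending the file. This is an added example, not code from the thread, from Emsisoft or from Microsoft. It assumes the built-in Defender PowerShell module (Get-MpThreat, Get-MpThreatDetection, Get-FileHash) in an elevated session on Windows 10 or later, that the folder in question is %LOCALAPPDATA%\Temp as the thread describes, and that a VirusTotal v3 API key is held in an environment variable named VT_API_KEY (the variable name is my choice).

```powershell
# Added example: not code from the thread, Emsisoft or Microsoft.
# Lists Defender detections whose path sits under the per-user Temp folder and hashes
# whatever is still on disk, so the file can be checked on VirusTotal by hash rather
# than uploaded. Needs the built-in Defender module and an elevated PowerShell session.

function Get-TempDetection {
    param(
        # Assumption: the folder discussed in the thread is %LOCALAPPDATA%\Temp.
        [string]$TempRoot = (Join-Path $env:LOCALAPPDATA 'Temp')
    )
    $TempRoot = $TempRoot.TrimEnd('\') + '\'

    # Map numeric ThreatID -> name such as "Trojan:Win32/Zpevdo.A"
    $names = @{}
    foreach ($t in Get-MpThreat) { $names["$($t.ThreatID)"] = $t.ThreatName }

    foreach ($d in Get-MpThreatDetection) {
        foreach ($r in $d.Resources) {
            # Resource strings look like "file:_C:\...\foo.exe" or "containerfile:_C:\...\bar.zip"
            if ($r -notmatch '^(?<kind>[A-Za-z]+):_(?<path>.+)$') { continue }
            $kind = $Matches.kind
            $path = $Matches.path
            if (-not $path.StartsWith($TempRoot, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

            # $true only while Defender has not yet removed or quarantined the file
            $onDisk = Test-Path -LiteralPath $path -PathType Leaf
            [pscustomobject]@{
                Detected    = $d.InitialDetectionTime
                ThreatName  = $names["$($d.ThreatID)"]
                Kind        = $kind
                Path        = $path
                StillOnDisk = $onDisk
                # SHA-256 is what you look up on VirusTotal; the file itself never leaves the machine
                Sha256      = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

# VirusTotal v3 hash lookup. Only the hash is sent; a 404 means VT has never seen the file.
# Assumption: the API key is in the environment variable VT_API_KEY.
function Get-VirusTotalVerdict {
    param([Parameter(Mandatory)][string]$Sha256)
    $resp = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$Sha256" `
                              -Headers @{ 'x-apikey' = $env:VT_API_KEY } -ErrorAction Stop
    $s = $resp.data.attributes.last_analysis_stats
    [pscustomobject]@{
        Malicious  = $s.malicious
        Suspicious = $s.suspicious
        Undetected = $s.undetected
        Report     = "https://www.virustotal.com/gui/file/$Sha256"
    }
}

$hits = Get-TempDetection
$hits | Format-Table Detected, ThreatName, Kind, StillOnDisk, Path -AutoSize

if ($env:VT_API_KEY) {
    foreach ($h in $hits | Where-Object { $_.Sha256 }) {
        try   { $h.Path; Get-VirusTotalVerdict -Sha256 $h.Sha256 | Format-List }
        catch { "{0}: not found on VirusTotal ({1})" -f $h.Path, $_.Exception.Message }
    }
}
```

If Defender has already removed a file, StillOnDisk is false and there is nothing to hash; the detection record with its ThreatName (for example Trojan:Win32/Zpevdo.A) and full path is still useful for a false-positive report. Items Defender quarantined rather than removed can be listed with "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll before deciding whether to restore one.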

Do you have a copy of the scan report with the full path? They're usually saved in the following folder:

  • C:\EEK\Reports

18 hours ago, JeremyNicoll said:

But   "Appdata > Local > temp"   is where all the temporary files created by many applications, and by the OS itself on your behalf, will be put.

And a file/folder inside that named "Tempxxxxxx"  could have been created by any application or by the OS.  

Is what you're saying just that you've got some files in %temp% which Windows Defender says are infected, but EEK did not think were infected?    If so, that could mean that WD was wrong - maybe the files are ok.  If you still have them you could upload them to VirusTotal, one at a time, to see what it thinks about them.  If it thinks they are ok then there's no issue.  If it thinks they are infected then for each of those it would be useful if you tell us the URL of the VT report that says that for each file.

 The VirusTotal site is at: https://www.virustotal.com/en-gb/

Their service is public so if the files concerned contain confidential data of yours, you might not want to upload them there.

It was created by EEK. The temp folder appeared when I opened EEK, and disappeared when I closed EEK. I wish I could restore the files that Windows Defender detected, but for some reason Windows Defender automatically removed the files instead of quarantining them.

4 hours ago, GT500 said:

Do you have a copy of the scan report with the full path? They're usually saved in the following folder:

  • C:\EEK\Reports

I ran a malware scan in EEK, and this is where Windows Defender detected some files in the EEK temp folder in AppData > Local as a threat. Windows Defender automatically removed the threat instead of quarantining it. I just did a malware scan today with the latest EEK signatures, and it seems like Windows Defender no longer detects EEK files in the EEK temp folder as a threat.

It was probably the contents of an archive (ZIP, RAR, 7z, etc) that was extracted to the TEMP folder for scanning. The BitDefender scan engine does that if the option to scan inside archives is selected.

4 hours ago, GT500 said:

It was probably the contents of an archive (ZIP, RAR, 7z, etc) that was extracted to the TEMP folder for scanning. The BitDefender scan engine does that if the option to scan inside archives is selected.

Update: 7/26 1:11 AM EST 

I have that option enabled on Custom Scan. Malware Scan also triggered it.

Windows Defender's latest signatures detect one of Emsisoft's temp files in the temp folder located in AppData Local as a Trojan during a malware scan. The detection name is Trojan:Win32/Zpevdo.A.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Zpevdo.A&ThreatID=-2147240153


Do you know what file is being scanned when these TEMP files are detected?

On 7/27/2018 at 3:06 AM, GT500 said:

Do you know what file is being scanned when these TEMP files are detected?

I don't remember, but Windows Defender detects some temp files in the temp folder with a whole bunch of numbers as a threat. The file detected changes each time I update the signatures.

Scanning archives isn't used in a Malware Scan, so if it happens when running a Malware Scan then let me know what file is being scanned when it happens (or take a screenshot of EAM so that I can see what it's scanning).

On 7/30/2018 at 12:37 PM, GT500 said:

Scanning archives isn't used in a Malware Scan, so if it happens when running a Malware Scan then let me know what file is being scanned when it happens (or take a screenshot of EAM so that I can see what it's scanning).

Tested 2 days straight, and it seems like Windows Defender no longer detects anything related to Emsisoft as a threat. In addition, Microsoft replied to my reported ticket that they have already fixed this false positive detection.
8 hours ago, Jerky McDilerino said:

Tested 2 days straight, and it seems like Windows Defender no longer detects anything related to Emsisoft as a threat. In addition, Microsoft replied to my reported ticket that they have already fixed this false positive detection.

Awesome. Thanks for letting us know. ;)
