templar Posted August 1, 2011

Hi folks,

Nothing serious, but I just performed a scan with EAM and it found two detections:

C:\windows\system32\[email protected]@@k.dll detected: [email protected]@@k!A2
C:\Windows\SysWOW64\[email protected]@@k.DLL detected: Riskware.Win32.HackTool.HotKeysHook!A2

I thought I'd go take a look at the locations of these files, and while the second detection was present, the first was not. Also, when I quarantined the said files, only the visible detection was quarantined. Any explanation for why this would happen?
Lynx Posted August 1, 2011

Hi templar, welcome to the forum.

Your saved report correctly reflects what was done: 1 File and 1 Trace were quarantined.

The Riskware was a file that was indeed physically present. The Traces are entries in the Registry. It may happen in many cases that those represent Registry entries only, which are leftovers. EAM did not warn you about any detection of the file named "[email protected]@@k.dll" compared to "[email protected]@@k.DLL". The leftovers can be present in the Registry though.

Say, you may've uninstalled the Software, but the uninstall procedures sometimes are not necessarily implemented correctly, so the Registry entries are still in place. Then, some users are deleting the Software or files without using Add/Remove. In this case many Registry entries can be present, but there are no associated files in the system anymore. The Registry Cleaning procedure should be performed afterwards if such actions took place.

Those were just a few scenarios re: Traces.

Now, you can run just a Quick Scan (QS) in order to be sure that quarantined Traces are not present anymore. QS always checks for all known Registry Traces. And/or, in addition, you can perform a Registry Search in order to be convinced that specific entries are not present any more. You can use RegScanner by NirSoft - very fast & reliable.

My regards
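As an added example (not from the thread, Emsisoft or NirSoft), a PowerShell check that does what Lynx suggests doing with RegScanner: it searches the common software hives for registry values that mention a given file name and reports whether the referenced file still exists on disk. The file-name pattern and the list of hives are assumptions; the real DLL name in the thread is obfuscated, so a placeholder is used.

```powershell
# Added example: find registry "traces" that reference a file name and check
# whether the file they point to is still present on disk. A hit with
# FileOnDisk = False is the kind of leftover entry Lynx describes.
param(
    # Placeholder: substitute the DLL name reported by the scanner.
    [string]$Pattern = 'PLACEHOLDER_hook.dll'
)

# Hives that commonly keep entries from installed or removed software (assumption).
$roots = @(
    'HKLM:\SOFTWARE',
    'HKLM:\SOFTWARE\WOW6432Node',
    'HKCU:\Software',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

$escaped = [regex]::Escape($Pattern)

foreach ($root in $roots) {
    # Walk every subkey; keys we cannot read are skipped silently.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            # Only string data can hold a path; skip DWORDs, binary blobs, etc.
            if ($data -is [string] -and $data -match $escaped) {
                # Strip surrounding quotes and any trailing arguments to get the path.
                $path = $data -replace '^"?([^"]+\.dll).*$', '$1'
                [pscustomobject]@{
                    Key        = $key.Name
                    ValueName  = $name
                    Data       = $data
                    FileOnDisk = (Test-Path -LiteralPath $path)
                }
            }
        }
    }
}
```

Run it from an elevated PowerShell prompt so HKLM is fully readable; an empty result after quarantine is the confirmation Lynx's Quick Scan step is meant to give.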
templar Posted August 2, 2011 (Author)

Cheers for the explanation, Lynx! I'm positive the [email protected]@@k.DLL was generated to monitor keystrokes when I ran a trainer to let my little nephew cheat on a game. I deleted the said trainer after he finished playing the game, but obviously it left over these files, so excellent work on EAM detecting them!

Two quick questions though:

1. I have moved the file to quarantine and can probably delete it, but am I correct in assuming anything placed in quarantine is unable to perform malicious actions? I.e. has malware ever been known to escape quarantine?

2. I use EAM free and these threats were labelled Medium and Low risk; I'm no expert, but I assume keyloggers have to run in memory and processes must be running in order for it to capture keystrokes. Now I know EAM free has no real-time protection, but if this was malicious and I had run a quick scan while these processes were running, would EAM have warned me?
Lynx Posted August 2, 2011

You are welcome, templar.

"I have moved the file to quarantine and can probably delete it, but am I correct in assuming anything placed in quarantine is unable to perform malicious actions? I.e. has malware ever been known to escape quarantine?"

That's impossible. EAM keeps jailed files in the \Quarantine\ folder. See files named like 38253096AB9883064A781E9331EC1A280EBAC792.A2Q; the quarantined items inside are encrypted. In addition, quarantined items are rescanned within quarantine after an update. See the respective options. If false-positive detections are found, the item(s) can be restored either silently or after a notification.

"I use EAM free and these threats were labelled Medium and Low risk; I'm no expert, but I assume keyloggers have to run in memory and processes must be running in order for it to capture keystrokes. Now I know EAM free has no real-time protection, but if this was malicious and I had run a quick scan while these processes were running, would EAM have warned me?"

The Free version has an on-demand scanner only. Sure, when you are running a Quick Scan, all processes running at that particular moment (important) will be analyzed, based on the current scanner's knowledge, so to speak (its signatures), and no more than that. Definitely, EAM has a very high rate of detection (one of the best, if not the best, on the market for years), but none of the existing "pure AV" solutions can protect you 100%.

You are right: the real-time protection components/layers of protection available in the full EAM Suite, especially its Behaviour Blocker, are very much needed if you want to be protected constantly against potential dangers, since every process is monitored as soon as it's activated/executed. Again, that is never 100%, but it dramatically increases the chance of catching new/0-day suspects.

Cheers!
templar Posted August 2, 2011 (Author)

Thanks for the replies Lynx, you are a top bloke!