Advice Request Anybody seen a block like this before?


blackice

Level 38
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
It seems to be the .exe for Burnout Paradise Remastered (which I do have installed). Strangely I did not run this, just happened to notice the alert in my notifications. It logged the block right as I was stepping away from the PC.
From the Notifications: (screenshot attachment)
From F-Secure log: (screenshot attachment)
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
It seems to be the .exe for Burnout Paradise Remastered (which I do have installed). Strangely I did not run this, just happened to notice the alert in my notifications. It logged the block right as I was stepping away from the PC.
This detection looks like it is from Avira; they usually name them like: Trojan.TR/...
@blackice have you uploaded this exe to VT and compared the detections there?
 

Victor M

Level 7
Verified
Well-known
Oct 3, 2022
343
It also could be that the malware is new, and there are no signatures for it yet. Signatures are what a manual scan uses. So the block could have been a behavioural block. Did you install this program just within the last couple of days?
 

blackice

Level 38
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
It also could be that the malware is new, and there are no signatures for it yet. Signatures are what a manual scan uses. So the block could have been a behavioural block. Did you install this program just within the last couple of days?
No it's been installed and unmodified since October. Installed through the official EA app legitimately. But it does show it was last accessed at the time of the block.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Looks like a generic detection for the packer or maybe DRM in this case for a paid game. No Avira detection on VT could mean it's a cloud-based detection. Must be a false positive.
Submit to Avira as a false positive as well. Whoever sees it first, will fix it.
(These F-Secure Trojan/TR detection names look quite stupid IMO. TR from Avira already means Trojan. Don't know why F-Secure adds these extra prefixes when detected on their product. There are other detection names from them like these also, eg: Heuristic/Heur.... Very silly. Anyway, enough ranting.)
 
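The thread's advice is to look the file up on VirusTotal and compare what each engine says (no Avira hit on VT versus a local Avira-engine alert points at a cloud or generic detection). The script below is an added example, not code from anyone in this thread: it hashes the file locally and queries VT v3 by hash only, so a licensed game executable is never uploaded. It assumes an API key in the `VT_API_KEY` environment variable; the engine names and the `summarize` helper are my own.

```python
"""Look up a file on VirusTotal by SHA-256 and compare per-engine verdicts
(e.g. Avira vs F-Secure) with what the local product reported.
Assumption: a VT API key in VT_API_KEY. Only a hash lookup is done."""
import hashlib
import json
import os
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of(path, chunk=1 << 20):
    """Stream the file so a large game executable is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def summarize(report, engines=("Avira", "F-Secure")):
    """From a VT v3 file object return (engines flagging the file, verdicts of
    the engines we care about). Missing or empty verdicts read 'undetected/absent'."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = sorted(name for name, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    watched = {e: (results.get(e) or {}).get("result") or "undetected/absent"
               for e in engines}
    return flagged, watched


def lookup(path, api_key=None):
    """Query VT for the file's hash; returns None when VT has never seen it
    (a 404), which itself means nobody has uploaded that exact build yet."""
    key = api_key or os.environ["VT_API_KEY"]
    req = urllib.request.Request(VT_FILE_URL.format(sha256_of(path)),
                                 headers={"x-apikey": key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize(json.load(resp))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


if __name__ == "__main__":
    import sys
    out = lookup(sys.argv[1])
    print("hash unknown to VirusTotal" if out is None else out)
```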

blackice

Level 38
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Processes still run on a system when you walk away, at idle and in sleep.
The process could be executed as part of a scheduled task (not in Task Scheduler) or an updater or telemetry or ...
And that's why it's weirded me out a bit. I don't think this file in particular is a trojan, but I think there might be something odd going on since a game was accessed when I wasn't using the PC.
 

blackice

Level 38
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Looks like an ancient case of Avira false positive continues 4 years later.


Very interesting. It's odd because if I launch Burnout Paradise Remaster from Game Pass/EA launcher it doesn't get blocked. So it does seem to be an Avira sig and not a behavior block of any kind. The question is, what caused F-Secure to access it in the first place?
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
What is strange is that it happened on its own, I was not even at the computer when it happened. So I was not executing any programs.

Edit: Also a manual scan of this file results in no detections.
I ignored something like this earlier today, but since you posted... I got a warning from ESET that it detected a variant of win32.exe (IIRC) in an E:\kerish.rar file that I was holding AND that ESET could not clean. That file was just in miscellaneous storage and of no use to me, so I just deleted/wiped it. I did not manually scan E:\. I did pause long enough to scratch my head but then got busy with something else. Curious!!?? :unsure:
 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
I ignored something like this earlier today, but since you posted... I got a warning from ESET that it detected a variant of win32.exe (IIRC) in an E:\kerish.rar file that I was holding AND that ESET could not clean. That file was just in miscellaneous storage and of no use to me, so I just deleted/wiped it. I did not manually scan E:\. I did pause long enough to scratch my head but then got busy with something else. Curious!!?? :unsure:
Was this Kerish Doctor? Today I tried to install it and Emsisoft threw a couple of alerts and it finally quarantined the Kerish Doctor executable because it was determined as Dangerous by Emsisoft cloud.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Was this Kerish Doctor? Today I tried to install it and Emsisoft threw a couple of alerts and it finally quarantined the Kerish Doctor executable because it was determined as Dangerous by Emsisoft cloud.
Yes Kerish Doctor from some time ago, not (no longer) installed, and just parked in a compressed rar. I just saw there's another thread about this today!!
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
Very interesting. It's odd because if I launch Burnout Paradise Remaster from Game Pass/EA launcher it doesn't get blocked. So it does seem to be an Avira sig and not a behavior block of any kind. The question is, what caused F-Secure to access it in the first place?
Glad to see you stay curious, instead of, as some do, simply uninstalling the AV no matter what brand/vendor and getting satisfied because now the new AV doesn't warn for infections! 🙄🤦‍♂️

Since you already submitted this, you will sooner or later get an answer, but personally I wonder not about exactly what gets blocked, because I have no doubt it's legit, but the warning message mentions parts I can't see having been said/asked in this thread.

From the Notifications: (screenshot attachment)
F:, is that an external drive or USB?
 

blackice

Level 38
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Glad to see you stay curious, instead of, as some do, simply uninstalling the AV no matter what brand/vendor and getting satisfied because now the new AV doesn't warn for infections! 🙄🤦‍♂️

Since you already submitted this, you will sooner or later get an answer, but personally I wonder not about exactly what gets blocked, because I have no doubt it's legit, but the warning message mentions parts I can't see having been said/asked in this thread.

F:, is that an external drive or USB?
Nope, just my NVMe game drive.
 
