mchinjdrv.sys deleted from seemingly legit program

Hi All,

I've had Http Analyzer 2 (it analyzes web traffic similar to Firebug) on my machine for about 10 months without any issues.

Today when I launched it, NOD 2.7 deleted mchinjdrv.sys which renders it unusable.

Since I've had NOD on here even longer than Http analyzer, I'm wondering why NOD is suddenly flagging and deleting something I've used for a long time. I checked the install files and nothings changed since my original install last March.

Has anyone else seen a similar issue, maybe the latest virus def is more aggressive?

Here's the full error:

file C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Win32/Monitor.PCAgent application

quarantined - deleted

Event occurred on a new file created by the application:
C:\Program Files\IEInspector\HTTPAnalyzerFullV2\HttpAnalyzerStdV2.exe.

And is there a way to preemptively have it ignore something like that?

Thanks,
Dave

 

Do you have detection of potentially unsafe applications enabled? These cover commercial tools that can be exploited for malicious purpose and whose presence is not desired in corporate environments if installed and used without administrator's consent. By the way, EAV/ESS v4 alert about them by a yellow window, always asking the user to choose an action when strict cleaning is not used.

 

MAMUTU also makes use of that SAME driver (albeit likely modified for security purposes) as it was passed on to them with the source code via Novatix when CyberHawk first entered the Behavioral Blocker scene.

It can be and has been used for malicious means in the past too. I remember a warning once from Madshi who apparently created it to begin with for his projects.

EASTER

 

Hi Guys,

Thanks for the responses.

Yes, I have potentially unsafe apps checked but I haven't changed my settings in quite awhile and have been using HttpAnalyzer almost daily with no issues until yesterday.

If I relaunch the program it recreates the file and NOD promptly deletes it again.
I suppose I could set an exception but I was just wondering what could have changed all of the sudden.

The program itself has no changes since I installed it (all the files say 3/08 or older)

I may try 4.0 out and see what it does.

Thanks,
Dave

 

Same warning here due to Threatfire. Below is a quote from pc tools Threatfire forum.

"Please report this to ESET as a false positive. mchInjDrv.sys is a dynamically created driver used by ThreatFire to inject DLLs into other processes to monitor them."

 

Hello NewlessClubie,

Can you please submit a sample to samples@eset.com. Refer to the following Knowledgebase article for submitting samples:

http://training.eset.com/kb/index.php?option=com_kb&Itemid=29&page=articles&articleid=141

It's most likely just a change in the virus signature DB.

Thank you,
Richard

 

It was already answered but I can summarize it:
The file is not detected by default. User have to change detection settings in order to be detected - to enable detection of potentially unsafe applications.
mchInjDrv.sys - Win32/Monitor.PCAgent application

When something detected as potentially unsafe application it does not mean it is a threat and need to be removed. It is intended to be a help for the users who know what they are doing.

Generally potentially unsafe applications are complete legitimate components which can be abused, used by malware, or used against you without your knowledge.

So if you knowingly installed the application, then it is not a threat but in the case somebody else installed it with the scope in mind to perform some stealth actions on you PC, then identification of the application is desired. Depends on circumstances. That's why it is optional detection.

For those who want the mchInjDrv.sys I recommend stay at default settings for p.unsafe apps in realtime protection, it will run without problems.
Don't forget the settings for in-depth scanning may be different from the realtime protection, it is necessary to verify them too (only those who change them).

 

Hi All,


Ironically enough, if I set an exception for that file, start the HTTP analyzer program and then search for the file, it can't be found.

So I can't submit it for analysis because NOD deletes it on launch if it's not excluded, and if it is excluded, it doesn't seem to exist anywhere when I search for it.

So I'm kind of stumped

Thanks,
Dave

 

Hi, I am running ESET SS v4 beta and I have the same issue. I am using mamutu and its seems its dynamically creating a driver during booting and then after loading the main program (mamutu.exe) its automatically deleted.

Log:

 

Hello vijayind,

The file should be quarantined in C:\Program Files\ESET\Infected for NOD32 2.7.

Thank you,
Richard

 

Since potentially unsafe applications cover legit tools that can be exploited for malicious purposes, not everyone may want to enable them. If it's causing you troubles, simply disable them in the AMON setup. I'd strongly recommend that you upgrade to v4 that has been recently released.

 

Well Lo & Behold i got my Mamutu hidden driver deleted too today. Had to reinstall mamutu again after turning off NOD Resident Protection which i have set to high on all instances, but it was only a matter of adding it to the exclusion list which i had to do manually because it's ??/ hidden in the driver's table of some tools i use for rootkit detection purposes but the invisible file mchInjDrv.sys in System32/Drivers took hold in NOD's avoid list and no more captures are expected.

It must be a very well written driver to still be causing a stir after all these years and even some security vendors must find it useful enough to use it. But i remember a day when it was being passed around to malware makers to hide their crafts and caused MADSHI some anxious moments. LoL

Still a good catch NOD, glad it was on duty.

EASTER