mchinjdrv.sys deleted from seemingly legit program

Discussion in 'NOD32 version 2 Forum' started by NewlessClubie, Jan 28, 2009.

Thread Status:
Not open for further replies.
  1. NewlessClubie

    NewlessClubie Registered Member

    Joined:
    Jul 20, 2008
    Posts:
    19
    Hi All,

    I've had Http Analyzer 2 (it analyzes web traffic similar to Firebug) on my machine for about 10 months without any issues.

    Today when I launched it, NOD 2.7 deleted mchinjdrv.sys which renders it unusable.

    Since I've had NOD on here even longer than Http Analyzer, I'm wondering why NOD is suddenly flagging and deleting something I've used for a long time. I checked the install files and nothing's changed since my original install last March.

    Has anyone else seen a similar issue? Maybe the latest virus def is more aggressive?

    Here's the full error:

    file C:\WINDOWS\system32\Drivers\mchInjDrv.sys
    Win32/Monitor.PCAgent application

    quarantined - deleted

    Event occurred on a new file created by the application:
    C:\Program Files\IEInspector\HTTPAnalyzerFullV2\HttpAnalyzerStdV2.exe.

    And is there a way to preemptively have it ignore something like that?

    Thanks,
    Dave
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Do you have detection of potentially unsafe applications enabled? These cover commercial tools that can be exploited for malicious purposes and whose presence is not desired in corporate environments if installed and used without the administrator's consent. By the way, EAV/ESS v4 alerts about them with a yellow window, always asking the user to choose an action when strict cleaning is not used.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    MAMUTU also makes use of that SAME driver (albeit likely modified for security purposes) as it was passed on to them with the source code via Novatix when CyberHawk first entered the Behavioral Blocker scene.

    It can be and has been used for malicious means in the past too. I remember a warning once from Madshi who apparently created it to begin with for his projects.

    EASTER
     
  4. NewlessClubie

    NewlessClubie Registered Member

    Joined:
    Jul 20, 2008
    Posts:
    19
    Hi Guys,

    Thanks for the responses.

    Yes, I have potentially unsafe apps checked, but I haven't changed my settings in quite a while and have been using HttpAnalyzer almost daily with no issues until yesterday.

    If I relaunch the program it recreates the file and NOD promptly deletes it again.
    I suppose I could set an exception but I was just wondering what could have changed all of the sudden.

    The program itself has no changes since I installed it (all the files say 3/08 or older).

    I may try 4.0 out and see what it does.

    Thanks,
    Dave
     
  5. fosl

    fosl Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    54
    Same warning here due to Threatfire. Below is a quote from pc tools Threatfire forum.

    "Please report this to ESET as a false positive. mchInjDrv.sys is a dynamically created driver used by ThreatFire to inject DLLs into other processes to monitor them."
     
  6. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    995
    Location:
    San Diego, CA USA
  7. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    It was already answered but I can summarize it:
    The file is not detected by default. Users have to change the detection settings for it to be detected - to enable detection of potentially unsafe applications.
    mchInjDrv.sys - Win32/Monitor.PCAgent application

    When something is detected as a potentially unsafe application, it does not mean it is a threat and needs to be removed. It is intended to be a help for users who know what they are doing.

    Generally, potentially unsafe applications are completely legitimate components which can be abused, used by malware, or used against you without your knowledge.

    So if you knowingly installed the application, then it is not a threat, but in the case where somebody else installed it with the intention of performing some stealth actions on your PC, then identification of the application is desired. It depends on circumstances. That's why it is an optional detection.

    For those who want mchInjDrv.sys, I recommend staying at the default settings for p.unsafe apps in real-time protection; it will run without problems.
    Don't forget that the settings for in-depth scanning may be different from the real-time protection settings, so it is necessary to verify them too (only for those who changed them).
     
    Last edited: Feb 4, 2009
  8. NewlessClubie

    NewlessClubie Registered Member

    Joined:
    Jul 20, 2008
    Posts:
    19
    Hi All,


    Ironically enough, if I set an exception for that file, start the HTTP analyzer program and then search for the file, it can't be found.

    So I can't submit it for analysis because NOD deletes it on launch if it's not excluded, and if it is excluded, it doesn't seem to exist anywhere when I search for it.

    So I'm kind of stumped :)

    Thanks,
    Dave
     
  9. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Hi, I am running ESET SS v4 beta and I have the same issue. I am using Mamutu and it seems it's dynamically creating a driver during booting, and then after loading the main program (mamutu.exe) it's automatically deleted.

    Log:
     
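Posts #8 and #9 describe the same practical problem: the driver is written by the application at launch and removed again (by the scanner, or by the application itself) before anyone can locate it, so there is nothing to hash or to submit for false-positive analysis. The script below, an added example that is not from the thread or from any of the vendors mentioned, polls a directory for files matching a name pattern, copies each newly appearing file out immediately and records its SHA-256 from the copy, so the record survives even when the original vanishes a moment later. The directory names, the `demo()` dropper thread and `SAMPLE_CONTENT` are constructed for the example; on a real machine you would point it at `C:\Windows\System32\Drivers` with the pattern `mchInjDrv.sys` and start it before launching the program.

```python
"""Capture a short-lived driver file so it can be hashed and kept for
false-positive analysis. Added example, not code from the thread.
Assumption: the watched file may be removed within a fraction of a second
of being created, so the directory is polled quickly and every new match
is copied out before it is hashed. Standard library only (Python 3.8+)."""
import fnmatch
import hashlib
import shutil
import tempfile
import threading
import time
from pathlib import Path

# Constructed stand-in for driver bytes; not a real .sys image.
SAMPLE_CONTENT = b"constructed sample driver bytes, not a real .sys image\n"


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used by the demo and the test)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    """Hex SHA-256 of a file, read in chunks so large drivers are fine."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(watch_dir: Path, pattern: str) -> set:
    """Names in watch_dir matching pattern; compared case-insensitively,
    as NTFS would, so 'mchinjdrv.sys' also matches 'mchInjDrv.sys'."""
    return {p.name for p in watch_dir.iterdir()
            if p.is_file() and fnmatch.fnmatchcase(p.name.lower(), pattern.lower())}


def capture_new_files(watch_dir, dest_dir, pattern="*.sys",
                      interval=0.05, timeout=10.0, stop_after=None):
    """Poll watch_dir until timeout. Every matching file that appears after
    the baseline snapshot (or disappears and is recreated) is copied into
    dest_dir and hashed there. Returns a list of dicts; stop_after=N
    returns as soon as N files have been captured."""
    watch_dir, dest_dir = Path(watch_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    seen = snapshot(watch_dir, pattern)      # already present: not "new"
    captured = []
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        present = snapshot(watch_dir, pattern)
        for name in present - seen:
            src = watch_dir / name
            copy = dest_dir / f"{time.strftime('%Y%m%d-%H%M%S')}-{name}"
            try:
                shutil.copy2(src, copy)      # fails if it was removed already
            except OSError as exc:
                captured.append({"name": name, "error": str(exc)})
                continue
            captured.append({"name": name, "size": copy.stat().st_size,
                             "sha256": sha256_file(copy), "copy": str(copy)})
        seen = present                       # forget names that vanished
        if stop_after is not None and len(captured) >= stop_after:
            break
        time.sleep(interval)
    return captured


def demo(delay=0.2, name="mchInjDrv.sys"):
    """Self-contained run in a temp directory: a background thread plays
    the application that drops the driver and removes it half a second
    later, mimicking the create-then-delete the posters observed."""
    root = Path(tempfile.mkdtemp(prefix="drvcap-"))
    watch, dest = root / "Drivers", root / "capture"
    watch.mkdir()

    def dropper():
        time.sleep(delay)
        target = watch / name
        target.write_bytes(SAMPLE_CONTENT)
        time.sleep(0.5)
        target.unlink(missing_ok=True)       # the file is gone again

    t = threading.Thread(target=dropper, daemon=True)
    t.start()
    records = capture_new_files(watch, dest, pattern="mchinjdrv.sys",
                                timeout=5.0, stop_after=1)
    t.join()
    return records


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The hash is taken from the copy rather than from the original on purpose: reading the original while the scanner is deleting it would produce either an error or a truncated digest. If the copy itself fails, the record keeps the error so you at least know the file existed and when.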
  10. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    995
    Location:
    San Diego, CA USA
    Hello vijayind,

    The file should be quarantined in C:\Program Files\ESET\Infected for NOD32 2.7.

    Thank you,
    Richard
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Since potentially unsafe applications cover legit tools that can be exploited for malicious purposes, not everyone may want to enable them. If it's causing you troubles, simply disable them in the AMON setup. I'd strongly recommend that you upgrade to v4 that has been recently released.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Well, lo and behold, I got my Mamutu hidden driver deleted too today. Had to reinstall Mamutu again after turning off NOD Resident Protection, which I have set to high on all instances, but it was only a matter of adding it to the exclusion list, which I had to do manually because it's hidden in the driver's table of some tools I use for rootkit detection purposes, but the invisible file mchInjDrv.sys in System32/Drivers took hold in NOD's avoid list and no more captures are expected.

    It must be a very well written driver to still be causing a stir after all these years, and even some security vendors must find it useful enough to use it. But I remember a day when it was being passed around to malware makers to hide their crafts and caused MADSHI some anxious moments. LoL

    Still a good catch NOD, glad it was on duty.

    EASTER
     