Why is ekrn.exe trying to modify executables?

Discussion in 'ESET NOD32 Antivirus' started by menuet2, Feb 14, 2011.

Thread Status:
Not open for further replies.
  1. menuet2

    menuet2 Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    8
    I've just installed Comodo Internet Security (Firewall and Defense+) and NOD32 Antivirus. Soon enough, Defense+ raised a warning that ekrn.exe was trying to modify an executable file that was already running.

    [Attachment: ESET_modifying_tunnelier.png]

    Why would NOD32 attempt to modify an executable at all? Is this warning created by the fact that ekrn.exe was opening the executable for reading, but the file open flags were carelessly set to R/W in the code? Otherwise it's a bit scary when your antivirus tries to modify an executable, and it's not in order to clean it.
     
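One way to settle the question for a specific file is to fingerprint it before and after the alert and see whether the bytes on disk actually changed. The script below is an added example, not code from the original post or from ESET or Comodo: it builds a constructed stand-in for the flagged executable, opens it with write access without writing (the "R/W open flags" case the question describes), confirms the fingerprint is unchanged, then performs a real in-place modification of the kind a cleaner would make and shows the fingerprint change. The file name, sample content and marker string are all assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, sha256 hex digest) of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def scan_file(path, request_write=False):
    """Read a file the way a scanner would. With request_write=True the
    handle is opened with write access ('r+b') but nothing is written; a
    HIPS that alerts on the requested access rather than on actual writes
    will flag this open even though the bytes on disk do not change.
    Returns the number of bytes read."""
    mode = "r+b" if request_write else "rb"
    with open(path, mode) as f:
        return len(f.read())


def clean_file(path, pattern, replacement):
    """A genuine in-place modification, the kind a cleaner performs.
    Returns the number of pattern occurrences replaced."""
    with open(path, "r+b") as f:
        data = f.read()
        count = data.count(pattern)
        if count:
            f.seek(0)
            f.write(data.replace(pattern, replacement))
            f.truncate()
    return count


def demo():
    """Build a constructed stand-in for the flagged executable, then show
    that a write-access open leaves the fingerprint intact while a real
    clean changes it. Returns a dict of the observations."""
    # Constructed sample content (assumption); a real check would point at
    # the executable named in the alert instead of writing a temp file.
    sample = b"MZ" + b"\x00" * 62 + b"FAKE-PAYLOAD-MARKER" + b"\x90" * 200
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.exe")
        with open(path, "wb") as f:
            f.write(sample)

        baseline = fingerprint(path)
        scan_file(path, request_write=True)   # R/W open, read only
        after_scan = fingerprint(path)

        # Same-length replacement, so only the content hash moves.
        replaced = clean_file(path, b"FAKE-PAYLOAD-MARKER", b"X" * 19)
        after_clean = fingerprint(path)

    return {
        "unchanged_after_rw_scan": baseline == after_scan,
        "changed_after_clean": baseline != after_clean,
        "size_preserved_by_clean": baseline[0] == after_clean[0],
        "replacements": replaced,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To apply this to the real alert, record `fingerprint()` of the flagged binary before allowing the action, then again afterwards; an identical size and SHA-256 means the open was read-only in effect, whatever access the HIPS reported. Note that on Windows a running executable is image-mapped and normally cannot be written to at all, so a changed hash would point at a modification made while the program was not running.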
  2. ThomasC

    ThomasC Former ESET Support Rep

    Joined:
    Sep 8, 2008
    Posts:
    209
    One reason ESET would attempt to modify an executable is when it is infected. I can only speculate as to what caused the alert from Comodo. Perhaps a false positive due to the virtualization of the file done when advanced heuristics analyzes its behavior before letting it run on the machine, once again only speculation. Certainly a program that allows remote control of the system is going to get scrutinized before it is allowed to run. Rest assured that ESET is not arbitrarily modifying executables.
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    It's the way Comodo operates/interprets some actions. You will see more of these for other files and, as the alert states, if you trust the file doing it, allow it. You should trust your AV. For any further clarification, ask in the relevant Comodo forum.
     