Gumbercules
Paper Tape
Posts: 5
Registered: ‎08-13-2019
Location: US
Views: 817
Message 1 of 10

Uefi, Win 10 v 1903 and Anti Virus

After running the 1903 Win 10 update my Eset Security constantly flags the UEFI partition as a potential risk.

"\\Uefi Partition » UEFI » uefi:\\Volume 1\Firmware Volume Image {20BC8AC9-94D1-4208-AB28-5D673FD73486}\Volume 1\AbsoluteDriver - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until scan completion"

 

Eset is telling me that a BIOS update or Upgrade is needed because of the potential threat of unwanted code being used in the newest hacks.

I've also been told not to worry

 

But every time the system scan runs, I get this flag by Eset. I'm getting real tired of it.

 

Is this a windows problem or should Lenovo do something?

 

Thanks

 

 

Lenovo Staff
Lenovo Staff
Posts: 5,761
Registered: ‎10-29-2009
Location: NC
Views: 743
Message 2 of 10

Re: Uefi, Win 10 v 1903 and Anti Virus

What model PC do you have?

 

I'm not sure what this ESET warning is about, but here is my guess.  Some model PCs have a CompuTrace persistence module that can be turned off in BIOS Setup (in the security menu).  I wonder if this is what ESET is complaining about.

Gumbercules
Paper Tape
Posts: 5
Registered: ‎08-13-2019
Location: US
Views: 737
Message 3 of 10

Re: Uefi, Win 10 v 1903 and Anti Virus

Well, it did not start until the Win 10 1903.

If the Computrace is the issue, why would the Win 10 V1903 trigger it? It was never flagged before.

I'll have to see how to get into the BIOS and turn it off.
I hope turning it off will not screw with anything.

 

Thanks

Community SeniorMod
Community SeniorMod
Posts: 3,382
Registered: ‎12-01-2007
Location: US
Views: 708
Message 4 of 10

Re: Uefi, Win 10 v 1903 and Anti Virus

Hello,

 

Can I ask what model of Lenovo computer you have, and what its BIOS and SMBIOS versions are?  The latter two pieces of information should be available by running System Information (filename: MSINFO32.EXE).

 

As for ESET's software, can you tell us which of their programs you are using (they have several), its version, and the versions of the installed modules?  The program version can be displayed in recent versions of ESET's software by opening the user interface from the system notification tray area and selecting Update in the left navigation pane--the program's version number will show up in the right pane.  The module versions can be found by clicking on the "Show all modules" text below it, and then clicking the Copy button to put it into the clipboard.

 

Regards,

 

Aryeh Goretsky

 



I am a volunteer and neither a Lenovo nor a Microsoft employee.


Gumbercules
Paper Tape
Posts: 5
Registered: ‎08-13-2019
Location: US
Views: 674
Message 5 of 10

Re: Uefi, Win 10 v 1903 and Anti Virus

Attached is a text file with all the info. 

 

I am guessing that the issue is Eset's latest product update is doing an extra scan. I have heard that hackers can insert code in so called protected areas and make bots out of people's computers.

 

Thanks

 

MTM: 80MK002CUS

 

Admin note: s/n removed from attachment to avoid possible abuse, added MTM

Gumbercules
Paper Tape
Posts: 5
Registered: ‎08-13-2019
Location: US
Views: 590
Message 6 of 10

Re: Uefi, Win 10 v 1903 and Anti Virus

I posted a document to the senior Mod but he has not answered back. Please check it out and let me know what you think.

Community SeniorMod
Community SeniorMod
Posts: 3,382
Registered: ‎12-01-2007
Location: US
Views: 520
Message 7 of 10

Re: Uefi, Win 10 v 1903 and Anti Virus

Hello,

I have reached out to an employee I know at ESET asking for more information about this, but have not yet had a response.  As soon as I know more, I shall let you know.

 

Regards,


Aryeh Goretsky




Gumbercules
Paper Tape
Posts: 5
Registered: ‎08-13-2019
Location: US
Views: 503
Message 8 of 10

Re: Uefi, Win 10 v 1903 and Anti Virus

I checked in the BIOS settings and I can either use the UEFI or Legacy Support. 
I'm wondering if this change would cause any issues?

 

Thanks

Community SeniorMod
Community SeniorMod
Posts: 3,382
Registered: ‎12-01-2007
Location: US
Views: 486
Message 9 of 10

Re: Uefi, Win 10 v 1903 and Anti Virus

Hello,

 

I am still waiting to hear back from ESET.  Until they respond, I would suggest not making any changes to BIOS (UEFI) firmware settings as it could complicate things.

 

Regards,

 

Aryeh Goretsky

 




Community SeniorMod
Community SeniorMod
Posts: 3,382
Registered: ‎12-01-2007
Location: US
Views: 409
Message 10 of 10

Re: Uefi, Win 10 v 1903 and Anti Virus

[Made some small edits to language for clarity.  20190828-2339GMT. AG]

 

Hello,

 

Sorry for the delay in a reply, but I wanted to make certain I understood what was going on and give an accurate response.  Because this is something that may affect other users as well, I am going to try to give as thorough an explanation as possible, which may cover some things of which you are already aware.  For that, I do apologize in advance for the long reply.  Before that, though, I would just like to remind you (and anyone else reading this) that I am a volunteer here in Lenovo's peer-to-peer support forum, not one of their employees, so my response should not be considered an official response by Lenovo, but rather based on my own knowledge and experience working with Lenovo's systems, plus what I have been able to learn about ESET's software.  I am speaking solely (and, perhaps, inaccurately at times) for myself.

 

I would like to begin by discussing Potentially Unsafe Applications, which, despite having 2/3rds of the same words in the phrase as the more-commonly heard about Potentially Unwanted Applications, are something that's a little bit different.  ESET provides a short definition of Potentially Unsafe Applications in their VirusRadar glossary at https://www.virusradar.com/en/glossary/pua, which states:

 

A Potentially Unsafe Application is one that is in itself legitimate (possibly commercial) software but which might be misused by an attacker. Detection of these types of application can be enabled or disabled by users of ESET software.

That short description comes from inside of a larger glossary entry on Potentially Unwanted Applications, which, unfortunately, abbreviates the same way as Potentially Unsafe Applications.  To make life a little simpler, I will be referring, for the purposes of this post only, to Potentially Unwanted Applications as PUA, and Potentially Unsafe Applications as PUSA.

 

There is a slightly-longer description of PUSAs in the ESET Glossary at https://help.eset.com/glossary/en-US/unwanted_application.html?unsafe_application.html.  It states the following:

 


There are many legitimate programs whose function is to simplify the administration of networked computers. However, in the wrong hands, they may be misused for malicious purposes. ESET provides the option to detect such applications.

Potentially unsafe applications is the classification used for commercial, legitimate software. This classification includes programs such as remote access tools, password-cracking applications, and keyloggers (a program that records each keystroke a user types).


That gives a little more detail, and gives us a better idea of what PUSAs are:  Otherwise legitimate programs that, if they fell into the wrong hands, could affect the confidentiality, integrity, availability or reliability of a computing device (my words, by the way, and not Lenovo's).

 

So, with that huge preamble now over with, what does Absolute Software's Computrace do, and why is it being detected as a PUSA by ESET?

 

Well, Absolute Software is the creator of Computrace, which is an anti-theft program that comes pre-installed on (or perhaps in might be a better term) many brands and models of computers, including some from Lenovo.  The reason for bringing up how it is pre-installed is that while a portion of Computrace's code does reside on the computer's drive, another portion of it resides in the computer's BIOS or UEFI chip as a part of what is known as the computer's firmware.  The BIOS or UEFI is firmware that initializes and performs some tests of the computer's hardware between the time the computer is turned on and the time it begins to load the operating system.  From a persistence perspective, this is actually a pretty good idea:  It means that if you remove the drive from a computer and wipe it, the anti-theft program will still be on the computer and capable of running.

 

[By the way, I should mention that Absolute Software re-branded Computrace and calls it LoJack for Laptops, but because of how it still appears on the computer and how it is identified by ESET, I will continue to refer to it by the Computrace name.]

 

So, with what we now know about ESET's classification for Potentially Unsafe Applications and Absolute Software's Computrace, what is going on with ESET's detection, you might ask.  Well, that leads us to the next piece of the puzzle....

 

In 2018, ESET's researchers discovered a rootkit inside of a computer's UEFI firmware.  This rootkit was introduced into the UEFI firmware through a vulnerability in older versions of the Computrace program.  Because of this, they called the UEFI rootkit LoJax, and ESET published a blog post here and a press release here discussing it.  I am not going to get into a discussion of what LoJax does or may have been used for, but I will mention that both Arbor Networks and Kaspersky Lab were investigating this and discovered parts of the rootkit as well.  I will also note that this UEFI rootkit was a very, very targeted piece of malware: the kind of thing that a determined adversary would use.  As much as I hate the term because of how it is misused, this is an actual bona-fide example of an Advanced Persistent Threat (APT).  It's also the kind of thing that is going to be exceedingly rare.  Frankly, given the attention drawn to it, I would be surprised if LoJax' creators were still using it and hadn't already abandoned it.

 

Anyway, although the computer is never likely to encounter the LoJax rootkit, it does have an older version of the Computrace program on it, which is vulnerable to compromise through the exploitation chain used to implant the LoJax rootkit.  Because of this, no matter how improbable it is likely to occur, ESET is detecting vulnerable versions of Computrace as a Potentially Unsafe Application, which I would like to circle back around to, again.

 

One thing I did not mention before about PUSAs is that their detection is, in fact, optional in ESET's software.  You can toggle detection of PUSAs on and off.  As a matter of fact, by default, detection of PUSAs in ESET's software is disabled, and you have to go into the advanced setup of their software to enable it, or turn it back off, again.  A quick search of ESET's knowledgebase revealed a couple of articles discussing how to do this:

 

 

So, with all of that now in mind, what are your options?  As I see it, here are the three that come to mind:

 

1.  You can disable checking for PUSAs, entirely.  It is, after all, an optional check, and the default setting for that option is not to check for them.

 

2.  You can disable detection specifically for the parts of Computrace being detected by ESET.  You can continue to check for other PUSAs, but the detection of Computrace will be ignored and not reported.  The ESET knowledgebase articles above would be a starting point for that, but I would suggest contacting their technical support engineers to go over the steps, just to make sure their software is configured exactly the way you want it to be.

 

3.  You can leave the settings for detection as they are currently set, and continue to see the warning about the PUSA as it currently appears.  That would be the "no further action on anyone's part" scenario.

 

Regardless of what you choose, there is one thing I would suggest that you do, and that's to contact Lenovo technical support over the phone, and open a ticket with them about the issue.  As this is a peer-to-peer forum in which I am a volunteer, this is not something I can do on your behalf.  But if people do contact Lenovo and request updated BIOS/UEFI firmware for their computers without the vulnerable version of Computrace installed, perhaps Lenovo will make updated firmware available to them.

 

By the way, if you want to read more about how ESET thinks about Potentially Unwanted Applications and Potentially Unsafe Applications, they have a white paper on their blog here discussing them in detail.  It's several years old so doesn't get into situations like this one, but perhaps the author will update it someday to do so.

 

I hope I have answered your questions, if you have any further ones, please feel free to reply.

 

Regards,

 

Aryeh Goretsky

 



I am a volunteer and neither a Lenovo nor a Microsoft employee.
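As an added example (not from the thread, from ESET, or from Lenovo), here is a small parser for the detection line quoted in the first post: it splits out the scanner, object path, firmware-volume GUID, detection name and category, and buckets a firmware-resident Potentially Unsafe Application the way the reply above handles it (a firmware-update question for the vendor, not a malware cleanup). The line layout is assumed from that single quoted line, and all function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the detection line quoted in the first post of the thread.
SAMPLE_LINE = (r"\\Uefi Partition » UEFI » uefi:\\Volume 1\Firmware Volume Image "
               r"{20BC8AC9-94D1-4208-AB28-5D673FD73486}\Volume 1\AbsoluteDriver - a variant of "
               r"EFI/CompuTrace.A potentially unsafe application - action selection postponed until scan completion")
# Suffixes ESET appends to the detection name (the thread distinguishes unsafe from unwanted).
CATEGORIES = ("potentially unsafe application", "potentially unwanted application")
# Layout assumed from that single line: [<object> » <scanner> » ]<path> - <detection> - <action>
LINE_RE = re.compile(r"^(?:(?P<target>.+?) » (?P<scanner>[^»]+?) » )?"
                     r"(?P<path>.+?) - (?P<detection>.+?) - (?P<action>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Detection:
    scanner: Optional[str]  # "UEFI" for firmware-volume hits, None for file-system hits
    path: str  # object path exactly as ESET reports it
    name: str  # detection name, e.g. EFI/CompuTrace.A
    category: Optional[str]  # one of CATEGORIES, or None for a plain malware detection
    action: str
    firmware_volume_guid: Optional[str]
    component: str  # last path element, e.g. AbsoluteDriver

def parse_detection(line: str) -> Optional[Detection]:
    """Split one ESET detection line into fields; None if it does not fit the layout."""
    m = LINE_RE.match(line.strip().strip('"').strip())
    if not m:
        return None
    detection = m.group("detection").strip()
    category = next((c for c in CATEGORIES if detection.lower().endswith(c)), None)
    name = detection[:-len(category)].strip() if category else detection
    name = re.sub(r"^a variant of\s+", "", name, flags=re.IGNORECASE)
    path, guid = m.group("path"), GUID_RE.search(m.group("path"))
    return Detection(scanner=m.group("scanner"), path=path, name=name, category=category,
                     action=m.group("action").strip(), component=re.split(r"[\\/]", path)[-1],
                     firmware_volume_guid=guid.group(0) if guid else None)

def is_firmware_resident(d: Detection) -> bool:
    """True when the flagged object sits in a UEFI firmware volume rather than on the disk."""
    return d.scanner == "UEFI" or d.path.lower().startswith("uefi:")

def triage(d: Detection) -> str:
    """Bucket a hit as the reply above does: a firmware PUSA means asking the vendor for updated firmware."""
    if d.category == CATEGORIES[0] and is_firmware_resident(d):
        return "firmware-pusa"
    if d.category:
        return "optional-detection"
    return "threat"
```

Run over a full ESET scan log, the "firmware-pusa" bucket is the set of hits that no exclusion or cleanup fixes and that belong in a ticket with the hardware vendor.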
