Eraser 6.0.7.1893 - Screen Logger detected

lonewolf

New Member
I've just freshly re-installed yesterday my WinXP Pro SP3 O/S and am putting my utilities and programs back on.

My Firewall/Program Guard, Tall Emu's Online Armor, suddenly after an MS Auto-update session reboot decides that Eraser has a Screen Logger.

My AV scans show nothing - AVG, Avast, Ad-Aware and an online scan from Trend's Housecall.

I'm not particularly worried, but it is puzzling. I've used Erase for about a year with no troubles other than some slight crashes in W7.

Added attachment is screen-capture of the warning alert.

log file said:
Created: 30/10/2010 13:55:35
Summary: Keylogger detected: Eraser.exe
Description: C:\Program Files\Eraser\Eraser.exe
Event type: Keyboard logger
Event action: Blocked
Here is their info on the file :
http://www.online-armor.com/oasis2/repo ... 89C716A599

How should I proceed?
 

Attachments

DavidHB

Active Member
Assuming that you downloaded Eraser from a trusted site (the Eraser Page on heidi.ie being the obvious one, but you can also go direct to SourceForge), the detection is a false positive.

Eraser uses root certificates to validate the plug-ins it uses (no-one would want a program like Eraser to use a rogue plug-in!). On first use, it calls the Windows routine that checks the validity of the installed certificates, and that routine 'calls home' to do the validation. This only needs to happen once, but it will try again if is blocked. A classic case of a security program blocking a Windows security feature. You need to tell Online Armor that this is a trusted application.

David
 

Joel

Active Member
According to OASIS:
What does Eraser.exe do?

Autorun - automatically runs every time you start your computer
Cache
DnsApiUse
EnumerateFiles
ExecutableCreate
Installer - Installs software on your computer.
KeyLogger - Capable of reading keystrokes from the keyboard. Can potentially log them if malicious
Process - a process that runs on your computer
ProcessStart
RemoteCode
StartWithParams
I'm not sure if they are using an authentic copy of Eraser in the first place. Certain characteristics are true but others seem to be misinformed or just not there
  • Autorun: for scheduling, and the user is aware of it.
  • Cache -- I don't know what this refers to
  • DnsApiUse -- the only internet capability of Eraser for 6.0 is the update checker and the certificate validation at the start of the program. 6.2 Adds a crash reporting component which does have a screenshot capability but that information is only sent when the user authorises the report.
  • EnumerateFiles -- standard file erasure behaviour and self explanatory
  • ExecutableCreate -- if I understand this Eraser will create executables. This behaviour only is used by the updater (for downloading updates)
  • Installer -- self explanatory
  • Keylogger -- this is interesting. If its meant that Eraser will store keystrokes, I am sure that I've not any code like this. Eraser however does use certain things (e.g. mouse positions) for entropy gathering (seeing the random number generator) so that there is sufficient randomness when it is required for, e.g. erasing files
  • Process, ProcessStart, StartWithParams -- Eraser is a program (yes), it starts (yes), and it starts using command line parameters (for the system startup to determine if it is a normal start up or a "restart" startup, to trigger the running of "run at restart" tasks)
  • RemoteCode -- only for Inter process communications, e.g. context menu

Let me know if any points need clarification.
 

lonewolf

New Member
Yeah, I always download from original sources - or at the very least sites like download.com that are known to be trustworthy.

Like I said in my post, I'm not particularly worried about your product, but it is puzzling that the program guard suddenly started flagging it...after about a year...

I'll pass it on to them and advise it's a false alarm, thanks.
 

Joel

Active Member
Thank you :)
 
Top