0xDEADBEEF

Members
  • Content count

    118
1 Follower

  1. Is this file malicious or not

    Hmm, alright, I will submit it if I get an unzipped sample. Plus, I hope ESET can consider putting coinminer detection in the potentially unwanted category. "Potentially unsafe" is sometimes too annoying, but "potentially unwanted" is tolerable. There are a lot of users who don't want detection as strict as "potentially unsafe" but still want to block miner scripts.
  2. Is this file malicious or not

    I really hope zh-cn clients can detect flystudio.packed (or at least provide a switch if FP is a concern). Threats of this category are very popular in China, but zh-cn and zh-tw version clients don't detect this category as PUA. Legitimate software using flystudio is so rare that detecting all of it as PUA, as the English version does, shouldn't be a big deal for ordinary users. BTW, another MBR locker ESET missed. SHA256: c050c6122d1ac7a59e0735b646a2543ebd13bbd8e2a602cafc13eaea0df341c8 I don't have this sample, but I assume ESET might be able to get it. https://www.virustotal.com/#/file/c050c6122d1ac7a59e0735b646a2543ebd13bbd8e2a602cafc13eaea0df341c8/detection
  3. Is this file malicious or not

    Cool. Two unrelated questions: 1) Why does ESET currently put coinminer scripts in the potentially unsafe application category, which is off by default? 2) Is there a way to enable PUA flystudio.packed detection on a zh-cn language endpoint client?
  4. Is this file malicious or not

    Sounds interesting
  5. Is this file malicious or not

    Alright, now I know how low the priority of GUI submission is. Thanks for the clarification. If the sample submitted through email is clean, will I get feedback? How about very large samples that cannot be sent through email?
  6. If you turn on the detection of "potentially unsafe application", ESET will detect the miner script. Not sure why this is in "potentially unsafe" but not "potentially unwanted".
  7. Is this file malicious or not

    Does it mean the right-click submission will not work? I submitted the sample through the right-click menu with my email and description around Nov 8, 11:00pm CST, and it said the sample was submitted to ESET.
  8. Is this file malicious or not

    There is a sampling bias here: the thing I have posted here is sort of an uncommon case for ESET (<5% of the fresh new samples I collected personally). My personal experience is that the more popular the threat is, the less likely it will slip through ESET's defense (assuming no glitches on their cloud backend). Perhaps LiveGrid and human analysis prioritize more popular threats first. For the sample in this thread, the reputation in LiveGrid was still unknown when I first got the sample, so I assume the exposure is still low on other endpoints. But of course, the reaction speed for this sample is way too slow from my personal view. In ordinary cases, the fresh samples I have encountered are usually at least blocked by LiveGrid. I have also seen cases where, ~20 minutes after I ran certain samples that bypassed ESET, LiveGrid started to blacklist the sample, which cannot be reflected on VirusTotal. But as you can see, no security solution is perfect. A false sense of being 100% secure will be disastrous when one encounters brand new samples which can quickly replicate to other machines (e.g. WannaCry), unpopular samples (e.g. threats targeting countries where ESET has few endpoints deployed), custom-made samples for specific targets (which are nearly impossible to make exhibit malicious behavior in an auto analysis pipeline), and other special cases which nearly no one can avoid (e.g. the CCleaner incident). Since it is sometimes hard to know whether you are on the majority or minority side, the general guideline is to always be cautious when treating unknown files, mails, and websites, even with top-tier antivirus products installed. And my personal suggestion to ESET is that I would like to see at least some feedback for sample submissions. I have never got feedback for my submissions and sometimes felt frustrated.
    For the samples that are not flagged by ESET days after my submission, I was sometimes not sure if they were indeed clean, or simply didn't catch enough attention, like the one in this thread.
  9. Is this file malicious or not

    Well, at the same time BD and KIS reacted very rapidly after the initial exposure. ESET should be compared with top-tier products. I would understand the slow response if there were some nuances in this sample, though. Otherwise, two days after receiving the phishing mail is not very responsive anyway. It is even after Mediafire, the source of the malicious file, withdrew the file from sharing due to malicious content.
  10. Is this file malicious or not

    Unfortunately, no. I had tested the sample with ESET before submitting it, but it didn't block anything during the whole execution. After submission I repeatedly scanned the sample about every 8 hours, but it was only this afternoon that it started to detect this sample.
  11. Is this file malicious or not

    Ah, Generik detection, two days after my submission.
  12. Is this file malicious or not

    Hmm... If it is indeed malware, I'd be surprised that ESET still doesn't add detection days after the sample submission.
  13. Is this file malicious or not

    This originally comes from a potential phishing mail (so, social-engineering-wise, it is already suspicious enough). It is exhibiting some very suspicious behavior, like VBS drop, adding autostart, querying security products and UUID, and writing files to sensitive paths... But I am not sure if these are enough to be categorized as "malicious". Most detections of this file on VT are either machine learning/heuristic and generated by auto pipelines; no concrete signature detections so far, though. On VT, the first detection was by Kaspersky, Bitdefender and Cyren, followed by Avast and Avira. I have been waiting for ESET's verdict for two days, and we will see.
  14. SHA1: 19eee9336a4527eb76cd2ac69321727f159ad057 I submitted this to ESET yesterday, but it has not been added to detection so far. Meanwhile, the detection on VT is increasing. It is exhibiting some suspicious behavior, but I feel it is a bit strange. Is this file malicious?
  15. v7 release info?

    Will HIPS wildcard be supported in v7?