SeriousHoax

Everything posted by SeriousHoax

  1. Yeah, it needs to be analyzed manually. I don't need replies as long as submitted samples get added to the database. Well, I have waited 2 weeks, which is long enough. Too long, I would say.
  2. I can only say what I experience myself. Talking about malware submission experience, I sent this sample to ESET more than 2 weeks ago, on 12 August, but I have neither heard back nor has a signature been created yet. LiveGuard gave it a safe verdict, but it's not safe. If possible, please improve the processing of samples submitted by users. VT link of the sample: VirusTotal - File - d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd
  3. He submitted samples many times before and got responses too, more or less, so I'm sure he knows how to send them. I don't submit a lot, but even in my experience, it has been extremely bad for a while. I've tried different emails too a few times, but it didn't improve the experience much. Besides, I don't remember ESET ever adding phishing sites that I submitted via that dedicated website to their database. I've stopped submitting samples to ESET so as not to waste my time. Nowadays, the main way to make ESET add detection is to share VT links here on the forum.
  4. Based on the personal experience of @AnthonyQ and myself with LiveGuard's not-so-stellar performance, it seems our home-user LiveGuard only performs the Level 1 analysis in the cloud that's described here: https://help.eset.com/elga/en-US/how_detection_layers_work.html Is this correct? I also had the chance to try out ESET Endpoint, where the Level 2 or Level 4 (or both, I forgot which) option was locked for licenses with more seats.
  5. This is different, I think. Pico, aka streaming update, is different. For example, Avast's protection update is entirely based on tiny streaming updates, and they push a full signature update once or twice per day. ESET's small signature size is probably related to its finely optimized engine. Someone official from ESET, like Marcos or someone else, might be able to give an accurate answer. But to answer OP's question, it's not related to the number of signatures. ESET's small signature size doesn't mean it detects less malware.
  6. As itman said, no AV might be able to remove this UEFI threat since it's part of the hardware firmware. But I'm curious to know what other products actually consider this malware. AVs that I'm sure have UEFI malware scanning capabilities are Microsoft Defender, Avast, Bitdefender and Kaspersky. Can you share the hash of the detected sample? It should be in the detection log.
  7. This is what ESET says about it: https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection
  8. Very weird from ESET. I wonder what the reason is? F-Secure also detects it since it uses the full Avira SDK (signature + cloud), but F-Secure's detection for some reason doesn't show up in VT most of the time. Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/streaming update. I guess Marcos/someone else saw my comment and reacted promptly.
  9. @Marcos Can you please check this sample? LiveGuard said it's safe, but it has 45 detections in VirusTotal. https://www.virustotal.com/gui/file/e4abd9b47864d4868de2945f573efe301dc77c00df865749b170dfb33e55a3f7/detection
  10. Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.
  11. It must be malicious. Kaspersky wasn't detecting it. Then I submitted it to them an hour ago and got a reply within 20 minutes stating that it's malware and detection will be added. "Hello, New malicious software was found in the requested file. Its detection with verdict Trojan.Win64.Agentb.ktqd will be included in the next update. Thank you for your help. Best regards, Alexander Kryazhev, Malware Analyst" So, if you still want to use this file even after detections from all these top AV vendors, then that's your choice. Use at your own risk.
  12. Outlook works, but it's still not a proper solution since many people just use Gmail. The best thing to do is to have a dedicated website for malware submission. Here's one example: https://submit.norton.com/
  13. It doesn't work. Gmail doesn't let you attach any type of zip file if it contains file types in the above-mentioned formats. If you encrypt the file names in the zip, it doesn't accept that either. This is a big problem. ESET really needs a dedicated website for submitting samples, like almost all other vendors have. I don't understand how come they don't have one.
  14. Once again, ESET didn't take part in the ransomware test done by AV-Test. This makes it look like ESET is afraid to take part in this test because they know very well that their product is weak against ransomware. https://www.av-test.org/en/news/26-security-solutions-undergo-an-advanced-threat-protection-test-against-ransomware/
  15. After further testing, it seems it's not a bug. The Microsoft Defender service stays dormant when a third-party AV is installed, with no CPU or disk usage. After system boot-up, almost all AV products take a few minutes to register in Windows Security as the main AV. It seems Microsoft Defender acts as the main AV for those couple of minutes and even updates signatures when it can. When a third-party AV like ESET is registered in Windows Security, it automatically goes into a suspended state with a low amount of RAM and no CPU or disk usage. Maybe it's by design. Malware often tries to disable Microsoft Defender to get past its protection. So maybe Microsoft has made it hard to stop its services. Maybe now the service is designed to never shut off completely and instead become dormant when third-party products are installed. Even tools like Defender Control can't shut it off for long. The service returns. Looks like that's how it's going to be from now on. Of course, I could be wrong. This is just my assumption based on my couple of days of experiments.
  16. I noticed that even when a third-party AV is installed and registered in Windows Security on Windows 11 22H2, which is now available on the Beta and Release Preview channels, Microsoft Defender's Antimalware Service still keeps running. It looks like it kind of runs in a hibernation mode, but I do see it using CPU sometimes. It also updates definitions a couple of minutes after system boot. It's not just with ESET. I tried other AV products, and it's the same result. I'm wondering if Microsoft has changed something regarding this? Is this going to be the norm now? Or is it up to the AV vendors to change something to permanently shut off Defender? I guess ESET is already testing their products on 22H2 since it's already on the Release Preview build. Can you provide any info regarding this behavior? Without knowing the reason, it has become complicated for me to install ESET on the 22H2 Release Preview build.
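The hand-over the two posts above describe (Defender acting as the main AV for the first minutes after boot, then dropping to a dormant state once the third-party product registers) can be checked directly rather than inferred from Task Manager. The script below is an added example, not code from the original posts, from ESET or from Microsoft. It lists what Windows Security Center has registered and reports the state of Defender's own service and engine process. It assumes a Windows 10/11 host with the built-in Defender PowerShell module, run from an elevated prompt; the productState bit decoding is the undocumented community interpretation of that field rather than anything Microsoft publishes, and AMRunningMode is only present on recent Defender builds.

```powershell
# Added example (not from the forum posts). Shows which AV Windows Security
# Center currently considers registered and whether Defender's engine is
# running, passive or stopped. Run as Administrator on Windows 10/11.

function Get-AvRegistrationState {
    # Security Center keeps one AntiVirusProduct instance per registered
    # engine, including Defender itself, in the root/SecurityCenter2 namespace.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName 'AntiVirusProduct' -ErrorAction Stop
    foreach ($p in $products) {
        # productState is undocumented; this decoding is the community
        # interpretation (assumption): bits 12-15 = on/off (0x1000 = on),
        # bits 4-7 = definition status (0x10 = out of date).
        $state = [int]$p.productState
        [pscustomobject]@{
            Product     = $p.displayName
            Enabled     = (($state -band 0xF000) -eq 0x1000)
            Definitions = if (($state -band 0xF0) -eq 0x10) { 'Out of date' } else { 'Up to date' }
            Timestamp   = $p.timestamp
        }
    }
}

function Get-DefenderEngineState {
    # WinDefend is the Microsoft Defender Antivirus service and MsMpEng.exe is
    # its engine process. Both can exist while a third-party AV is registered,
    # which is the behaviour the posts observed.
    $svc  = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $proc = Get-Process -Name 'MsMpEng' -ErrorAction SilentlyContinue | Select-Object -First 1
    $mp   = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Sampled               = Get-Date
        ServiceStatus         = if ($svc) { $svc.Status } else { 'Not present' }
        EngineProcessRunning  = [bool]$proc
        EngineWorkingSetMB    = if ($proc) { [math]::Round($proc.WorkingSet64 / 1MB, 1) } else { 0 }
        # 'Normal', 'Passive Mode', 'SxS Passive Mode' or 'EDR Block Mode' on
        # current builds; older builds do not expose the property at all.
        AMRunningMode         = if ($mp -and $mp.PSObject.Properties['AMRunningMode']) { $mp.AMRunningMode } else { 'Unknown' }
        RealTimeProtection    = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }
        SignaturesLastUpdated = if ($mp) { $mp.AntivirusSignatureLastUpdated } else { $null }
    }
}

# Sample once right after logon and again after the third-party AV has had
# time to register with Security Center; adjust the delay to taste.
$before = Get-DefenderEngineState
Start-Sleep -Seconds 180
$after  = Get-DefenderEngineState

'Registered AV products:'
Get-AvRegistrationState | Format-Table -AutoSize
'Defender engine state (before / after):'
$before, $after | Format-Table -AutoSize
```

If the second sample shows the third-party product as Enabled in Security Center while WinDefend is still Running, AMRunningMode is the field that tells you whether Defender has actually stepped back into passive mode or is still scanning in parallel.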
  17. As the title says, it's a fake site that's being delivered through Google Ads. So it should be blocked by ESET to prevent users from visiting it. hxxps://afterburner-overclock.org/en/Afterburner.html The downloaded file is blocked by ESET by a Generik signature: https://www.virustotal.com/gui/file/b8bdd46efe5ef91bf17074e13a992e14729be9e4cab108fe43a1a8e32fd09da7
  18. ESET blocked it after my submission here. But I agree with @peteyt. ESET should outright block it.
  19. Ok, so ESET didn't detect it only for users living in China? That's interesting.
  20. I think the issue is not the programming language. The problem is that this ransomware was not initially picked up by either ESET locally or the LiveGuard cloud sandbox, which is a matter of concern. More so for customers who are paying extra for ESSP.
  21. Submitted this to ESET yesterday, but it hasn't been added to the blacklist yet. Kaspersky has already added it after my submission. hxxps://bitvex(.)org/ In the news: https://www.bleepingcomputer.com/news/security/elon-musk-deep-fakes-promote-new-cryptocurrency-scam/
  22. It wasn't sent automatically. But when I did it manually via the ESET GUI, it was sent to LiveGuard. Before that, I submitted it to the email address. Another user I know also submitted it, but nothing from ESET yet.
  23. Tested it yesterday and today. Not working for me. The pre-release module didn't change the behavior on my system. The site generates a new file with a different hash every single time, so the file being tested is not exactly the same. Every single downloaded file on my system is not being sent automatically to LiveGuard for some reason.