SeriousHoax
-
Posts
361 -
Joined
-
Last visited
-
Days Won
10
Posts posted by SeriousHoax
-
-
1 hour ago, Nightowl said:
ESET uses Pico updates which are very small updates to the modules/signatures in short times , which will not cause a big update after a while.
This is different, I think. Pico aka streaming update is different. For example, Avast's protection update is entirely based on tiny streaming updates, and they push a full signature update once or twice per day.
ESET small signature size is probably related to its finely optimized engine. Someone official from ESET like Marcos or someone else might be able to give an accurate answer.
But to answer OP's question, it's not related to the amount of signature. ESET's small signature size doesn't mean it detects less malware.
-
As itman said, no AV might be able to remove this UEFI threat since it's part of the hardware firmware.
But I'm curious to know what other products actually consider this a malware. AVs that I'm sure has UEFI malware scanning capabilities are Microsoft Defender, Avast, Bitdefender and Kaspersky.
Can you share the hash of the detected sample? It should be in the detection log.
-
This is what ESET says about it:
https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection
-
45 minutes ago, itman said:
It now has 46 detections and Eset still doesn't detect it. The only other major AV not detecting it is F-Secure.
Very weird from ESET. I wonder what's the reason? F-Secure also detects it since it uses full Avira SDK (signature+cloud) but F-Secure's detection for some reason doesn't show up in VT most of the time.
Edit: It's now detected as suspicious. So, a cloud aka LiveGrid block/stream update. I guess Marcos/someone else saw my comment and reacted promptly.
-
@MarcosCan you please check this sample? LiveGuard said it's safe, but it has 45 detections in VirusTotal.
-
11 hours ago, itman said:
Did you verify that the file was actually sent to LiveGuard? The Eset Sent log entry should show a file of approx. 2.19 MB.
Yeah, I did. It was sent, the file was blocked initially, and a verdict was received within a few minutes.
-
40 minutes ago, itman said:
Eset still doesn't detect the above file at VT. I have a theory on what might be going on here.
At the time of your download, the file was previously submitted to Eset cloud. The file is still under evaluation by the VirusLab.
Since the file had been previously submitted, LiveGuard did not submit it again. LiveGuard however did query the Eset cloud for a status on this file and could not obtain one - safe or malicious. The file subsequently just sat in the cloud until it timed out.
If my theory is correct, Eset needs to return a suspicious verdict to the submitted device along the line of "Suspicious - currently under VirusLab review" and quarantine the file. Once the file verdict has been rendered and if its a safe one, Eset restores the file from quarantine; this part is where "the Eset rub" lies.
LiveGuard now gives this file a safe verdict.
-
It must be malicious. Kaspersky wasn't detecting it. Then I submitted to them an hour ago and got a reply with 20 minutes stating that it's a malware and detection will be added.
Hello, New malicious software was found in the requested file. Its detection with verdict Trojan.Win64.Agentb.ktqd will be included in the next update. Thank you for your help. Best regards, Alexander Kryazhev, Malware AnalystSo, if you still want to use this file even after detections from all these top AV vendors, then that's your choice. Use at own risk.
- notimportant, peteyt and itman
-
3
-
3 hours ago, Veremo said:
If gmail doesn't work for you.. just use different email provider (what about outlook.com ?)
Outlook works, but still not a proper solution since many people just use Gmail. The best thing to do is to have a dedicated website for malware submission.
Here's one example: https://submit.norton.com/
-
1 hour ago, itman said:
Refer to this Eset Knowledge base article: https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab . Of note:
It doesn't work. Gmail doesn't let you attach any type of zip file if the file contains file types of the above-mentioned formats. If you encrypt file names of the zip, then it doesn't accept that either. This is a big problem. ESET really needs a dedicated website for submitting samples like almost all other vendors have. I don't understand how come they don't have any.
-
Once again, ESET didn't take part in the ransomware test done by AV-Test. This make it look like ESET is afraid to take part in this test because they know very well that their product is weak against ransomware.
-
After further testing, it seems it's not a bug. Microsoft Defender service stays dormant when third party AV is installed with no CPU or disk usage. After system boot up almost all AV products takes a few minutes to register into Windows Security as the main AV. It seems Microsoft Defender acts as the main AV for those couple of minutes and even updates signatures when it can. When third party AV like ESET is registered into Windows Security, it automatically turns into a suspended state with low amount of ram and no CPU and disk usage.
Maybe it's by design. Malware often tries to disable Microsoft Defender to get past its protection. So maybe Microsoft has made it hard to stop its services. Maybe now the service is designed to never shut off completely and instead becomes dormant when third party products are installed. Even tools like Defender Control can't shut it off for long. The service returns. Looks like that's how it's going to be from now on.
Of course, I could be wrong. This is just my assumption based on my couple of days of experiments.
-
I noticed even when a third party AV is installed and registered on Windows Security in Windows 11 22H2 which is now available on the Beta and Release Preview channel, Microsoft Defender's Antimalware Service still keeps running. Looks like it kind of runs in a hibernation mode, but I do see it using CPU sometimes. It also updates definition a couple of minutes after system booting. It's not just with ESET. I tried another AV products, and it's the same result.
I'm wondering if Microsoft has changed something regarding this? Is this going to be the norm now? Or is it up to the AV vendors to change something to permanently shut-off Defender?
I guess ESET is already testing their products on 22H2 since it's already on the Release Preview build. Can you provide any info regarding this behavior? Without knowing the reason, it has become complicated for me to install ESET on 22H2 Release Preview build.
-
As the title says, it's a fake site that's being delivered through Google Ads. So it should be blocked by ESET to avoid users from visiting it.
hxxps://afterburner-overclock.org/en/Afterburner.html
The downloaded file is blocked by ESET by a Generik signature:
https://www.virustotal.com/gui/file/b8bdd46efe5ef91bf17074e13a992e14729be9e4cab108fe43a1a8e32fd09da7
-
22 hours ago, shocked said:
it's reported as potentially unwanted software.
by blacklist you mean block access to the website entirely?
ESET blocked it after my submission here. But I agree with @peteyt. ESET should outright block it.
-
9 minutes ago, Marcos said:
It indeed is. For many other users outside Chine this very sample would have been detected as @ApplicUnwnt.Win32/Packed.FlyStudio.AA even 5 years ago.
Ok, so ESET didn't detect it only for users living in China? That's interesting.
-
1 hour ago, Marcos said:
Correct. The sample had been detected as @ApplicUnwnt.Win32/Packed.FlyStudio.AA for years. The problem is that FlyStudio is a very popular scripting language in China so flagging every FlyStudio file would generate a huge number of false positives there.
I think the issue is not the programing language. The problem is that this ransomware was not initially picked neither by ESET locally nor by the LiveGuard cloud sandbox which is a matter of concern. More so for customers who are paying extra for ESSP.
-
Submitted this to ESET yesterday but hasn't been added to the blacklist yet. Kaspersky have already added after my submission.
On the news:
https://www.bleepingcomputer.com/news/security/elon-musk-deep-fakes-promote-new-cryptocurrency-scam/
-
2 hours ago, itman said:
Eset still doesn't detect it by signature . It's a Cobalt Strike beacon. Not good ...............
Was this uploaded to LiveGuard cloud upon download? If so, was the verdict safe?
-EDIT- My best guess at this point is Eset cloud would have returned a safe verdict based on a prior Joe's Sandbox analysis 48% malware confidence factor rendering:
It wasn't sent automatically. But when I manually did via ESET gui it was sent to LiveGuard. Before that, I submitted to the email. Another user I know also submitted, but nothing from ESET yet.
-
1 hour ago, itman said:
Tested it yesterday and today. Not working for me. Pre-release module didn't change the behavior on my system.
15 minutes ago, New_Style_xd said:From what I've seen you have the same file being tested. you have to check if the file is really with problems. because for @itman it worked.
Take the test again.The site generates a new file with different hash every single time. So the file that's being tested is not exactly the same. Every single downloaded file on my system is not being sent automatically to LiveGuard for some reason.
-
It seems even the pre-release update didn't fix the LiveGuard issue for me. When I download the file from here: https://demo.wd.microsoft.com/page/BAFS ESSP don't automatically send it. But right-clicking the file shows that the file is blocked and ESET only sends it when I try to open the file. Also tested with another malware that was in a zip file. Upon extracting, it wasn't automatically sent to LiveGuard. Maybe because LiveGuard already seen it before or part of this bug? I don't know. I submitted this sample to ESET but got no reply and no detection was added. Don't know if it's corrupted or not. Detected by many other products:
VirusTotal - File - e6a97492f6c1163dfd77113ad51992f5388a9442cf0388a174302948ea90f609
-
5 minutes ago, itman said:
The domain is hosting SEOSpam malware. Refer to this Quttera report: https://quttera.com/detailed_report/tinyurl.is
Are these all loaded on their homepage?
-
12 minutes ago, Marcos said:
Hard to say what it does, it's heavily obfuscated. ESET is not the only AV to detect it.
https://www.virustotal.com/gui/file/f039f277d215ea89643d6790eaf0c238e4ec93d98f5ac3727a060ce56f766fa6
Yeah, I have seen that too. Interesting. But as far as I know, none of these AV which has detected it has HTTPS scanning in their home product, so they won't detect the script in the browser like ESET.
But anyway, as I asked, Is there a way to make ESET block the script on the site but still let me visit it?
-
Hello! So, ESET detects a script loaded on this site: "https://tinyurl.is/AnVh?sport=soccer" and completely blocks me from accessing it.
What type of script is this one and how dangerous is this?
Kaspersky's analyst responded that the URL contains some links to sports site which are not malicious and the attached html file like this one: VirusTotal - File - 6b5d20a1e7ec6df5e6fe384cdf77add1c0dc9207dceb738c0106f13bba9750a4 doesn't contain any malicious code. Though it has quite a few detections on VT. Bitdefender added after my submission and seems to be a bad hash-based signature.
Anyway, is it anything serious? Is there a way to make ESET block the script but still let me visit the website? I tried the found malware is ignored exception. It lets me visit the site, but ESET don't block anything on the site.
LiveGuard can automatically block a suspicious file but cannot upload it to the cloud
in ESET Internet Security & ESET Smart Security Premium
Posted
Based on personal experience of @AnthonyQand myself on LiveGuard's not so stellar performance, it seems our home users LiveGuard only performs Level 1 analysis in the cloud that's described here: https://help.eset.com/elga/en-US/how_detection_layers_work.html
Is this correct?
I also had the chance to try out of ESET Endpoint, where the Level 2 or Level 4 (or both, I forgot which one) option was locked for license with more seats.