AnthonyQ
Everything posted by AnthonyQ
False positive detection (obfuscated file)
AnthonyQ replied to Joth's topic in Malware Finding and Cleaning
I also submitted the sample in question to Symantec. And here are their findings:

Upon further analysis and investigation we have determined that the following file(s) meet the necessary criteria to be detected by our products and, as such, the detection(s) cannot be revoked:
File name: 09430fa20aac3815ba456f4644f41b41073d4994e538797c172c10a19f825b35
MD5: 7ACB4E45D3278C2E4CA04BF277ED4A74
SHA256: 09430FA20AAC3815BA456F4644F41B41073D4994E538797C172C10A19F825B35
Detection: Trojan.Gen.2

Therefore, I think this sample is definitely not a false positive.
Is ESET Research Lab closed on weekends?
AnthonyQ replied to AnthonyQ's topic in Malware Finding and Cleaning
Yeah! I can confirm these two files are now properly detected.
Hi, I wonder if the ESET research lab stopped processing malware sample submissions over the weekend. I've submitted the following undetected samples (neither scanner nor LiveGuard detected them) the day before yesterday (16/7/2022):
https://www.virustotal.com/gui/file/4586118afeb988f5dd8eff89c44c0a9a155caf00788c40cd822debdf44f9e905
https://www.virustotal.com/gui/file/07eff9338b85bf43ec56ea6ee0efe5673849ed57707c1aa93c37eda75e4957e8
However, so far, no detection has been added. I understand that the processing time may take longer on weekends, but taking more than 24 hours to analyze is unacceptable.
I think an automated submission system can reduce labor costs, because this system can help merge duplicate sample submissions and automatically sort and process the samples that have been analyzed by an expert or are known to be harmless. And most importantly, it can improve the submission experience by enabling the submitter to track the status of the submission.
Submissions via the ESET GUI do not receive high priority and can take days or months to be processed by lab experts (in many cases, they won't be processed by lab experts). Last time, I submitted a suspicious Android sample via ESET GUI and got a reply after three months. 🤣
Scheduled Scans
AnthonyQ replied to Aryeh Goretsky's topic in ESET Internet Security & ESET Smart Security Premium
New firewall filtering mode: LiveGrid-based (reputation-based mode): Unlike automatic mode, reputation-based mode uses reputation information from LiveGrid. The firewall automatically allows trusted applications to make outbound connections and notifies users when unknown applications attempt to connect to the Internet.
Malicious driver samples submitted but not processed
AnthonyQ replied to AnthonyQ's topic in Malware Finding and Cleaning
Update: Upon checking, these samples are detected as Rootkit by ESET now.
Hi, I have submitted the following two malicious driver / rootkit samples to samples[at]eset.com for analysis:
https://www.virustotal.com/gui/file/89512dc510da375ed93a2ad340de85b7db7faee1f0fe21c04189e85a140e4970
https://www.virustotal.com/gui/file/ccb8cfde53f6e66736d2b78555cc7aa443452a75e93f5f7818f673f9391d4caa
But so far I haven't received any replies, and no detection has been added. Have these samples been processed? Or has ESET determined that these samples are not malicious? Thanks.
Database update and customer service
AnthonyQ replied to The_Eagle_007's topic in General Discussion
In addition to India, ESET's local partner in China is also slow to respond to requests. In most cases, they won't reply at all.
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
Btw, the detection rate on VT is 25/67 now.
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
Well, that makes sense as well... Then ESET needs to remove that detection?
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
Interestingly, ESET finally added a detection, which I think makes sense because this script is dangerous in nature and definitely not clean.
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
I found this bat sample yesterday. I don't think it is clean because it disables multiple key functions of the OS and renders the PC unusable - it is actually very dangerous. But it may not meet some AV vendors' detection standards. Bitdefender added detection after submission. Symantec said it is not malicious itself, but may be an artifact of a threat. Kaspersky seems to have blacklisted it in the cloud based on sandbox analysis.
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
The main problems of LiveGuard are:
1. Malware refuses to exhibit malicious behaviors in the LiveGuard sandbox due to various reasons.
2. Malware has been coded to exhibit malicious behaviors after a long period of time (long sleep).
3. Malware does show its malicious behaviors, but LiveGuard sees no need for detection.
For the 1st problem, after detecting potential Anti-VM/Anti-Sandbox functionality, LiveGuard should not declare that the sample is CLEAN. Instead, the sample should be marked as Suspicious and automatically sent to the Research Lab for analysis. Meanwhile, LiveGuard should ask the users whether or not to open the file.
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
Using Joe Sandbox or something like that might increase the FP rate, which goes against ESET's zero-FP philosophy. 🤣
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
Clearly, regarding LiveGuard, there is plenty of room for improvement. Another dangerous script (https://www.virustotal.com/gui/file/7a0113a1b29f2047831d3989e1c76479782c6269473a3c6e212a8bfa32281b82) was missed by ESET LiveGuard yesterday. Very obvious ransomware-like behavior, though this sample is not in-the-wild.
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
They are system files belonging to Windows 11 Insider Preview Build 25136. So generally everyone participating in the Windows Insider Program will have these two files on their computer. Although installing 3rd-party AV on a beta version of the OS is not recommended, these two samples are still harmless and legitimate system files, and other famous AV products haven't incorrectly detected them.
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
Although it's the ESET forum, I would still like to point out that the latest version of Kaspersky is very light on system resource usage. In terms of deleting system files, it is ESET that has recently flagged system files as "Suspicious Object" (https://www.virustotal.com/gui/file/38e40668272b48b1502bfdd51667afe2a35e57ebaa47790a7a3a650663ff8bea; https://www.virustotal.com/gui/file/3669d83be517a0620259c71d4ad66211495ac3723e82bfa7ee5630c876a60ceb). This FP issue was fixed after submission.
Scheduled Scans
AnthonyQ replied to Aryeh Goretsky's topic in ESET Internet Security & ESET Smart Security Premium
Agree. Apart from that, add a sample submission function to Virusradar for convenient and traceable malware sample submission.
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
The FP rate is considered by AV-Comparatives to classify tested products. A high enough FP rate will cause a product with a 100% block rate to be classified as "Tested". As such, Norton only got the "Standard" award, even though it blocks all threats. However, let's look at the products awarded "Advanced+": they have very high protection rates yet very low FP rates.
av-comparatives rating
AnthonyQ replied to New_Style_xd's topic in ESET Internet Security & ESET Smart Security Premium
I don't know if ESET is constantly collecting and analyzing undetected samples from VirusTotal. But I do notice that many competitors like Kaspersky, McAfee and Symantec do so. This practice can improve the detection rate. After I sent a fresh malware sample to VirusTotal, it would soon appear on Kaspersky's OpenTip with a sandbox analysis report, but at the same time, the LiveGrid reputation is still unavailable (blank).