AnthonyQ (Member, 133 posts, 3 days won)

Everything posted by AnthonyQ

  1. I also submitted the sample in question to Symantec. Here are their findings:

     Upon further analysis and investigation we have determined that the following file(s) meet the necessary criteria to be detected by our products and, as such, the detection(s) cannot be revoked:
     File name: 09430fa20aac3815ba456f4644f41b41073d4994e538797c172c10a19f825b35
     MD5: 7ACB4E45D3278C2E4CA04BF277ED4A74
     SHA256: 09430FA20AAC3815BA456F4644F41B41073D4994E538797C172C10A19F825B35
     Detection: Trojan.Gen.2

     Therefore, I think this sample is definitely not a false positive.
  2. Yeah! I can confirm these two files are now properly detected.
  3. Hi, I wonder if the ESET research lab stopped processing malware sample submissions over the weekend. I submitted the following undetected samples (neither the scanner nor LiveGuard detected them) the day before yesterday (16/7/2022):
     https://www.virustotal.com/gui/file/4586118afeb988f5dd8eff89c44c0a9a155caf00788c40cd822debdf44f9e905
     https://www.virustotal.com/gui/file/07eff9338b85bf43ec56ea6ee0efe5673849ed57707c1aa93c37eda75e4957e8
     However, so far no detection has been added. I understand that processing may take longer on weekends, but taking more than 24 hours to analyze them is unacceptable.
  4. Just out of curiosity, what does the "_AGen" suffix in a detection name (e.g., A Variant Of Win64/Injector_AGen.AD trojan) mean? Does it mean the detection was created by something like an automated system? 🤔
  5. I think an automated submission system can reduce labor costs, because such a system can merge duplicate sample submissions and automatically sort and process samples that have already been analyzed by an expert or are known to be harmless. Most importantly, it can improve the submission experience by enabling the submitter to track the status of a submission.
  6. Submissions via the ESET GUI do not receive high priority and can take days or months to be processed by lab experts (in many cases, they won't be processed by lab experts at all). Last time, I submitted a suspicious Android sample via the ESET GUI and got a reply after three months. 🤣
  7. Seems like a detection from Avast engine, based on the detection name. Extract the quarantined sample and upload it here.
  8. New firewall filtering mode: LiveGrid-based (reputation-based mode). Unlike automatic mode, reputation-based mode uses reputation information from LiveGrid. The firewall automatically allows trusted applications to make outbound connections and notifies users when unknown applications attempt to connect to the Internet.
  9. Update: Upon checking, these samples are detected as Rootkit by ESET now.
  10. Hi, I have submitted the following two malicious driver / rootkit samples to samples[at]eset.com for analysis:
      https://www.virustotal.com/gui/file/89512dc510da375ed93a2ad340de85b7db7faee1f0fe21c04189e85a140e4970
      https://www.virustotal.com/gui/file/ccb8cfde53f6e66736d2b78555cc7aa443452a75e93f5f7818f673f9391d4caa
      But so far I haven't received any reply, and no detection has been added. Have these samples been processed? Or has ESET determined that these samples are not malicious? Thanks.
  11. In addition to India, ESET's local partner in China is also slow to respond to requests. In most cases, they won't reply at all.
  12. Well, that makes sense as well... Then ESET needs to remove that detection?
  13. Interestingly, ESET finally added a detection, which I think makes sense because this script is dangerous in nature and definitely not clean.
  14. I found this bat sample yesterday. I don't think it is clean because it disables multiple key functions of the OS and renders the PC unusable - it is actually very dangerous. But it may not meet some AV vendors' detection standards. Bitdefender added detection after submission. Symantec said it is not malicious in itself, but may be an artifact of a threat. Kaspersky seems to have blacklisted it in the cloud based on sandbox analysis.
  15. The main problems of LiveGuard are:
      - Malware refuses to exhibit malicious behaviors in the LiveGuard sandbox for various reasons.
      - Malware has been coded to exhibit malicious behaviors after a long period of time (long sleep).
      - Malware does show its malicious behaviors, but LiveGuard sees no need for detection.
      For the first problem, after detecting potential Anti-VM/Anti-Sandbox functionality, LiveGuard should not declare that the sample is CLEAN. Instead, the sample should be marked as Suspicious and automatically sent to the Research Lab for analysis. Meanwhile, LiveGuard should ask the user whether or not to open the file.
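The triage policy argued for in the post above, as an added example (not ESET's LiveGuard logic and not the poster's code): a static pre-check that looks for sandbox-evasion indicators in a sample and, when it finds them, refuses to downgrade a "no malicious behaviour observed" sandbox result to CLEAN, returning SUSPICIOUS instead so the sample can be held and escalated. The indicator strings, the weights and the threshold are illustrative assumptions; the sample bytes are constructed inline.

```python
"""Static evasion-indicator triage (added example; indicator lists, weights
and threshold are assumptions chosen for illustration, not a vendor's rules)."""

# Strings typically left in binaries that probe for a VM or sandbox host.
VM_ARTIFACT_STRINGS = [
    b"VBoxService.exe", b"VBoxGuest", b"vmtoolsd.exe",
    b"VMware", b"SbieDll.dll", b"QEMU",
]
# Imported API names often used for timing / debugger / process checks.
# "Sleep" alone is common in benign code, so it is weighted low below.
EVASION_APIS = [
    b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
    b"NtQueryInformationProcess", b"GetTickCount", b"Sleep",
]


def _utf16(s: bytes) -> bytes:
    """Windows binaries frequently store these strings as UTF-16LE."""
    return s.decode("ascii").encode("utf-16-le")


def find_indicators(data: bytes) -> dict:
    """Return the ASCII- or UTF-16LE-encoded indicators present in the sample."""
    hits = {"vm_artifacts": [], "evasion_apis": []}
    for s in VM_ARTIFACT_STRINGS:
        if s in data or _utf16(s) in data:
            hits["vm_artifacts"].append(s.decode())
    for s in EVASION_APIS:
        if s in data or _utf16(s) in data:
            hits["evasion_apis"].append(s.decode())
    return hits


def triage(data: bytes, sandbox_saw_malicious: bool) -> str:
    """Combine a sandbox verdict with static evasion indicators.

    The key rule: a quiet sandbox run is only trusted as CLEAN when the
    sample does not look like it was trying to notice the sandbox.
    """
    if sandbox_saw_malicious:
        return "malicious"
    hits = find_indicators(data)
    # VM artifacts weigh more than generic API names (assumed weights).
    score = 2 * len(hits["vm_artifacts"]) + len(hits["evasion_apis"])
    if score >= 3:  # assumed threshold
        return "suspicious"  # hold the file, ask the user, escalate to the lab
    return "clean"


# Constructed sample bytes (not real malware): one evasive, one benign-looking.
SAMPLE_EVASIVE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"IsDebuggerPresent\x00Sleep\x00"
    + "vmtoolsd.exe".encode("utf-16-le")
    + b"\x00VBoxGuest\x00"
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 16 + b"hello world\x00Sleep\x00"

if __name__ == "__main__":
    for name, blob in (("evasive", SAMPLE_EVASIVE), ("benign", SAMPLE_BENIGN)):
        print(name, find_indicators(blob), "->", triage(blob, sandbox_saw_malicious=False))
```

The evasive sample is never reported as clean even though the (simulated) sandbox saw nothing, which is exactly the outcome the post asks for; the benign sample, whose only hit is a lone `Sleep` import, still passes.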
  16. Using Joe sandbox or something like that might increase the FP rate, which goes against ESET's zero-FP philosophy. 🤣
  17. Clearly, regarding LiveGuard, there is plenty of room for improvement. Another dangerous script that was missed by ESET LiveGuard yesterday:
      https://www.virustotal.com/gui/file/7a0113a1b29f2047831d3989e1c76479782c6269473a3c6e212a8bfa32281b82
      Very obvious ransomware-like behavior, though this sample is not in the wild.
  18. They are system files belonging to Windows 11 Insider Preview Build 25136, so generally everyone participating in the Windows Insider Program will have these two files on their computer. Although installing a 3rd-party AV on a beta version of the OS is not recommended, these two samples are still harmless, legitimate system files, and other well-known AV products haven't incorrectly detected them.
  19. Although it's the ESET forum, I would still like to point out that the latest version of Kaspersky is very light on system resource usage. In terms of deleting system files, it is ESET that has recently flagged system files as "Suspicious Object":
      https://www.virustotal.com/gui/file/38e40668272b48b1502bfdd51667afe2a35e57ebaa47790a7a3a650663ff8bea
      https://www.virustotal.com/gui/file/3669d83be517a0620259c71d4ad66211495ac3723e82bfa7ee5630c876a60ceb
      This FP issue was fixed after submission.
  20. Agree. Apart from that, add a sample submission function to Virusradar for convenient and traceable malware sample submission.
  21. The FP rate is considered by AV-Comparatives when classifying tested products. A high enough FP rate will cause a product with a 100% block rate to be classified as "Tested". As such, Norton only got the "Standard" award, even though it blocks all threats. However, let's look at the products awarded "Advanced+": they have very high protection rates yet very low FP rates.
  22. I don't know if ESET constantly collects and analyzes undetected samples from VirusTotal, but I do notice that many competitors like Kaspersky, McAfee and Symantec do so. This practice can improve the detection rate. After I sent a fresh malware sample to VirusTotal, it soon appeared on Kaspersky's OpenTip with a sandbox analysis report, while at the same time the LiveGrid reputation was still unavailable (blank).
  23. This Joe Sandbox report refers to another ransomware sample, which is not corrupt and is already detected by ESET as Win32/Filecoder.RagnarLocker.A.