
AnthonyQ

Members
  • Posts

    139
  • Joined

  • Last visited

  • Days Won

    3

Everything posted by AnthonyQ

  1. Although it’s an ESET forum, I still would like to point out that the latest version of Kaspersky is very light on system resource usage. In terms of deleting system files, it is ESET that has recently flagged system files as “Suspicious Object” (https://www.virustotal.com/gui/file/38e40668272b48b1502bfdd51667afe2a35e57ebaa47790a7a3a650663ff8bea; https://www.virustotal.com/gui/file/3669d83be517a0620259c71d4ad66211495ac3723e82bfa7ee5630c876a60ceb). This FP issue has been fixed after submission.
  2. Agree. Apart from that, add a sample submission function to Virusradar for convenient and traceable malware sample submission.
  3. The FP rate is considered by AV-Comparatives to classify tested products. A high enough FP rate will cause a product with a 100% block rate to be classified as "Tested". As such, Norton only got the "Standard" award, even though it blocks all threats. However, let's look at products awarded "Advanced+": they have very high protection rates yet very low FP rates.
  4. I don't know if ESET is constantly collecting and analyzing undetected samples from VirusTotal. But I do notice that many competitors like Kaspersky, McAfee and Symantec do so. This practice can improve the detection rate. After I sent a fresh malware sample to VirusTotal, it would soon appear on Kaspersky's OpenTip with a sandbox analysis report, but at the same time, the LiveGrid reputation is still unavailable (blank).
  5. This Joe sandbox report refers to another ransomware sample which is not corrupt and already detected by ESET as Win32/Filecoder.RagnarLocker.A.
  6. Hi @Marcos, another two samples missed by ESET:
     1. Screen locker + MBR locker (https://www.virustotal.com/gui/file/afbf5da99b569974c5e8ccec0286cb4ed45401cce45b6f6c7f05a3d5565db7f0). Submitted yesterday, but detection is still not added. Sandbox analysis: https://tria.ge/220613-b9zjwshcd5/behavioral1.
     2. Suspicious backdoor (https://www.virustotal.com/gui/file/62e3529e3ed9fd63ca02f139e2ed564ad785e6d546bd402c3cd93ffa1c14d24b).
  7. This sample is indeed corrupt (https://app.any.run/tasks/91032682-65d8-4ba5-9e93-8899b2d592d8/). Joe sandbox's results indicate this sample crashed during analysis. Other vendors may detect corrupt samples because they contain malicious code, which I don't think is a false positive.
  8. Sure! For example, this ransomware (https://www.virustotal.com/gui/file/e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f). ESET's scanner couldn't detect it on 17/5/2022. So I executed it on VM. ESET's ransomware shield was triggered after several seconds, but 700+ test files were unfortunately encrypted. Another ransomware (https://www.virustotal.com/gui/file/11b7a09a345dc9f9f4e8f91211e4d4e05f7773ee34af0411dc6f30cc3dcbe32b). ESET's scanner couldn't detect it on 9/5/2022. So I executed it on VM. ESET's ransomware shield and deep behavior blocker were not triggered and test files were encrypted. Another example, this sample (https://www.virustotal.com/gui/file/6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189), now detected as Win32/Agent.AEIU after submission. I ran this sample on VM and ESET's deep behavior inspection cannot block this malicious behavior.
  9. I believe ESET's equivalent of Kaspersky's System Watcher module is Deep Behavior Inspection and Ransomware Shield. To be honest, in my testing, these two modules are not very effective against ransomware and other types of malware. The Deep Behavior Inspection module has not been updated for several months, showing ESET focuses on signature detection instead of behavior blocking. Although there is nothing wrong with this strategy, I still hope ESET can further improve its behavior blocker module.
  10. After more testing, I find that many JS script samples could not be automatically blocked and analyzed by LiveGuard. For example, this one (https://www.virustotal.com/gui/file/a608783f22317e2964b8adb03345a9ac995979f73c9dfc0d0d5d6a090af9da03), now detected as JS/TrojanDropper.Agent.OOM.
     Another three typical malicious samples bypassed LiveGuard:
     1. https://www.virustotal.com/gui/file/29170db2866b123a1dd16867b991bd098acdebe9a452d33c70825133b6b7f035 - backdoor, LiveGuard said it's safe, submitted via email and no detection is added for now.
     2. https://www.virustotal.com/gui/file/7027e7c8ac1db327ff484f153b56767121d306264332418047b1c3bcb78613d3 - backdoor, LiveGuard said it's safe, now detected as Win32/Farfli.BPZ.
     3. https://www.virustotal.com/gui/file/fd045d6533863dd5063b1d9fdead33834cd0af646f13845db2c3f4d9e50962ee - coinminer, LiveGuard said it's safe, now detected as MSIL/CoinMiner.BSO.
  11. LiveGuard just removed this IcedID sample with a very low VT detection rate. Considering it took more than 5 mins to display a result, I believe this sample has been examined by the behavior analyzer. Maybe LiveGuard needs to improve its detection of script malware.
  12. It's possible.
     Another VBS-based script trojan downloader bypassed LiveGuard: https://www.virustotal.com/gui/file/e083ccac5c920d2b3014872aa4a0a09d77f058ecf1db8325da7c865b111a254a. However, after I actually ran it, ESET's AMSI scanner immediately detected it 🙃: 2022/5/24 21:56:57;AMSI scanner;e083ccac5c920d2b3014872aa4a0a09d77f058ecf1db8325da7c865b111a254a.vbs;VBS/TrojanDownloader.Agent.WYJ trojan
  13. Currently, ESET (international version) flags all Flystudio-based software as PUA, and ESET (Chinese version) flags all unknown Flystudio-based software as safe, which might cause new Flystudio-based malware not to be blocked and analyzed by LiveGuard. That is the problem.
     Another two backdoor (maybe CobaltStrike) samples were not detected by LiveGuard. I share the VT links for analysis by the relevant teams. The samples have been submitted via email and detection is yet to be added.
     https://www.virustotal.com/gui/file/dac35a874ca47b8de8103ac84b2db9dea4e6b44f9ed2081fcd5bff1143a66d97
     https://www.virustotal.com/gui/file/2e5364644255681ae085c113b6d88e4d3bc1db18d3ef8c06b8264194a39687e9
  14. Exactly, "Win32/Packed.FlyStudio.AA" PUA detection is disabled for ESET products in Simplified Chinese versions. However, it cannot be ignored that there is a lot of malware (especially MBR killers, system destroyers, etc.) written in the Flystudio language and mainly targeting Chinese users. Therefore, I would like ESET LiveGuard to be triggered when these Flystudio samples are downloaded to Chinese ESET users' computers and to perform behavioral analysis in the cloud to fill the security holes. 🙂
  15. The special thing about this ransomware is that it's written in the Flystudio programming language (a Chinese programming language), which might be the reason why this sample was not uploaded to LiveGuard in the first place. Despite that, the ransomware-like behavior is quite obvious. So I want to know whether this sample has actually been executed in the LiveGuard sandbox... 🤔 I think so. Maybe another example of sandbox evasion, which ESET should address.
  16. Hi @Marcos, I'd like to report another two malicious samples that bypassed LiveGuard for your teams' analysis. The first one is a ransomware written in Flystudio. This sample, when downloaded, was not automatically blocked by LiveGuard. So I submitted it to LiveGuard manually. Since I cannot view the result, and about five mins later the file had not been removed by LiveGuard, I assumed LiveGuard had marked it as Clean. I then submitted it via email and the detection "Win32/Filecoder.OLA" was added in a timely manner, which is great. But why did this obvious ransomware bypass LiveGuard? The second one is an AsyncRAT loader. This sample was automatically analyzed by LiveGuard and confirmed to be Clean. I then ran this sample, and interestingly, ESET's HTTP filter immediately blocked the connection due to the detection of the MSIL/Agent.CFQ trojan (see logs below, translated).
     2022/5/22 10:08:20; HTTP filter; File; hxxp://45[.41.240[.44/goonie/Runtime broker.exe;A Varient Of MSIL/ agent.cfq trojan;Connection terminated
     Thanks.
  17. Just ran this script on my VM. ESET blocked the access immediately:
     2022/5/20 21:34:37;hxxp://gotovacoil[.com/cname/Encrypted Client OG.jpg;Blocked;Internal Blacklist;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;;;EEE0B7E9FDB295EA97C5F2E7C7BA3AC7F4085204
     Maybe this script sample is sandbox-aware? 🤔
  18. But I think it tried to access hxxp://gotovacoil[.com/cname/Encrypted%20Client%20OG.jpg, which has been blacklisted by ESET and many vendors. Also, ESET has recently added a detection for it. 🤔
  19. That is a pity. Viewing results/verdicts, I think, is essential and should not be an exclusive feature of LiveGuard Advanced. Yes. Someone from the LiveGuard development team needs to investigate this issue. And in my opinion, if a sample exhibits sandbox-evasion-like behaviors, LiveGuard should not declare that this sample is clean and safe.
  20. Yep. In the future version of ESSP, users should be able to modify the detection threshold and choose which action to take based on maliciousness (Highly suspicious - Malicious: Quarantine; Suspicious: Ask users). I also hope there will be a dedicated window showing the details of LiveGuard, such as which file is currently being uploaded to the sandbox and the final verdict/status of each submission (I understand that detailed reports are not available in ESSP 🙂).
  21. Yes, I noticed that. Actually ESET added signature detection hours ago. No, I haven't submitted via email. Maybe a malware analyst noticed this post or found this sample in the wild and added the detection. Looking at the logs, I find that this sample was submitted to LiveGuard at 16:16 (GMT +8) and a safe verdict was sent back at 16:21. So basically it took 5 mins to analyze. I think suspicious behaviors should have shown in the sandbox environment. Still don't know why LiveGuard gave it a safe verdict.
  22. Another case where LiveGuard said the sample was safe, but when I ran it on a VM, ESET blocked the C2. This Powershell-based Remcos sample was automatically submitted to LiveGuard after being downloaded. However, LiveGuard said it's safe to use. But, with the current blacklist database, ESET can actually block the C2, so I'm not sure why LiveGuard missed this sample.😂
  23. Another two samples submitted earlier today but no detection is added.
     Sample 1: Netwire RAT with MD5: 5e08e6457dee689b9a11d1326d83d1a9
     Sample 2: Rootkit/Proxy Changer (according to Kaspersky's detection name) with MD5: dacd2eebd7c903a79efcabfe11a65850
  24. I tested it yesterday (15:08 GMT+8). The scanner failed to detect it. It is nice to see ESET is able to block it upon execution.