Everything posted by AnthonyQ

  1. Hi @Marcos, another two samples missed by ESET:
     1. Screen locker + MBR locker (https://www.virustotal.com/gui/file/afbf5da99b569974c5e8ccec0286cb4ed45401cce45b6f6c7f05a3d5565db7f0). Submitted yesterday but detection is still not added. Sandbox analysis: https://tria.ge/220613-b9zjwshcd5/behavioral1.
     2. Suspicious backdoor (https://www.virustotal.com/gui/file/62e3529e3ed9fd63ca02f139e2ed564ad785e6d546bd402c3cd93ffa1c14d24b).
  2. This sample is indeed corrupt (https://app.any.run/tasks/91032682-65d8-4ba5-9e93-8899b2d592d8/). Joe Sandbox's results indicate this sample crashed during analysis. Other vendors may detect corrupt samples because they contain malicious code, which I don't think is a false positive.
  3. Sure! For example, this ransomware (https://www.virustotal.com/gui/file/e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f). ESET's scanner couldn't detect it on 17/5/2022. So I executed it on a VM. ESET's ransomware shield was triggered after several seconds, but 700+ test files were unfortunately encrypted. Another ransomware (https://www.virustotal.com/gui/file/11b7a09a345dc9f9f4e8f91211e4d4e05f7773ee34af0411dc6f30cc3dcbe32b). ESET's scanner couldn't detect it on 9/5/2022. So I executed it on a VM. ESET's ransomware shield and deep behavior blocker were not triggered and test files were encrypted. Another example, this sample (https://www.virustotal.com/gui/file/6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189), now detected as Win32/Agent.AEIU after submission. I ran this sample on a VM and ESET's deep behavior inspection could not block this malicious behavior.
  4. I believe ESET's equivalent of Kaspersky's System Watcher module is Deep Behavior Inspection and Ransomware Shield. To be honest, in my testing, these two modules are not very effective against ransomware and other types of malware. The Deep Behavior Inspection module has not been updated for several months, showing ESET focuses on signature detection instead of behavior blocking. Although there is nothing wrong with this strategy, I still hope ESET can further improve its behavior blocker module.
  5. After more testing, I find that many JS script samples were unable to be automatically blocked and analyzed by LiveGuard. For example, this one (https://www.virustotal.com/gui/file/a608783f22317e2964b8adb03345a9ac995979f73c9dfc0d0d5d6a090af9da03), now detected as JS/TrojanDropper.Agent.OOM.

     Another three typical malicious samples bypassed LiveGuard:
     1. https://www.virustotal.com/gui/file/29170db2866b123a1dd16867b991bd098acdebe9a452d33c70825133b6b7f035 - backdoor, LiveGuard said it's safe, submitted via email and no detection is added for now.
     2. https://www.virustotal.com/gui/file/7027e7c8ac1db327ff484f153b56767121d306264332418047b1c3bcb78613d3 - backdoor, LiveGuard said it's safe, now detected as Win32/Farfli.BPZ.
     3. https://www.virustotal.com/gui/file/fd045d6533863dd5063b1d9fdead33834cd0af646f13845db2c3f4d9e50962ee - coinminer, LiveGuard said it's safe, now detected as MSIL/CoinMiner.BSO.
  6. LiveGuard just removed this IcedID sample with a very low VT detection rate. Considering it took more than 5 mins to display a result, I believe this sample has been examined by the behavior analyzer. Maybe LiveGuard needs to improve its detection of script malware.
  7. It's possible.

     Another VBS-based script trojan downloader bypassed LiveGuard: https://www.virustotal.com/gui/file/e083ccac5c920d2b3014872aa4a0a09d77f058ecf1db8325da7c865b111a254a. However, after I actually ran it, ESET's AMSI scanner immediately detected it 🙃:
     2022/5/24 21:56:57;AMSI scanner;e083ccac5c920d2b3014872aa4a0a09d77f058ecf1db8325da7c865b111a254a.vbs;VBS/TrojanDownloader.Agent.WYJ trojan
  8. Currently, ESET (international version) flags all Flystudio-based software as PUA, and ESET (Chinese version) flags all unknown Flystudio-based software as safe, which might cause new Flystudio-based malware not to be blocked and analyzed by LiveGuard. That is the problem.

     Another two backdoor (maybe CobaltStrike) samples were not detected by LiveGuard. I share the VT links for analysis by relevant teams. The samples have been submitted via email and detection is yet to be added.
     https://www.virustotal.com/gui/file/dac35a874ca47b8de8103ac84b2db9dea4e6b44f9ed2081fcd5bff1143a66d97
     https://www.virustotal.com/gui/file/2e5364644255681ae085c113b6d88e4d3bc1db18d3ef8c06b8264194a39687e9
  9. Exactly, "Win32/Packed.FlyStudio.AA" PUA detection is disabled for ESET products in Simplified Chinese versions. However, it cannot be ignored that there is a lot of malware (especially MBR killers, system destroyers, etc.) written in the Flystudio language and mainly targeting Chinese users. Therefore, I would like ESET LiveGuard to be triggered when these Flystudio samples are downloaded to Chinese ESET users' computers and perform behavioral analysis in the cloud to fill the security holes. 🙂
  10. The special thing about this ransomware is that it's written in the Flystudio programming language (a Chinese programming language), which might be the reason why this sample was not uploaded to LiveGuard in the first place. Despite that, the ransomware-like behavior is quite obvious. So I want to know whether this sample has actually been executed in the LiveGuard sandbox... 🤔 I think so. Maybe another example of sandbox evasion, which ESET should address.
  11. Hi @Marcos, I'd like to report another two malicious samples that bypassed LiveGuard for your teams' analysis. The first one is a ransomware written in Flystudio. This sample, when downloaded, was not automatically blocked by LiveGuard. So I submitted it to LiveGuard manually. Since I cannot view the result, about five mins later, the file was not removed by LiveGuard and I assumed LiveGuard had marked it as Clean. I then submitted it via email and the detection "Win32/Filecoder.OLA" was added in a timely manner, which is great. But why did this obvious ransomware bypass LiveGuard? The second one is an AsyncRAT loader. This sample was automatically analyzed by LiveGuard and confirmed to be Clean. I then ran this sample, and interestingly, ESET HTTP filter immediately blocked the connection due to the detection of MSIL/Agent.CFQ trojan (see logs below, translated).
      2022/5/22 10:08:20; HTTP filter; File; hxxp://45[.41.240[.44/goonie/Runtime broker.exe;A Varient Of MSIL/ agent.cfq trojan;Connection terminated
      Thanks.
  12. Just ran this script on my VM. ESET blocked the access immediately:
      2022/5/20 21:34:37;hxxp://gotovacoil[.com/cname/Encrypted Client OG.jpg;Blocked;Internal Blacklist;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;;;EEE0B7E9FDB295EA97C5F2E7C7BA3AC7F4085204
      Maybe this script sample is sandbox-aware? 🤔
  13. But I think it tried to access hxxp://gotovacoil[.com/cname/Encrypted%20Client%20OG.jpg, which has been blacklisted by ESET and many vendors. Also, ESET has recently added a detection for it. 🤔
  14. That is a pity. Viewing results/verdict, I think, is essential and should not be an exclusive feature for LiveGuard Advanced. Yes. Someone from LiveGuard development team needs to investigate this issue. And in my opinion, if a sample exhibits sandbox-evasion-like behaviors, LiveGuard should not declare this sample is clean and safe.
  15. Yep. In the future version of ESSP, users should be able to modify the detection threshold and choose which action to take based on maliciousness (Highly suspicious - Malicious: Quarantine; Suspicious: Ask users). I also hope there will be a dedicated window showing the details of LiveGuard, such as which file is currently being uploaded to the sandbox and the final verdict/status of each submission (I understand that detailed reports are not available in ESSP 🙂).
  16. Yes, I noticed that. Actually ESET added signature detection hours ago. No, I haven't submitted via email. Maybe a malware analyst noticed this post or found this sample in the wild and added the detection. Looking at the logs, I find that this sample was submitted to LiveGuard at 16:16 (GMT +8) and a safe verdict was sent back at 16:21. So basically it took 5 mins to analyze. I think suspicious behaviors should be shown in the sandbox environment. Still don't know why LiveGuard gave it a safe verdict.
  17. Another case where LiveGuard said the sample was safe, but when I ran it on a VM, ESET blocked the C2. This Powershell-based Remcos sample was automatically submitted to LiveGuard after being downloaded. However, LiveGuard said it's safe to use. But, with the current blacklist database, ESET can actually block the C2, so I'm not sure why LiveGuard missed this sample.😂
  18. Another two samples submitted earlier today but no detection is added.
      Sample 1: Netwire RAT with MD5: 5e08e6457dee689b9a11d1326d83d1a9
      Sample 2: Rootkit/Proxy Changer (according to Kaspersky's detection name) with MD5: dacd2eebd7c903a79efcabfe11a65850
  19. I tested it yesterday (15:08 GMT+8). The scanner failed to detect it. It is nice to see ESET is able to block it upon execution.
  20. LiveGuard is still useful. Examples:
      1. I tested this GuLoader, with very low VT detection rate (4/67). ESET scanner missed but LiveGuard detected it.
      2. I tested this new variant of Magniber ransomware that is popular recently. ESET scanner missed but LiveGuard detected it. Without LiveGuard, users' files are very likely to be encrypted.
      Although LiveGuard did a good job at detecting this ransomware, I still hope ESET can create a generic detection for Magniber ransomware (like Kaspersky does), because there are many variants of it in the wild.
  21. But the sandbox Zenbox on VT flags this file as: MALWARE STEALER TROJAN EVADER and accurately detects this malware. So perhaps ESET needs to improve LiveGuard. It's nice to see ESET has added a detection for it. Another example: I downloaded this Netwire sample (https://www.virustotal.com/gui/file/e82eb173325ee7fa787d4a3553ac250f0784a36bba695278889091ce84a2f38a). ESET's real-time scanner did not detect and remove this threat, LiveGuard was triggered, and the sample was uploaded to the cloud sandbox. Then, I performed an on-demand scan and found that ESET is able to detect the component (> 7ZIP > cgB1AG4AMQAuAGUAeABlAA) inside it as A Variant Of Win32/Kryptik.FRHZ, and I chose retain. Several mins later, LiveGuard said it was safe to use this file...... I am shocked, as even the local-based ESET scanner is able to detect the harmful object inside this sample. Below is the screenshot of logs (in Chinese):
  22. Maybe the bat file downloaded is considered to be 100% clean by the ESET local scanning engine, so the sample will not be uploaded to LiveGuard (https://support.eset.com/en/kb6569-eset-liveguard-advanced-faq).

      I also have an issue with LiveGuard. I tested this sample (https://www.virustotal.com/gui/file/945a03df112866cd0d1da3b476f674aa81c556df2ceab354eb4ff545888e27f2). ESET scanner and LiveGuard fail to detect it. However, when I execute this sample on a VM, ESET's Deep Behavioral Inspection immediately blocked this sample (detected as BH/PSWFareit.1). Also, ESET's web protection can block the C2. So, it is weird that LiveGuard said this sample was safe to open.......
  23. Even ESET online help documents support dark mode. ESET desktop products should support dark mode as well. 🙃
  24. Just received a response from ESET malware response team informing that a detection has been added: "8b7252c0568dde4408033110bee56d99ec603d51a1c2b4008a6643ee904154ad.exe - JS/PSW.Discord.AS trojan". Also, the second website I reported has been blacklisted by ESET while the first one is still pending. In general, ESET malware response team is quick to respond to samples of undetected malware from common malware families, which is nice. I'm hoping that ESET malware response team will be able to respond more quickly to these uncommon threat submissions.
  25. Hi, After compression, this sample is only 29MB in size, which allows me to send it by email to ESET malware research team. Btw, I am using ESSP and I find that I can submit this sample (> 64 MB) to LiveGuard, although LiveGuard said this sample was safe to use.