Clouseau219, posted December 15, 2016

Today we got a suspicious mail with a download link to a bill. I downloaded the file under an isolated Linux system and checked the file with ESET for Linux 4.0. ESET found a trojan. After that I tested the file with VirusTotal; 4/56 found the trojan too. But the bad thing is, ESET for Windows, with the same signature database as the Linux ESET, didn't find the trojan. I must say I'm very disappointed about ESET. How could it be that one system found the trojan and the other not?
Marcos (Administrator), posted December 15, 2016

You wrote that ESET detected the malware on your Linux system but not on VirusTotal. Well, we are not responsible for VirusTotal. VirusTotal, a subsidiary of Google and formerly operated by HispaSec, is in no way related to ESET except that they use our scanner and scan files with their own settings. Also it's not clear if you uploaded the infected file, as it might have been an Office document with the macro already cleaned. Although some scanners may detect it, we don't, as it's innocuous in such form. Please provide a link with VT scan results so that we can investigate what happened.
Clouseau219 (Author), posted December 15, 2016 (edited)

No, the file was detected on the Linux system, but on a Windows system with ESET Endpoint Security it was not detected as a trojan. I opened a ticket: Ticket#2016121530002184

On the Linux system:

    15.12.2016 18:35:54 Laden Echzeit-Dateischutz Datei /home/fred/Schreibtisch/frank_hager/frank_hager.scr Variante von Win32/GenKryptik.ODA Trojaner Gesäubert durch Löschen fred Ereignis beim Erstellen einer neuen Datei durch die Anwendung: /usr/lib/p7zip/7z (D8D108F4CC50C91AF31604440E7BAF7325044C38).

On the Windows system:

    Log
    Version der Signaturdatenbank: 14611 (20161215)
    Datum: 15.12.2016 Uhrzeit: 19:07:09
    Geprüfte Laufwerke, Ordner und Dateien: C:\Users\haa\Desktop\frank_hager.zip
    Geprüfte Objekte: 2
    Erkannte Bedrohungen: 0
    Abgeschlossen: 19:07:09 Benötigte Zeit: 0 Sek. (00:00:00)

Edited December 15, 2016 by Clouseau219
Marcos (Administrator), posted December 15, 2016

Please provide a link to VirusTotal with scan results and also email the file in an archive protected with the password "infected" to samples@eset.com. I don't have access to the German ticketing system, so there's no way for me to check it out quickly.
Clouseau219 (Author), posted December 15, 2016

Link: https://www.virustotal.com/de/url/c77862b65805d4f48c926b530dc59e98d4de00cb988c46377b8ee824b1de016e/analysis/1481823580/ and https://www.virustotal.com/de/file/d437d10d3e768f3641acbd560ea690394f4299c9bf48ed7574db03bccb5a2efa/analysis/1481823585/

I have sent the zip to samples@eset.com
Marcos (Administrator), posted December 15, 2016

It seems that you've scanned different variants of the malware (Win32/Filecoder.MaktubLocker) with the same file name: you uploaded a newer variant to VT while you scanned an older one, detected as Win32/GenKryptik.ODA, on the Linux system. In the meantime, a detection was added and it's now detected as well: https://www.virustotal.com/en/file/22138bc6dca174bc223b641ca4a79e8472c4a1a5db55c093fd9e2b1c9a1aa59b/analysis/1481834110/

    Baidu                  Win32.Trojan.WisdomEyes.16070401.9500.9990   20161207
    CrowdStrike Falcon (ML) malicious_confidence_69% (W)                 20161024
    ESET-NOD32             Win32/Filecoder.MaktubLocker.B               20161215
    Invincea               generic.a                                    20161202
    Qihoo-360              HEUR/QVM10.1.0000.Malware.Gen                20161215

It'd be good to note a hash of the file you scan (ideally name it by the hash) to make sure a comparison with other scans or files is correct.
Clouseau219 (Author), posted December 15, 2016 (edited)

You misunderstand my problem. The problem I had was that with the virus signature database 14611 ESET for Linux detected the trojan, but with the same database (14611) ESET for Windows didn't detect the trojan. Now with 14612 ESET for Windows detects the trojan too. But thx for your help.

Edited December 15, 2016 by Clouseau219
Marcos (Administrator), posted December 15, 2016

I scanned your sample with ESET NOD32 Antivirus 4.0 BE for Linux with the signature database 14611 and the file wasn't detected. My assumption is that you provided me with a newer variant with the same file name that was first covered with the signature db 14612, but on Linux you scanned the older variant detected by 14611. We can verify it after providing a hash of the files you've scanned.
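The discrepancy in this thread came down to two different files carrying the same name (frank_hager.scr), so "the same file" was never actually compared across the two scanners. The script below is an added example, not code from the thread or from ESET, showing the workflow Marcos recommends: hash every sample before scanning, store a copy named by its SHA-256 so the name is the identity, and compare scan results by digest rather than by filename. The directory names and the file contents are constructed placeholders; the SHA-1 is computed alongside because the Linux log in this thread reports a SHA-1 for the creating application.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digests(path, chunk_size=1 << 16):
    """Return (sha1_hex, sha256_hex) for a file, streaming it in chunks.

    Streaming keeps memory flat for large archives and avoids reading the
    whole sample into memory on the analysis host.
    """
    sha1 = hashlib.sha1()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def copy_named_by_hash(src, dest_dir):
    """Copy src into dest_dir as <sha256>.bin and return the new path.

    Naming the stored copy by its digest means two distinct variants can
    never collide under one human-chosen name like frank_hager.scr.
    The .bin suffix is a convention chosen here so the copy is not
    executable by extension on any platform.
    """
    _, sha256 = file_digests(src)
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / f"{sha256}.bin"
    shutil.copyfile(src, dest)
    return dest


def same_sample(path_a, path_b):
    """True only if both files have identical SHA-256, regardless of name."""
    return file_digests(path_a)[1] == file_digests(path_b)[1]


def demo():
    """Constructed demonstration: two files sharing a name but not content.

    Stands in for the 'Linux scan' and 'Windows scan' copies from the
    thread. Contents are placeholder bytes, not malware.
    """
    root = Path(tempfile.mkdtemp(prefix="hashdemo_"))
    linux_dir = root / "linux_scan"      # hypothetical directory
    windows_dir = root / "windows_scan"  # hypothetical directory
    linux_dir.mkdir()
    windows_dir.mkdir()

    sample_a = linux_dir / "frank_hager.scr"
    sample_b = windows_dir / "frank_hager.scr"
    sample_a.write_bytes(b"abc")  # constructed placeholder content
    sample_b.write_bytes(b"")     # constructed placeholder content

    store = root / "samples"
    copy_named_by_hash(sample_a, store)
    copy_named_by_hash(sample_b, store)

    result = {
        "a_sha1": file_digests(sample_a)[0],
        "a_sha256": file_digests(sample_a)[1],
        "b_sha256": file_digests(sample_b)[1],
        "same_name": sample_a.name == sample_b.name,
        "same_sample": same_sample(sample_a, sample_b),
        "stored_names": sorted(p.name for p in store.iterdir()),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real sample directory, the `stored_names` list is what to paste into a ticket or a VirusTotal lookup: the digest identifies the exact bytes that were scanned, so a "detected here, not there" report can be checked against one signature database version per hash instead of per filename.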