Today ESET disappointed me, I don't know if I can trust it anymore


Today we got a suspicious mail with a download link to a bill. I downloaded the file on an isolated Linux system and checked the file with ESET for Linux 4.0. ESET found a trojan. After that I tested the file with VirusTotal; 4/56 found the trojan too. But the bad thing is that ESET for Windows, with the same signature database as the Linux ESET, didn't find the trojan.

I must say I'm very disappointed about ESET. How could it be that one system found the trojan and the other did not?


  • Administrators

You wrote that ESET detected the malware on your Linux system but not on VirusTotal. Well, we are not responsible for VirusTotal. VirusTotal, a subsidiary of Google and formerly operated by HispaSec, is in no way related to ESET except that they use our scanner and scan files with their own settings. Also, it's not clear if you uploaded the infected file, as it might have been an Office document with the macro already cleaned. Although some scanners may detect it, we don't, as it's innocuous in such form.

Please provide a link with VT scan results so that we can investigate what happened.


No, the file was detected on the Linux system, but on a Windows system with ESET Endpoint Security it was not detected as a trojan.

I opened a ticket: Ticket#2016121530002184

On the Linux system:

Quote

15.12.2016 18:35:54    Laden Echzeit-Dateischutz    Datei    /home/fred/Schreibtisch/frank_hager/frank_hager.scr    Variante von Win32/GenKryptik.ODA Trojaner    Gesäubert durch Löschen    fred    Ereignis beim Erstellen einer neuen Datei durch die Anwendung: /usr/lib/p7zip/7z (D8D108F4CC50C91AF31604440E7BAF7325044C38).
 

On the Windows system:

Quote

Log
Version der Signaturdatenbank: 14611 (20161215)
Datum: 15.12.2016  Uhrzeit: 19:07:09
Geprüfte Laufwerke, Ordner und Dateien: C:\Users\haa\Desktop\frank_hager.zip
Geprüfte Objekte: 2
Erkannte Bedrohungen: 0
Abgeschlossen: 19:07:09  Benötigte Zeit: 0 Sek. (00:00:00)

Edited by Clouseau219

  • Administrators

Please provide a link to VirusTotal with scan results and also email the file in an archive protected with the password "infected" to samples@eset.com. I don't have access to the German ticketing system so there's no way for me to check it out quickly.


  • Administrators

It seems that you've scanned different variants of the malware (Win32/Filecoder.MaktubLocker) with the same file name and you uploaded a newer variant to VT while you scanned an older one detected as Win32/GenKryptik.ODA on the Linux system.

In the meantime, a detection was added and it's now detected as well:

https://www.virustotal.com/en/file/22138bc6dca174bc223b641ca4a79e8472c4a1a5db55c093fd9e2b1c9a1aa59b/analysis/1481834110/

 

Baidu Win32.Trojan.WisdomEyes.16070401.9500.9990 20161207
CrowdStrike Falcon (ML) malicious_confidence_69% (W) 20161024
ESET-NOD32 Win32/Filecoder.MaktubLocker.B 20161215
Invincea generic.a 20161202
Qihoo-360 HEUR/QVM10.1.0000.Malware.Gen 20161215
It'd be good to note a hash of the file you scan (ideally name it by the hash) to make sure a comparison with other scans or files is correct.

You misunderstand my problem. The problem I had was that with the virus signature database 14611, ESET for Linux detected the trojan, but with the same database (14611) ESET for Windows didn't detect the trojan. Now with 14612 ESET for Windows detects the trojan too.

But thx for your help.

Edited by Clouseau219

  • Administrators

I scanned your sample with ESET NOD32 Antivirus 4.0 BE for Linux with signature database 14611 and the file wasn't detected. My assumption is that you provided me with a newer variant with the same file name that was first covered by signature database 14612, but on Linux you scanned the older variant detected by 14611.

We can verify it once you provide the hashes of the files you've scanned.

 

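The hash bookkeeping both administrator replies ask for (note the hash of what you scan, ideally name the file by it), as an added example that is not part of the thread and not ESET's code: it names samples by their SHA-256 and groups same-named files by digest, so two downloads that merely share the name `frank_hager.scr` are told apart before any two scan results are compared. The sample bytes below are constructed placeholders, not the files from the thread.

```python
import hashlib
from pathlib import Path
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of an in-memory sample as lowercase hex,
    the same form VirusTotal uses in its report URLs."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_name(original_name: str, data: bytes) -> str:
    """Rename a sample to <sha256><original extension>, so the name itself
    identifies the exact bytes while the file type stays visible."""
    return sha256_hex(data) + Path(original_name).suffix


def group_by_digest(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each distinct digest to the labels of the samples that share it.
    Labels under one digest are the same file; same-named samples that land
    under different digests are different variants and their scan results
    must not be compared as if they were one file."""
    groups: Dict[str, List[str]] = {}
    for label, data in samples.items():
        groups.setdefault(sha256_hex(data), []).append(label)
    return groups


# Constructed stand-ins for the downloads in the thread (placeholder bytes,
# not malware): the Linux and Windows scans used the same file name but,
# as the replies suggest, may not have scanned the same content.
SAMPLES = {
    "linux:frank_hager.scr": b"variant-A placeholder bytes (constructed)",
    "windows:frank_hager.scr": b"variant-B placeholder bytes (constructed)",
    "resubmitted:frank_hager.scr": b"variant-B placeholder bytes (constructed)",
}

if __name__ == "__main__":
    for digest, labels in group_by_digest(SAMPLES).items():
        print(digest, "->", ", ".join(labels))
```

Run it against the real downloads by replacing the placeholder bytes with `path.read_bytes()` (or use `sha256_file` on the zip and on the extracted `.scr` separately, since an archive and its contents never share a digest).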
