Jump to content

Recommended Posts

Hi,

Eset got all excited about about a file on my system when moving some old data around yesterday. Which, if it is a trojan threat, means I need to let a few others who will have downloaded the same file know. But... I rather suspect it's a false positive. Can anyone help please?

The file in question is one that I downloaded from a private forum (which I run, although I wasn't the one to create the file or upload it to the forum) and is an PDF document with rules of our organisation.

It's been on my system (and the forum - and presumably a sizeable subset of the forum's member's computers) for the last 18 months without any issue until yesterday.

Detection only gave me the option of deleting the file, so I cannot submit for analysis, but the malware allegedly found was PDF/Phishing.A.Gen trojan (see screenshot snippet attached below of the error message - this one from checking the forum where the original was held - forum webaddy obfuscated for reasons of confidentiality).

Now given the amount of time involved since the file was downloaded, and the fact that neither ESS9 nor malwarebytes finds anything else on my computer - nor has anyone else reported any issues - and the nature of the content of the file, it seems very unlikely that this is a real positive.

Before I start to worry all others who may be affected by this into wasting as much time as I have myself on something that I suspect isn't an issue, is there any way of confirming a) what a PDF/Phishing.A.Gen trojan is (it doesn't have a definition in the ESET threat database info - as far as I can see...) and b) if it really is an issue, or as I now suspect, just a false positive.

Many thanks in advance for your help.

ESS-PDF-Phishing-Gen-A-Trojan-error.jpg

Edited by notanotherdisplayname24get
Link to post
Share on other sites

Errm, except, as I said, the only option it gave me was delete. So as it initially seemed dangerous, that was all I could do. And so did!

Which means I don't have a copy of the file... Doh...

So I guess there's nothing I can do without that, other than....

...ask again what the Phishing.Gen.A threat is.

(I couldn't find it on the threat list on the Eset site. It doesn't seem high risk to me, but before I demote it to not worth worrying others (on the forum that held the file) about I'd really like to know a bit more about the threat to make a sensible decision on that. And there seems to be very little anywhere online about it.)

Link to post
Share on other sites

Many thanks for the suggestion itman.

But I suspect it isn't that. As the PDF was uploaded as a direct attachment to our forum for our members to then download. So no email links involved! Eset was querying the file itself not any link to it.

Has anyone got any info on what the PDF/Phishing.A.Gen threat is (particularly when it's not an email link to a file but the file itself)

Link to post
Share on other sites

My colleague only has an older version of the file (and originally it was just a word file - sent in error to samples at - sorry - please ignore that one!). I'll see if any of my other colleagues has that particular one now I'm pretty sure it's a false positive and send if I can get them to send it to me (assuming eset will allow it to be forwarded...)

Link to post
Share on other sites
  • Administrators

Before cleaning / deleting a detected file, a copy of the original file is put to quarantine. Do you have your ESET quarantine empty and therefore it's not possible to restore the file?

Link to post
Share on other sites
  • Administrators

Even if the alert says "Cleaned by deleting", a copy of the original file is put to quarantine. I can't find the file in our ticketing system with samples sent to samples[at]eset.com. Please send it to me via a personal message.

Link to post
Share on other sites

Marcus - can't find a way of extracting it from quarantine to send - other than right clicking and send for analysis, which I did, but from your previous msg seems not to have reached your system? Any suggestions on how to send via PM - sorry if I'm being dim here!

itman - thanks, but as I said, the file didn't come via email. It was downloaded from a totally legit source (a private forum with only a few members within the board it was posted to) and is an internal PDF document that was created by one of those few forum members. Only they should have access to it, so defo not a phishing email!

Link to post
Share on other sites
  • 4 weeks later...
  • 2 months later...
  • Administrators
2 hours ago, Bert van Wijk said:

Exact same problem here. Send my file from the quarantine to the viruslab. Waiting for reply.

How did you submit the file to ESET? I was unable to find any pdf that has been submitted recently.

Link to post
Share on other sites
  • 2 weeks later...
  • 3 months later...

I just saw this forum after searching for topics on this Virus ( PDF/Phishing.A.Gen trojan ).  Got two alerts (one a few weeks before the other)regarding it and scanned (multiple scanning engines) with no results.  Looked in the indicated location and nothing was found.  Go another alert two days after the last alert.

This time we discovered that in the Windows/temp folder pdf files with similar names are being generated and deleted in about second (not enough time to scan them -  have a video of this process).  We also discovered that if Outlook is closed the auto-generation stops.  I tried removing Office and re-installing it, but this did not work.  I ended up having to rebuild the system.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...