Is this file malicious or not

[Marcos 5,074]

1, Most likely because it's also used for legitimate purposes with user's consent.

2, I don't know of such limitation. If it's there, then it's not possible to remove it other than by installing another language version.

[0xDEADBEEF 43]

5 minutes ago, Marcos said:

1, Most likely because it's also used for legitimate purposes with user's consent.

2, I don't know of such limitation. If it's there, then it's not possible to remove it other than by installing another language version.

I really hope zh-cn clients can detect flystudio.packed (or at least provide a switch if FP is a concern). Threat of this category is very popular in China but zh-cn and zh-tw version clients don't detect this category in PUA. Legitimate software using flystudio is so few that detecting all of them as PUA as english version does shouldn't be a big deal for ordinary users.

BTW, another MBR locker ESET missed.

SHA256: c050c6122d1ac7a59e0735b646a2543ebd13bbd8e2a602cafc13eaea0df341c8

I don't have this sample but I assume ESET might be able to get it. https://www.virustotal.com/#/file/c050c6122d1ac7a59e0735b646a2543ebd13bbd8e2a602cafc13eaea0df341c8/detection

Edited November 12, 2017 by 0xDEADBEEF

[Marcos 5,074]

1 minute ago, 0xDEADBEEF said:

BTW, another MBR locker SHA256: c050c6122d1ac7a59e0735b646a2543ebd13bbd8e2a602cafc13eaea0df341c8

It's a password-protected gzip. I was unable to find the correct password and scan the exe file inside.

[0xDEADBEEF 43]

1 minute ago, Marcos said:

It's a password-protected gzip. I was unable to find the correct password and scan the exe file inside.

hmm, alright I will submit it if I get a unzipped sample

Plus I hope ESET can consider putting coinminer detection in potentially unwanted category. "Potentially unsafe" is sometimes too annoying but "potentially unwanted" is tolerable. There are a lot of users who don't want to have detection as strict as "potentially unsafe" but still want to block miner scripts.

[itman 1,659]

4 hours ago, Marcos said:

detection engineer replied 20 minutes later that the detection would be added in the next update.

Problem is my Eset  sig. update cycles are 3 hour intervals minimum. Hopefully, the .exe/s in question are immediately added to LiveGrid's blacklist.

[illumination 5]

To rely on signatures is a very serious mistake. None of the AV's on the market can keep up with zero days and signatures, submitting a few here and there on a daily basis helps, but it is barely scratching the surface when it comes to amount of new/modified files showing up daily. To be concerned if whether they are added the first day or 5th day they are in the wild and so forth, is a waste of energy. This is why most suites/AV's have extra modules. As pointed out earlier in this thread, if the HIPS is configured correctly, it will stop this file. Also most of us have removed and or stopped using Java some time ago and many of us supplement our suites with another security product "just in case", not to mention those of us with enough time in this field, realize that counting on security products period, thinking we are 100% safe, is the biggest mistake of it all, and rely more so on regular back ups and images to secure our content and be better prepared.

Edited November 12, 2017 by illumination

[novice 20]

"As pointed out earlier in this thread, if the HIPS is configured correctly, it will stop this file"

So, do you expect a regular user to configure the HIPS correctly , in order to be protected by a paid antivirus?????

In all ESET versions the HIPS is blank, waiting to be "configured correctly" by the user.....

I never understand why HIPS is not coming with the rules preconfigured and give the user the opportunity to select or not a specific rule. 

[illumination 5]

24 minutes ago, John Alex said:

I never understand why HIPS is not coming with the rules preconfigured and give the user the opportunity to select or not a specific rule. 

The above underlined, is exactly what "interactive mode" in hips is for, to allow the user to pick/define the rules. 

 

As for the average users, most of them could care less about how their product works, and will not spend the time to learn it. This goes for all products. Most of them will not even attempt a manual scan, or update, they just want to use their computers with no inconvenience.  

None of the top name AV's hit 100% with zero days, as they simply can not. New samples/modifications come out daily in large amounts, they need to be seen in the wild before the AV industry can get their hands on them, analyze them, and make the necessary signatures to push, this means they have hit systems/ or been discovered online before they are even known to exist. 

Today, an AV is not enough, you need AV's/full suites with other modules and or anti exes, SRP "software Restriction Policy" applications, ect in order to combat this. It is totally up to the user of their systems to learn to use the products they have, and none of these products come preconfigured for max protection out of the box, they are all set basically at minimum protection levels for that above convenience of consumers. 

 

 The saying, you can not protect a user from themselves is quite relevant here.  

[peteyt 393]

10 hours ago, John Alex said:

"As pointed out earlier in this thread, if the HIPS is configured correctly, it will stop this file"

So, do you expect a regular user to configure the HIPS correctly , in order to be protected by a paid antivirus?????

In all ESET versions the HIPS is blank, waiting to be "configured correctly" by the user.....

I never understand why HIPS is not coming with the rules preconfigured and give the user the opportunity to select or not a specific rule. 

 

10 hours ago, illumination said:

The above underlined, is exactly what "interactive mode" in hips is for, to allow the user to pick/define the rules. 

 

As for the average users, most of them could care less about how their product works, and will not spend the time to learn it. This goes for all products. Most of them will not even attempt a manual scan, or update, they just want to use their computers with no inconvenience.  

None of the top name AV's hit 100% with zero days, as they simply can not. New samples/modifications come out daily in large amounts, they need to be seen in the wild before the AV industry can get their hands on them, analyze them, and make the necessary signatures to push, this means they have hit systems/ or been discovered online before they are even known to exist. 

Today, an AV is not enough, you need AV's/full suites with other modules and or anti exes, SRP "software Restriction Policy" applications, ect in order to combat this. It is totally up to the user of their systems to learn to use the products they have, and none of these products come preconfigured for max protection out of the box, they are all set basically at minimum protection levels for that above convenience of consumers. 

 

 The saying, you can not protect a user from themselves is quite relevant here.  

It's important to note eset doesn't want to cause issues by giving users choices by default. If eset set it to alert users to anything remotely suspicious by default it would require users to decide if it was safe or not. Without a defenition there's a bit of guess work as suspicious looking stuff could be false positives. A lot of users wouldn't know what to do and so could end up blocking something safe.

I've heard that eset might be adding an application control feature at some point in the future. Not really sure what this will add