0xDEADBEEF, posted May 23, 2018 (edited):
I was wondering why the ESET scan usually doesn't detect documents with exploits. For example this file (the scan shows clean with 17430): https://www.virustotal.com/#/file/84a7c1eac6e1a130cb66126fa48258e9c7c8b60a2a5fd0fcd564305775757641/detection
Executing this sample in a virtual machine successfully downloads the payload and executes it through the equation editor exploit, and ESET detects the payload post-execution as FareIt using AMS. But I feel like detecting it at an early stage would be better?
Peter Randziak (ESET Moderators), posted May 23, 2018:
Hello @0xDEADBEEF, thank you for the report. The detection for this sample has already been added. It was not yet detected when you posted this, as it had not yet been processed by the automated sample processing system. In case you have an undetected sample or suspicious application, please send it to our research lab as described at https://support.eset.com/kb141/#SubmitFile
Thank you, P.R.
itman, posted May 23, 2018:
Quoting 0xDEADBEEF (7 hours ago): "exec it through the equation editor exploit"
This exploit was also patched a few months ago by Microsoft.
0xDEADBEEF (author), posted May 23, 2018:
Quoting Peter Randziak (2 hours ago): "Hello @0xDEADBEEF, thank you for the report. The detection for this sample has already been added. It was not yet detected when you posted this, as it had not yet been processed by the automated sample processing system. In case you have an undetected sample or suspicious application, please send it to our research lab as described at https://support.eset.com/kb141/#SubmitFile Thank you, P.R."
Thanks! Originally I intended to ask whether ESET has generic exploit detection like other vendors on VT, as shown on that webpage. From the updated detection name, I can see what's happening.
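The question in the post above is whether a document can be flagged statically, before the Equation Editor object is ever activated and a payload is fetched. The block below is an added example of the kind of static indicator check a triage script can run; it is not ESET's detection logic and not code posted by anyone in this thread. It looks for the legacy Equation Editor (Equation.3) object in the two common carriers: an RTF file, where the OLE1 blob sits hex-encoded inside `\objdata`, and an OLE2 compound file, where the embedded object's directory entries carry the object's CLSID and its "Equation Native" stream name. The RTF and OLE2 samples in the block are constructed for the example and are not real exploit documents.

```python
"""Static triage for documents carrying a legacy Equation Editor object.

Added example, not part of the forum thread and not ESET's detection logic.
Presence of the object is only an indicator: legitimate documents with
formulas also embed Equation.3, so a hit is a reason to inspect, not a verdict.
"""
import re
import uuid

# CLSID of the legacy Equation Editor (Equation.3), serialised the way an
# OLE2 directory entry stores it (little-endian GUID layout).
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
# Stream name Equation Editor uses for its data inside the object storage;
# OLE2 directory entry names are stored as UTF-16LE.
EQUATION_STREAM = "Equation Native".encode("utf-16-le")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
RTF_MAGIC = b"{\\rtf"

# Hex payload that follows the \objdata control word in an RTF file.
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def rtf_objdata_blobs(data: bytes) -> list:
    """Decode every hex-encoded \\objdata blob found in an RTF file."""
    blobs = []
    for m in _OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:  # odd-length hex: drop the dangling nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs


def ole1_class_name(blob: bytes):
    """Return the class name from an OLE1 embedded-object header, or None."""
    # OLE1 header: OLEVersion(4) FormatID(4) ClassName(4-byte length + ANSI).
    if len(blob) < 12 or blob[:4] != b"\x01\x05\x00\x00":
        return None
    name_len = int.from_bytes(blob[8:12], "little")
    if name_len == 0 or name_len > 256 or len(blob) < 12 + name_len:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def equation_indicators(data: bytes) -> list:
    """Return the Equation Editor indicators found in a document's bytes."""
    found = []
    if data.startswith(RTF_MAGIC):
        for blob in rtf_objdata_blobs(data):
            cls = ole1_class_name(blob)
            if cls and cls.lower().startswith("equation"):
                found.append(f"rtf:objdata:{cls}")
        if re.search(rb"\\objclass\s+Equation", data):
            found.append("rtf:objclass:Equation")
    elif data.startswith(OLE2_MAGIC):
        # Raw byte scan: directory entries in a compound file are stored
        # uncompressed, so the CLSID and stream name appear verbatim.
        if EQUATION_CLSID in data:
            found.append("ole2:clsid:Equation.3")
        if EQUATION_STREAM in data:
            found.append("ole2:stream:Equation Native")
    return found


# Constructed sample: the shape of an RTF embedding. The hex blob is an OLE1
# header naming Equation.3 plus filler bytes; it carries no real exploit.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 "
    b"00000000 00000000}}}"
)
# Constructed sample: OLE2 magic followed by the two indicators. This is not
# a valid compound file, only enough bytes to exercise the raw scan.
SAMPLE_OLE2 = OLE2_MAGIC + b"\x00" * 24 + EQUATION_STREAM + b"\x00" * 8 + EQUATION_CLSID


if __name__ == "__main__":
    for name, sample in (("rtf", SAMPLE_RTF), ("ole2", SAMPLE_OLE2),
                         ("benign-rtf", b"{\\rtf1 hello}")):
        print(name, equation_indicators(sample))
```

For real files the OLE2 branch is better done by walking the directory with a compound-file parser (for example the `olefile` library) so the CLSID can be tied to the specific embedded object storage, but the raw scan already catches what the VirusTotal-style generic detections in the thread are looking for: the object is present, so the document deserves a closer look before it is opened on a machine with an unpatched Equation Editor.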
0xDEADBEEF (author), posted May 23, 2018 (edited):
Quoting itman (33 minutes ago): "This exploit was also patched a few months ago by Microsoft."
Yes... my test machine still has old Office 2007. BTW, this sample is spread through spam, so it is a "real-world" one.