Archived

This topic is now archived and is closed to further replies.

0xDEADBEEF

Document Exploit Detection

Was wondering why an ESET scan usually doesn't detect documents with exploits. For example, this file (scan shows clean with 17430):

https://www.virustotal.com/#/file/84a7c1eac6e1a130cb66126fa48258e9c7c8b60a2a5fd0fcd564305775757641/detection

Executing this sample in a virtual machine successfully downloads the payload and executes it through the Equation Editor exploit, and ESET detects the payload post-execution as FareIt using AMS. But I feel like detecting it at an earlier stage is better?

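The earlier-stage check asked about above can be approximated statically: a document that carries the Equation Editor exploit has to embed an Equation Editor 3.0 OLE object, which shows up as the ProgID Equation.3 or the class's CLSID (0002CE02-0000-0000-C000-000000000046) in the file before anything is executed. The scanner below is an added example written for this page, not ESET's engine, the VT vendors' logic or anything posted in the thread. It assumes the input is RTF, a legacy OLE compound file or an OOXML zip, and the sample documents it runs on are constructed inline. It is a heuristic, not an exploit detection: a legitimate document with an embedded equation trips it too, and RTF samples that obfuscate the object group more heavily than the whitespace splitting handled here can slip past the simple regexes.

```python
import io
import re
import zipfile

# Equation Editor 3.0 (EQNEDT32.EXE) identifiers as Office registers them.
# The CLSID is written in the little-endian byte layout used inside OLE
# compound files, so it can be searched for as raw bytes.
EQNEDT_PROGID = b"Equation.3"
EQNEDT_CLSID_BYTES = bytes.fromhex("02ce020000000000c000000000000046")


def _rtf_indicators(data):
    """Indicators in an RTF body: \\objclass and the hex-encoded \\objdata."""
    hits = []
    low = data.lower()
    if re.search(rb"\\objclass\s*equation\.3", low):
        hits.append("rtf:objclass Equation.3")
    # \objdata holds the OLE1 object as a hex string. RTF lets whitespace
    # (and, in obfuscated samples, control words) sit between the hex digits,
    # so everything that is not a hex digit is dropped before matching.
    for m in re.finditer(rb"\\objdata([^}]*)", low):
        hexdata = re.sub(rb"[^0-9a-f]", b"", m.group(1))
        if (EQNEDT_PROGID.hex().encode() in hexdata
                or EQNEDT_CLSID_BYTES.hex().encode() in hexdata):
            hits.append("rtf:objdata carries Equation.3 object")
            break
    return hits


def _ooxml_indicators(data):
    """Indicators in a .docx/.xlsx zip: OLEObject ProgID and embedded CFB CLSID."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    for name in zf.namelist():
        blob = zf.read(name)
        if name.endswith(".xml") and re.search(rb'ProgID="Equation\.3"', blob):
            hits.append("ooxml:%s ProgID=Equation.3" % name)
        if "/embeddings/" in name and EQNEDT_CLSID_BYTES in blob:
            hits.append("ooxml:%s embeds Equation Editor CLSID" % name)
    return hits


def scan_document(data):
    """Return the Equation Editor indicators found; an empty list means none."""
    if data.startswith(b"{\\rt"):            # Word accepts {\rt as an RTF header
        return _rtf_indicators(data)
    if data.startswith(b"PK\x03\x04"):        # OOXML is a zip container
        return _ooxml_indicators(data)
    if data.startswith(b"\xd0\xcf\x11\xe0"):  # legacy .doc/.xls compound file
        if EQNEDT_CLSID_BYTES in data:
            return ["cfb:Equation Editor CLSID in compound file"]
        return []
    return []


# Constructed sample inputs (not real malware): a minimal RTF with an embedded
# Equation.3 object whose objdata hex is split by whitespace, a benign RTF,
# and a minimal OOXML zip built in memory.
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000 0B000000 "
    + EQNEDT_PROGID.hex().upper().encode() + b"00 }}}"
)
BENIGN_RTF = b"{\\rtf1 Hello, world}"


def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    '<w:document><o:OLEObject Type="Embed" ProgID="Equation.3" '
                    'ShapeID="_x0000_i1025"/></w:document>')
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + EQNEDT_CLSID_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("rtf", SAMPLE_RTF), ("benign", BENIGN_RTF),
                       ("docx", build_sample_docx())):
        print(label, scan_document(doc))
```

To use it on real files, read each document as bytes and treat any non-empty result as "quarantine and look closer", not as proof of exploitation; the value of the check is that it fires before Word ever spawns EQNEDT32.EXE, which is exactly the stage the post-execution AMS detection described above misses.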
Hello @0xDEADBEEF

thank you for the report.

The detection for this sample has already been added.

It was not yet detected when you posted this, as it had not yet been processed by the automated sample processing system.

In case you have undetected samples or a suspicious application, please send them to our research lab as described at https://support.eset.com/kb141/#SubmitFile

Thank you, P.R.

7 hours ago, 0xDEADBEEF said:

exec it through the equation editor exploit

This exploit was also patched a few months ago by Microsoft.

2 hours ago, Peter Randziak said:

Hello @0xDEADBEEF

thank you for the report.

The detection for this sample has already been added.

It was not yet detected when you posted this, as it had not yet been processed by the automated sample processing system.

In case you have undetected samples or a suspicious application, please send them to our research lab as described at https://support.eset.com/kb141/#SubmitFile

Thank you, P.R.

Thanks! Originally I intended to ask whether ESET has generic exploit detection like the other vendors on VT, as shown on that webpage. From the updated detection name, I can see what's happening.

33 minutes ago, itman said:

This exploit was also patched a few months ago by Microsoft.

Yes... my test machine still has the old Office 2007 :rolleyes: BTW, this sample is spread through spam, so it is a "real-world" one.
