AndyfromIMPACT, posted May 31, 2018

Hi everyone, we are an MSP who recently took on a client that currently has ESET deployed on their workstations. We have been receiving an alert from ESET saying that it found a threat on a workstation, but we cannot determine anything from the log that it posted. The log is attached below, and we do see where the scanner looks through different file paths and marks some files as "archive damaged - the file could not be extracted." This doesn't really tell us anything, and ESET returns with no infections found if we manually kick off a scan.

Attachment: esetlog.txt
JamesR (ESET Staff), posted June 1, 2018

Using Notepad++ and Regex I was able to strip down all the irrelevant errors and attached the filtered log to this post. All the "archive damaged" and other errors can be ignored, as they happen on all computers because ESET will try to treat each file it scans as an archive and will log when it fails to treat it as an archive. The only threat found was this:

name="C:\Users\dcombs\Downloads\10.23_request.doc » ZIP » word/vbaProject.bin", threat="VBA/TrojanDownloader.Agent.EVX trojan", action="unable to clean", info=""

It might be a good idea to turn on strict cleaning for your scans. This would lead to ESET attempting to delete the file when cleaning of the file is not possible. If you are wanting to see about having improved cleaning for this sample, then you would need to generate an ESET Log Collector log (aka ELC) and submit it to samples@eset.com. Use this KB to download and run ELC and ensure you select "Threat Detection" in the drop-down list for ELC: https://support.eset.com/kb3466/

This KB can be used as a reference for submitting samples: https://support.eset.com/kb141/

Attachment: esetlog_filtered.txt
Marcos (Administrator), posted June 1, 2018

"Unable to clean" is also reported in cases with insufficient privileges, or if the file has been moved before ESET could clean it, which could be the case here given the folder name C:\Users\dcombs\Downloads. We'd need to get a Procmon log with advanced output enabled from the time when ESET is attempting to clean it, as well as logs gathered by ELC as advised above by JamesR.

"Archive damaged" messages are reported on archives that are either damaged or extremely large. Check if the size of the archives is in GB.
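A scripted version of the triage JamesR did by hand in Notepad++, combined with Marcos's caveat about "unable to clean". This is an added example, not code from the thread or from ESET: the sample log is constructed, modelled on the single detection line quoted above, and the layout of the noise lines and the second detection name are assumptions rather than real ESET output.

```python
import re
from collections import Counter

# Constructed sample of key="value" scan-log lines. Only the first detection
# line mirrors the one quoted in the thread; the rest are made-up filler.
SAMPLE_LOG = r'''
name="C:\Users\dcombs\Downloads\setup.exe", threat="", action="", info="archive damaged - the file could not be extracted"
name="C:\Users\dcombs\Downloads\10.23_request.doc » ZIP » word/vbaProject.bin", threat="VBA/TrojanDownloader.Agent.EVX trojan", action="unable to clean", info=""
name="C:\Windows\Temp\pkg.cab", threat="", action="", info="archive damaged - the file could not be extracted"
name="C:\Users\dcombs\Downloads\invoice.zip » ZIP » invoice.js", threat="EXAMPLE/Placeholder.Detection trojan", action="cleaned by deleting", info=""
'''

# Matches each key="value" pair; values in this format contain no quotes.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_fields(line):
    """Split one key="value", key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def triage(log_text):
    """Return (detections, noise_counter).

    detections: parsed lines with a non-empty threat field. Each is tagged
    needs_followup=True when the action was "unable to clean", which the
    thread notes can also mean insufficient privileges or a file that was
    moved before cleaning, so it is not on its own proof of a live infection.
    noise_counter: number of filtered-out lines, keyed by their info text.
    """
    detections, noise = [], Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = parse_fields(line)
        if not fields.get("threat"):
            # Scanner tried to open the file as an archive and failed; expected.
            noise[fields.get("info", "")] += 1
            continue
        fields["needs_followup"] = fields.get("action") == "unable to clean"
        detections.append(fields)
    return detections, noise


if __name__ == "__main__":
    found, dropped = triage(SAMPLE_LOG)
    print(f"dropped {sum(dropped.values())} noise lines: {dict(dropped)}")
    for d in found:
        flag = "FOLLOW UP" if d["needs_followup"] else "ok"
        print(f"[{flag}] {d['threat']} -> {d['name']} ({d['action']})")
```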