Archived

This topic is now archived and is closed to further replies.

AndyfromIMPACT

Infection Alert - Log Results Are not Clear

Hi everyone, we are an MSP who recently took on a client that currently has ESET deployed on their workstations. We have been receiving an alert from ESET saying that it found a threat on a workstation, but we cannot determine anything from the log that it posted. The log is attached below and we do see where the scanner looks through different file paths and marks some files as "archive damaged - the file could not be extracted." This doesn't really tell us anything, and ESET returns with no infections found if we manually kick off a scan. 

esetlog.txt

Using Notepad++ and Regex I was able to strip down all the irrelevant errors and attached the filtered log to this post. All the "archive damaged" and other errors can be ignored as they happen on all computers because ESET will try to treat each file it scans as an archive and will log when it fails to treat it as an archive.

The only threat found was this:

name="C:\Users\dcombs\Downloads\10.23_request.doc ► ZIP ► word/vbaProject.bin", threat="VBA/TrojanDownloader.Agent.EVX trojan", action="unable to clean", info=""

It might be a good idea to turn on strict cleaning for your scans.  This would lead to ESET attempting to delete the file when cleaning of the file is not possible.

If you are wanting to see about having improved cleaning for this sample, then you would need to generate an ESET Log Collector log (aka ELC) and submit it to samples@eset.com.

Use this KB to download and run ELC and ensure you select "Threat Detection" in the drop down list for ELC: https://support.eset.com/kb3466/

This KB can be used as a reference for submitting samples: https://support.eset.com/kb141/

esetlog_filtered.txt
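As an added example (not part of this thread and not ESET's tooling), the filtering JamesR did by hand in Notepad++ expressed as a small Python script: it parses the key="value" entries, drops lines that name no threat or carry the "archive damaged" noise, splits ESET's "►" container notation into the on-disk file, archive type and inner object, and flags detections ESET reported as "unable to clean". The sample log lines are constructed to match the shape of the single line quoted above; real ESET exports may differ in field names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Matches the key="value" entries seen in the log line quoted in the thread.
ENTRY_RE = re.compile(r'(\w+)="([^"]*)"')
# ESET writes "outer file ► archive type ► inner object" for nested detections.
CONTAINER_SEP = " \u25ba "
# Noise JamesR stripped: the scanner tried to open the file as an archive and failed.
NOISE_MARKERS = ("archive damaged",)

@dataclass
class Detection:
    path: str                  # outermost file on disk
    container: Optional[str]   # archive type (e.g. ZIP) when the hit is nested
    member: Optional[str]      # object inside the container that was detected
    threat: str
    action: str
    needs_followup: bool       # True when ESET reported it could not clean

def parse_entry(line: str) -> dict:
    return dict(ENTRY_RE.findall(line))

def is_noise(entry: dict) -> bool:
    # Clean files and archive-handling errors name no threat; skip them.
    info = entry.get("info", "").lower()
    return not entry.get("threat") or any(m in info for m in NOISE_MARKERS)

def detections(lines: List[str]) -> List[Detection]:
    out = []
    for line in lines:
        e = parse_entry(line)
        if not e or is_noise(e):
            continue
        parts = e["name"].split(CONTAINER_SEP)
        out.append(Detection(
            path=parts[0],
            container=parts[1] if len(parts) > 2 else None,
            member=parts[-1] if len(parts) > 1 else None,
            threat=e["threat"],
            action=e.get("action", ""),
            needs_followup=e.get("action", "").lower() == "unable to clean",
        ))
    return out

# Constructed sample lines in the same key="value" shape as the thread's example.
SAMPLE_LOG = [
    'name="C:\\Windows\\System32\\kernel32.dll", threat="", action="", info="archive damaged - the file could not be extracted"',
    'name="C:\\Users\\dcombs\\Downloads\\10.23_request.doc \u25ba ZIP \u25ba word/vbaProject.bin", threat="VBA/TrojanDownloader.Agent.EVX trojan", action="unable to clean", info=""',
]
```

Running `detections(SAMPLE_LOG)` leaves one entry: the macro downloader inside the .doc, flagged for follow-up because the action was "unable to clean".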


"Unable to clean" is also reported in cases of insufficient privileges, or if the file was moved before ESET could clean it, which could be the case here given the folder name C:\Users\dcombs\Downloads.

We'd need to get a Procmon log with advanced output enabled from the time when ESET is attempting to clean it as well as logs gathered by ELC as advised above by JamesR.

"Archive damaged" messages are reported on archives that are either damaged or extremely large. Check if the size of the archives is in GB.
