0xDEADBEEF, posted June 1, 2018:

I've noticed ESET detects Tencent IM's installer as Tencent.O PUA. May I ask what's the reason for ESET to categorize it as PUA?

Link to the installer: https://dldir1.qq.com/qqfile/qq/TIM2.2.0/23808/TIM2.2.0.exe

itman, posted June 1, 2018:

Eset also doesn't like Tencent's Spectre test. It flags it as JS/Exploit.Spectre; most likely due to its running of the Spectre POC code.

0xDEADBEEF (Author), posted June 1, 2018:

5 hours ago, itman said:
> Eset also doesn't like Tencent's Spectre test. It flags it as JS/Exploit.Spectre; most likely due to its running of the Spectre POC code.

hmm, was wondering what kind of signature is extracted from that exploit script

BTW I am curious about the malicious behaviors of this Tencent.O. Since it is a very popular IM software in China, I don't think ESET will detect this without a good reason.

Marcos (Administrators), posted June 2, 2018:

Tencent has been detected as PUA since 2015. Since it was not me who analyzed it, I don't know what's exactly wrong with it. However, the detection was created by an experienced PUA engineer so there was definitely something that makes it PUA.

0xDEADBEEF (Author), posted June 2, 2018:

12 minutes ago, Marcos said:
> Tencent has been detected as PUA since 2015. Since it was not me who analyzed it, I don't know what's exactly wrong with it. However, the detection was created by an experienced PUA engineer so there was definitely something that makes it PUA.

I appreciate if ESET can disclose some detailed reasons behind this detection. It can help me evaluate whether to whitelist this software or not (and the truth is most Chinese users simply whitelist this detection... therefore knowing the reason serves as a better justification for not whitelisting this PUA)