What Does Eset Do With Suspicious Files?

[itman 1,720]

I recently ran a compressed malware test here: https://www.fortinet.com/offers/test-your-system-malware-detection-capabilities.html . Eset scored 17/18 only failing the password protected archive test. It actually did detect it as suspicious and submitted it via LiveGrid to Eset's servers for further analysis. Fortinet rated Eset as excellent in archive protection.

Eset's quarantine file showed 17 archive detections. The "suspicious" password protected archive never hit my disk as best as I can determine; it definitely was not in my designated download directory. However, it appears the submitted suspicious file was never recorded as resolved locally since there was no entry for it in the quarantine file. If I didn't have LiveGrid logging enabled, I would have never known the file had been detected and submitted.

It appears that Eset servers do not communicate back to the submission source the malicious status of suspicious files? Perhaps only in the instance where the file is physically present on the submitter's device? 

Edited June 1, 2018 by itman

[Marcos 5,168]

Files evaluated by ESET products as suspicious for whatever reason (e.g. they look similar to known malware) are replicated automatically after they are submitted. If they turn out to be malicious, a detection is added either automatically or manually by detection engineers. Such file is also blacklisted in LiveGrid if possible so that all users with LiveGrid enabled can benefit from it and be protected within a few minutes.

As for manual submissions, if we spot a suspicious file submitted manually via the built-in form, we check it. However, since there are too many irrelevant files submitted (clean files, media files, etc.), we don't recommend using this way for submitting suspicious files. Instead, please follow the instructions at https://support.eset.com/kb141.

[itman 1,720]

1 hour ago, Marcos said:

Files evaluated by ESET products as suspicious for whatever reason (e.g. they look similar to known malware) are replicated automatically after they are submitted. If they turn out to be malicious, a detection is added either automatically or manually by detection engineers. Such file is also blacklisted in LiveGrid if possible so that all users with LiveGrid enabled can benefit from it and be protected within a few minutes.

I already knew this.

I will just assume in the scenario I posted, LiveGrid processing upon resolution will delete the local copy of the submitted file and that's the end of it. 

[Marcos 5,168]

Quote

I will just assume in the scenario I posted, LiveGrid processing upon resolution will delete the local copy of the submitted file and that's the end of it.

If a submitted file becomes detected, e.g.due to being blacklisted in LiveGrid or because a detection was added, it will be cleaned like any other malware.

Unlike the LiveGrid feedback system, in case of ESET Dynamic Threat Defense technology the client will receive a response with scan results from ESET minutes after samples were submitted, run in ESET's sandboxed environment and their dangerousness was evaluated also using machine learning techniques. EDTD will be provided as an additional service and will be included in Endpoint and server products v7+.

As for the sample that wasn't detected and you submitted it, please provide me with its hash.

 

[Daedalus 16]

3 hours ago, Marcos said:

As for the sample that wasn't detected and you submitted it, please provide me with its hash.

See hxxp://metal.fortiguard.com/tests/

ESET is not handling this test well: Passworded ZIP - ZIP test file

 

[Marcos 5,168]

I'm sorry but the archive is password protected. Without knowing the password, neither humans nor AV scanners can scan inside password protected archives. If we were to brute force the password, it could take more than a day for a 6-char. password provided that 500,000 passwords were tried per second.

[itman 1,720]

8 hours ago, Marcos said:

As for the sample that wasn't detected and you submitted it, please provide me with its hash.

It was submitted automatically upon detection. Hence, I cannot provide its hash:

Again, all I am stating is that there is no record of this detection other than the above event log entry. I assume this is so because the file was never physically present on my PC. Eset captured the file in the download stage via web filtering. Since it was a password protected file, it appears Eset's analysis servers couldn't do much with it other than discard it. I state this since there is no record of the file being eventually placed in Eset's quarantine file on my PC.

My question was and remains is what if this was a valid password protected file that was indeed not malicious? I believe how this should work is the file is placed into quarantine. Then when Eset's analysis servers determine the file is safe, it is auto removed from quarantine and restored to its original download location. Also by being placed into quarantine originally, the user would have the ability to remove it if it was a false positive detection by Eset. 

Edited June 2, 2018 by itman

[itman 1,720]

For anyone concerned about Eset not detecting malware within a password protected archive, that is of no concern. It would detect the malware when the password was entered and the files were extracted from the archive.

The Fortinet test was specifically addressed to detection of malware in compressed archives only.

[0xDEADBEEF 43]

9 hours ago, Marcos said:

EDTD will be provided as an additional service and will be included in Endpoint and server products v7+

Is there an ETA for EDTD being available in v7 product?

[Marcos 5,168]

59 minutes ago, 0xDEADBEEF said:

Is there an ETA for EDTD being available in v7 product?

I'd say very soon. It will require a special license for activation since it will be provided as an extra paid service.