raven428 Posted December 23, 2013

I have a file with a variant of Win32/Kryptik.BRKV named skype_update_december2013_patch8686868.pdf.exe which is selectively blocked by ESET AV on the Win7 64-bit edition. I tried two versions, 5 and 7, with today's virus definitions. The algorithm is as follows:
1. disable the AV;
2. extract this file from an archive encrypted with a password;
3. enable the AV;
4. try to execute or open that file;
5. it gets past ESET AV and after executing the system is infected;
6. no reaction at all from ESET AV for this file while executing it, or opening it to read or to edit.
ESET AV version 5 on 32-bit Windows XP Service Pack 2 also has an issue with this file: it allows the file to be opened and tries to block and remove it after the system has already opened the file and the system is already infected. All tests I made with the default settings of ESET AV. What should I do or configure to defend my computers from this virus with ESET AV?
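As an added example (not from the thread or from ESET), a small Python check that flags names like the one above, where a document extension such as .pdf is immediately followed by an executable one; the extension lists and the sample file names are assumed, not taken from any product.

```python
import ntpath

# Assumed lists for illustration: extensions Windows will execute, and
# extensions a user expects to be a harmless document or image.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
RLO = "\u202e"  # right-to-left override, used to visually reverse an extension


def is_deceptive_name(path: str) -> bool:
    """True if the file name is dressed up as a document but ends in an
    executable extension, e.g. 'update.pdf.exe' or 'photo.jpg      .scr'.
    Handles case differences, padding spaces that push the real extension
    off-screen in Explorer, and the RLO character trick."""
    name = ntpath.basename(path).lower()
    if RLO in name:
        return True
    parts = name.split(".")
    if len(parts) < 3:
        return False  # at most one extension; nothing to disguise
    last = "." + parts[-1].strip()
    disguise = "." + parts[-2].strip()
    return last in EXECUTABLE_EXTS and disguise in DOCUMENT_EXTS


def find_deceptive(names):
    """Return the subset of names that look like disguised executables."""
    return [n for n in names if is_deceptive_name(n)]


# Constructed sample listing; only the first name comes from the thread.
SAMPLE_NAMES = [
    "skype_update_december2013_patch8686868.pdf.exe",
    "archive.tar.gz",
    "setup.exe",
    r"C:\Users\alice\Downloads\photo.jpg        .scr",
    "report.pdf",
]

if __name__ == "__main__":
    for n in find_deceptive(SAMPLE_NAMES):
        print("suspicious:", n)
```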
Marcos (Administrator) Posted December 23, 2013

Disabling antivirus protection to run malware intentionally and then complaining that the malware has infected the system sounds .... weird, to say the least.
raven428 (Author) Posted December 23, 2013

> Disabling antivirus protection to run malware intentionally and then complaining that the malware has infected the system sounds .... weird, to say the least.

Maybe you will try to read the whole post more carefully before irrelevant irony? I disabled the AV only for the test, to extract the file. I tried to access it after enabling the AV and waiting some time, even rebooting the system. EAV ignores any access to this file. I paid money for the product and I would like proper defence for my systems. Now my home computers with EAV installed have been infected by this trojan, and I am looking to buy other antivirus products if you provide support like this.
Marcos (Administrator) Posted December 23, 2013

If the file is already detected (which it probably is, as you mentioned the name Win32/Kryptik.BRKV), v6 and v7 must detect it upon execution, as they both already had advanced heuristics enabled on file execution. With older versions, where this option was disabled by default, it was possible to get infected (e.g. if one disabled protection modules and downloaded malware). I'd suggest sending the file along with your product configuration exported to XML to ESET as per the instructions here.
SweX Posted December 23, 2013

> I have a file with a variant of Win32/Kryptik.BRKV named skype_update_december2013_patch8686868.pdf.exe which is selectively blocked by ESET AV on the Win7 64-bit edition.

There you go, ESET did its job.

> What should I do or configure to defend my computers from this virus with ESET AV?

1. Don't disable the AV, 2. execute the malware, 3. just to see if you will get infected or not.

> Now my home computers with EAV installed have been infected by this trojan

I wonder how? You just said that ESET prevented the infection in your first post, see the first quote.

> I disabled the AV only for the test, to extract the file

This sort of "test" is not a very good idea at all to do on your real system, which it sounds like you did; they should be done in a secure environment like a VM where a possible infection won't matter and can be "wiped" out. On a positive note, you should be happy that you didn't execute a variant of some ransomware or Cryptolocker.
Marcos (Administrator) Posted December 23, 2013

> What should I do or configure to defend my computers from this virus with ESET AV?
> 1. Don't disable the AV, 2. execute the malware, 3. just to see if you will get infected or not.

I'd add: 2. Don't execute the malware on production systems. If you want to do some tests, do them on isolated computers (physical or virtual) not containing confidential or important files.
PodrskaNORT (ESET Insider) Posted December 23, 2013

If I may put in my $.02... There is no 100% security, not in real life and not in IT life. I believe the AV industry is by far the most successful security IT branch; had other security branches been as successful in stopping hack attempts, we would have a much safer environment. Yet, if an attacker has physical and Admin access to the machine (Admin access would be enough), I don't believe there is *any* security program (not only AV) that could stop even "script-kiddie" kinds of attacks, not to mention any serious malware attempts. So, yes, with physical and Admin access anyone can kill the machine in 5 seconds with, let's say, a one-line batch script, no matter if it has 9 AV programs installed or none :-)

Tomo
HAN_NOD32 Posted December 29, 2013

> If the file is already detected (which it probably is, as you mentioned the name Win32/Kryptik.BRKV), v6 and v7 must detect it upon execution, as they both already had advanced heuristics enabled on file execution. With older versions, where this option was disabled by default, it was possible to get infected (e.g. if one disabled protection modules and downloaded malware). I'd suggest sending the file along with your product configuration exported to XML to ESET as per the instructions here.

Just looking for some clarification... I checked my new version 7 install and verified that indeed, advanced heuristics on file execution are enabled by default. I assume that the algorithms used for these choices (beginning with version 6) were greatly improved over version 5? I remember from the old NOD32 forum this being a big, sticky issue back then. Advanced heuristics on file execution were definitely not on by default back then. (Based on this thread, it sounds like it's now an important thing to leave on!) BTW, the help file bundled with version 7 explicitly says that advanced heuristics on file execution are disabled by default. You might wish to correct it...
SweX Posted December 29, 2013

Yes, in V7 Advanced Heuristics on execution is enabled by default, and Advanced Heuristics during real-time scanning is disabled by default. IMO there's no real need to enable AH under real-time scanning, but it's important to keep it enabled for "on execution".
toxinon12345 (ESET Insider) Posted January 9, 2014

> SweX, on 29 Dec 2013 - 12:38 PM, said: Yes, in V7 Advanced Heuristics on execution is enabled by default, and Advanced Heuristics during real-time scanning is disabled by default. IMO there's no real need to enable AH under real-time scanning, but it's important to keep it enabled for "on execution".

This is true, but I think there is a potential internal bug in the scanner module: malware is detected without the need to execute it, even if you uncheck File Open scanning.
Marcos (Administrator) Posted January 9, 2014

> This is true, but I think there is a potential internal bug in the scanner module: malware is detected without the need to execute it, even if you uncheck File Open scanning.

It is not clear what you mean by the internal bug. Please elaborate and provide step-by-step instructions on how to reproduce it. Rather than a bug, I assume it must have been a misunderstanding of the options.