
trojan passed by eset av


raven428


I have a file with a variant of Win32/Kryptik.BRKV named skype_update_december2013_patch8686868.pdf.exe which is selectively blocked by ESET AV on Win7 64-bit edition. I tried two versions, 5 and 7, with today's virus definitions. The algorithm is as follows:

1. disable AV;
2. extract this file from an archive encrypted with a password;
3. enable AV;
4. try to execute or open that file;
5. it is passed by ESET AV and after executing the system is infected;
6. no reaction at all from ESET AV to this file while executing it, or opening it to read or to edit.

ESET AV version 5 on 32-bit Windows XP Service Pack 2 also has an issue with this file: it allows the file to be opened and tries to block and remove it after the system has already opened the file and is already infected.

All tests I made with the default settings of ESET AV. What should I do or configure to defend my computers from this virus with ESET AV?

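The file name in the post above, skype_update_december2013_patch8686868.pdf.exe, uses the classic double-extension lure: a document extension placed in front of the real executable extension, which Windows Explorer hides by default ("Hide extensions for known file types"). The following is an added example, not code from the thread or from ESET, showing how a defender might flag such names before a user gets the chance to double-click them. It generalizes beyond the single case in the post: it also catches the variant where spaces are padded between the fake and the real extension, and it treats script and shortcut extensions as executable. The extension lists are constructed for the example and are not exhaustive.

```python
import os
from typing import Iterable, List

# Extensions Windows will run directly when double-clicked (PE images,
# scripts, shortcuts). Constructed for this example; extend for your estate.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk",
}

# Extensions a user expects to open a passive document or media file.
DOCUMENT_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".jpg", ".jpeg", ".png", ".gif", ".txt", ".mp3", ".mp4", ".zip",
}


def is_double_extension_lure(path: str) -> bool:
    """Return True when the final extension is executable and the extension
    immediately before it is a document/media type, e.g. 'invoice.pdf.exe'.

    Padding with spaces between the two extensions ('photo.jpg     .scr'),
    used to push the real extension out of view in narrow columns, is
    normalized away before the comparison.
    """
    name = os.path.basename(path).lower()
    parts = name.split(".")
    if len(parts) < 3:
        # A single extension can't masquerade as another one.
        return False
    real_ext = "." + parts[-1].strip()
    shown_ext = "." + parts[-2].strip()
    return real_ext in EXECUTABLE_EXTENSIONS and shown_ext in DOCUMENT_EXTENSIONS


def flag_suspicious(paths: Iterable[str]) -> List[str]:
    """Filter a list of paths (e.g. a download folder listing or an archive
    manifest) down to the names that look like double-extension lures."""
    return [p for p in paths if is_double_extension_lure(p)]


# Constructed sample listing: the name from the forum post plus benign
# neighbours and one space-padded variant.
SAMPLE_FILENAMES = [
    r"C:\Users\victim\Downloads\skype_update_december2013_patch8686868.pdf.exe",
    "report.pdf",
    "setup.exe",
    "archive.tar.gz",
    "notes.txt.bak",
    "photo.jpg          .scr",
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_FILENAMES):
        print("suspicious double extension:", hit)
```

A check like this belongs in mail-gateway or download-folder monitoring rather than on the user's desktop; it complements, but does not replace, the on-execution heuristics discussed later in the thread, since a renamed file is still the same binary.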

  • Administrators

Disabling antivirus protection to run malware intentionally and then complaining that the malware has infected the system sounds .... weird to say the least.


Disabling antivirus protection to run malware intentionally and then complaining that the malware has infected the system sounds .... weird to say the least.

Maybe you should try to read the whole post more carefully before the irrelevant irony? I disabled the AV only to extract the file for the test. I tried to access it after enabling the AV and waiting some time, even rebooting the system. EAV ignores any access to this file.

I paid money for the product and I would like proper defence for my systems. Now my home computers with EAV installed have been infected by this trojan, and I am looking to buy other antivirus products if you provide support like this.


  • Administrators

If the file is already detected (which it probably is, as you mentioned the name Win32/Kryptik.BRKV), v6 and v7 must detect it upon execution as they both already have advanced heuristics enabled on file execution. With older versions where this option was disabled by default, it was possible to get infected (e.g. if one disabled protection modules and downloaded malware). I'd suggest sending the file along with your product configuration exported to XML to ESET as per the instructions here.


I have a file with a variant of Win32/Kryptik.BRKV named skype_update_december2013_patch8686868.pdf.exe which is selectively blocked by ESET AV on Win7 64-bit edition.

There you go, ESET did its job.

What should I do or configure to defend my computers from this virus with ESET AV?

1. Don't disable the AV, 2. Execute the malware, 3. Just to see if you will get infected or not.

Now my home computers with EAV installed have been infected by this trojan

I wonder how? You just said that ESET prevented the infection in your first post, see the first quote.

I disabled the AV only to extract the file for the test

This sort of "test" is not a very good idea at all to do on your real system, which it sounds like you did; they should be done in a secure environment like a VM where a possible infection won't matter and can be "wiped" out.

On a positive note, you should be happy that you didn't execute a variant of some ransomware or Cryptolocker. :)


  • Administrators

What should I do or configure to defend my computers from this virus with ESET AV?

1. Don't disable the AV, 2. Execute the malware, 3. Just to see if you will get infected or not.

I'd add - 2, Don't execute the malware on production systems :) If you want to do some tests, do them on isolated computers (physical or virtual) not containing confidential or important files.


  • ESET Insiders

If I may put in my $.02...

There is no 100% security - not in real life, not in IT life.

I believe the AV industry is by far the most successful security IT branch - had other security branches been as successful in stopping hack attempts, we would have a much safer environment.

Yet, if an attacker has physical & Admin access to a machine (Admin access would be enough) - I don't believe there is *any* security program (not only AV) that could stop even "script-kiddie" kinds of attacks, not to mention any serious malware attempts.

So, yes - with physical & Admin access anyone can kill the machine in 5 seconds with, let's say, a one-line batch script, no matter if it has 9 AV programs installed or none :-)

 

Tomo


If the file is already detected (which it probably is, as you mentioned the name Win32/Kryptik.BRKV), v6 and v7 must detect it upon execution as they both already have advanced heuristics enabled on file execution. With older versions where this option was disabled by default, it was possible to get infected (e.g. if one disabled protection modules and downloaded malware). I'd suggest sending the file along with your product configuration exported to XML to ESET as per the instructions here.

Just looking for some clarification...

I checked my new version 7 install and verified that indeed, advanced heuristics on file execution are enabled by default.

I assume that the algorithms used for these choices (beginning with version 6) were greatly improved over version 5? I remember from the old NOD32 forum this being a big, sticky issue back then. Advanced heuristics on file execution were definitely not on by default back then. (Based on this thread, it sounds like it's now an important thing to leave on!)

BTW, the help file bundled with version 7 explicitly says that advanced heuristics on file execution are disabled by default. You might wish to correct it...


Yes, in V7 Advanced Heuristics on execution is enabled by default.

And Advanced Heuristics during real-time scanning is disabled by default.

And IMO there's no real need to enable AH under real-time scanning. But it's important to keep it enabled for "on execution".

  • ESET Insiders

SweX, on 29 Dec 2013 - 12:38 PM, said:

Yes, in V7 Advanced Heuristics on execution is enabled by default.

And Advanced Heuristics during real-time scanning is disabled by default.

And IMO there's no real need to enable AH under real-time scanning. But it's important to keep it enabled for "on execution".

This is true, but I think there is a potential internal bug in the scanner module.

Malware is detected without the need to execute it - even if you uncheck FileOpen scanning.


  • Administrators

This is true, but I think there is a potential internal bug in the scanner module.

Malware is detected without the need to execute it - even if you uncheck FileOpen scanning.

It is not clear what you mean by the internal bug. Please elaborate and provide step-by-step instructions on how to reproduce it. Rather than a bug, I assume it must have been a misunderstanding of the options.
