Jump to content

Why ESET flagging password-protected files as "Detection" ?


Recommended Posts

Today I renewed my ESET Internet Security license and upgraded to 12.1.31.0 . During system startup I noticed performance improvement. I am not sure there are really any optimizations at this stage or not.

I performed a full scan but now 22 password-protected files were marked "Detections". The previous version was not marking this.

Why a password-protected file is a Detection?

 

Link to comment
Share on other sites

  • Administrators

Please clarify what you mean by that password protected file is a detection. It's obviously not, ie. password protected files are not detected and cleaned like malware.

Link to comment
Share on other sites

To begin with, password protected files are almost always archives as your screen shot shows.

I checked a few of my 12.0.31 scan logs and see the same "error - password-protected file" associated with know password protected archive files. So this status is not unique to the new 12.1.31 version. I started seeing these log entries when I changed Eset's default Smart Scan profile ThreatSense settings to scan archive files. In previous Eset versions, the Smart Scan profile did not scan archive files. Note that it is impossible for Eset to open a password protected file. Hence the message shown in the log although I personally believe the message should be a warning.

One possible explanation as to why "error - password-protected file" message is now showing in ver. 12.1.31 scan log is Eset might have changed the default Smart Scan profile to now scan archive files?

Also in my scan logs with these messages, I show zero detections. It appears Eset is flagging a password protected file, script.dat, within an archive as suspicious. Normally, the entire archive is password protected. I also would treat this as suspicious since its a great way to hide malware within an installer for example.

Edited by itman
Link to comment
Share on other sites

  • Administrators

In v12.1 we changed the way how PUAs are treated. Before any unhandled detection was displayed in red which used to raise concerns and users tend to think they were infected even if only PUAs were detected. Now PUAs detection are only yellow. I see your point; we will internally discuss the colors for errors and PUA detections.

Link to comment
Share on other sites

Ideally, password-protected file should be marked "Could not scan" instead of Detection and quarantined. Flagging as "Detection" unnecessary raises concern.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...