Jump to content

ESET Not detecting AutoIT


Recommended Posts

Dear All,

 

A customer File server was infiltrated with files in local drive E was hidden and folder replication with different directories

 

When we use ESET to perform on demand scan, we were unable to stop the folder replication, but the client said other AVs like

 

Malwarebytes and Windows defender was able to detect AutoIT malware before we quarantine it with ESET, we need analysis on Root Cause Analysis as demanded by the customer and how to stop the re-occurring infiltration and guide for future reference

 

Please see retrieved log  (ASANKO_GOLD_LOG 28.02.2020 ) on ESET FTP support folder

 

Anticipating your kind response

 

Regards

Link to post
Share on other sites
  • Most Valued Members
3 hours ago, mayowa said:

Dear All,

 

A customer File server was infiltrated with files in local drive E was hidden and folder replication with different directories

 

When we use ESET to perform on demand scan, we were unable to stop the folder replication, but the client said other AVs like

 

Malwarebytes and Windows defender was able to detect AutoIT malware before we quarantine it with ESET, we need analysis on Root Cause Analysis as demanded by the customer and how to stop the re-occurring infiltration and guide for future reference

 

Please see retrieved log  (ASANKO_GOLD_LOG 28.02.2020 ) on ESET FTP support folder

 

Anticipating your kind response

 

Regards

While possibly unrelated someone else was posting about auto.it the other day although they wanted to exclude it. If I'm correct it is classed as a PUA. Do you have PUA detection enabled? 

 

Link to post
Share on other sites
26 minutes ago, peteyt said:

While possibly unrelated someone else was posting about auto.it the other day although they wanted to exclude it. If I'm correct it is classed as a PUA. Do you have PUA detection enabled? 

 

Hello Peteyt,

The PUA was enabled on the file security and ESET maximum security policy fully integrated to endpoints but we are still faced with the issues list above 

Link to post
Share on other sites

I believe Eset's PUA detection of AutoIt only applies to attempted installations of it.

AutoIt is an interpretive language similar to Python. Unlike Python, the AutoIt interrupter is quite compact and is usually bundled in an .exe along with the malicious AutoIt script:

Quote

What is a “Compiled” AutoIT Executable?

A compiled AutoIT executable basically consists of two parts: a standalone AutoIT interpreter and the compiled script bytecode present as a resource in the PE file. The creators of AutoIT have taken some measures against easy decompilation and applied a form of compression and encryption on the bytecode. The decompression of the bytecode is performed by the compiled AutoIT binary before it is interpreted and executed.

https://unit42.paloaltonetworks.com/autoit-compiled-malware/

My guess is Eset's detection of a malicious AutoIt .exe would be the same as that for any other .exe; primarily by signature.

I suspect Windows Defender was able to detect this using its block-at-first-sight processing which submits any unknown process to its Azure cloud scanners which perform sandbox analysis of the process.

Additional AutoIt malware references:

https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-used-to-spread-malware-and-toolsets/

https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/

Edited by itman
Link to post
Share on other sites
54 minutes ago, Marcos said:

The executable is a legitimate Autoit, ie. not subject to detection.

Forgot to mention that both WD and MBAM are prone to false positives.

Link to post
Share on other sites
  • 3 weeks later...
On 3/5/2020 at 12:26 PM, peteyt said:

While possibly unrelated someone else was posting about auto.it the other day although they wanted to exclude it. If I'm correct it is classed as a PUA. Do you have PUA detection enabled? 

 

I only ended up exluding the files, not the entire PUA.

So any future treats of the AutoIt are still being detected.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...