mayowa

ESET Not detecting AutoIT

Recommended Posts

Dear All,

A customer's file server was infiltrated: files on local drive E were hidden and folders were replicated under different directories.

When we used ESET to perform an on-demand scan, we were unable to stop the folder replication, but the client said other AVs like Malwarebytes and Windows Defender were able to detect the AutoIT malware before we quarantined it with ESET. We need a root cause analysis, as demanded by the customer, and guidance on how to stop the recurring infiltration for future reference.

Please see the retrieved log (ASANKO_GOLD_LOG 28.02.2020) in the ESET FTP support folder.

Anticipating your kind response.

Regards

While possibly unrelated someone else was posting about auto.it the other day although they wanted to exclude it. If I'm correct it is classed as a PUA. Do you have PUA detection enabled? 

26 minutes ago, peteyt said:

While possibly unrelated someone else was posting about auto.it the other day although they wanted to exclude it. If I'm correct it is classed as a PUA. Do you have PUA detection enabled? 

 

Hello Peteyt,

PUA detection was enabled in File Security, and the ESET maximum security policy is fully applied to the endpoints, but we are still faced with the issues listed above.

I believe Eset's PUA detection of AutoIt only applies to attempted installations of it.

AutoIt is an interpreted language similar to Python. Unlike Python, the AutoIt interpreter is quite compact and is usually bundled in an .exe along with the malicious AutoIt script:

Quote

What is a “Compiled” AutoIT Executable?

A compiled AutoIT executable basically consists of two parts: a standalone AutoIT interpreter and the compiled script bytecode present as a resource in the PE file. The creators of AutoIT have taken some measures against easy decompilation and applied a form of compression and encryption on the bytecode. The decompression of the bytecode is performed by the compiled AutoIT binary before it is interpreted and executed.

https://unit42.paloaltonetworks.com/autoit-compiled-malware/

My guess is Eset's detection of a malicious AutoIt .exe would be the same as that for any other .exe; primarily by signature.

I suspect Windows Defender was able to detect this using its block-at-first-sight processing which submits any unknown process to its Azure cloud scanners which perform sandbox analysis of the process.

Additional AutoIt malware references:

https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-used-to-spread-malware-and-toolsets/

https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/

Edited by itman
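As an added example (not code from this thread, from ESET or from the linked articles): a small Python triage script that flags PE files carrying the compiled AutoIt script marker, the structure described in the quoted Unit42 text. It assumes the well-known "AU3!EA06" marker string and uses constructed sample bytes; a hit means only "compiled AutoIt", which can equally be a legitimate AutoIt executable, so it is a lead for further analysis, not a verdict.

```python
import os
from typing import Dict, List

# Marker that precedes a compiled AutoIt3 script stored inside the executable.
# Assumption for this example: the well-known "AU3!EA06" signature string.
AU3_MARKER = b"AU3!EA06"

# Constructed sample files (not real malware): bytes a triage sweep might meet.
SAMPLES: Dict[str, bytes] = {
    "invoice.exe": b"MZ" + b"\x00" * 64 + AU3_MARKER + b"\x00" * 16 + b"script body",
    "notepad.exe": b"MZ" + b"\x00" * 64 + b"no embedded script here",
    "readme.txt": b"plain text that happens to mention " + AU3_MARKER,
}


def classify_bytes(data: bytes) -> Dict[str, object]:
    """Report whether the bytes look like a PE that carries a compiled AutoIt script.

    A hit only says "compiled AutoIt", which is also what a legitimate AutoIt
    tool looks like; it is a triage lead, not a verdict.
    """
    is_pe = data[:2] == b"MZ"
    offset = data.find(AU3_MARKER) if is_pe else -1
    return {"is_pe": is_pe, "compiled_autoit": offset != -1, "marker_offset": offset}


def triage_samples() -> List[str]:
    """Names of the constructed samples flagged as compiled AutoIt executables."""
    return [name for name, data in SAMPLES.items() if classify_bytes(data)["compiled_autoit"]]


def triage_directory(root: str) -> List[Dict[str, object]]:
    """Walk a directory tree and return records for every compiled-AutoIt PE found."""
    hits: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    record = classify_bytes(fh.read())
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if record["compiled_autoit"]:
                record["path"] = path
                hits.append(record)
    return hits


if __name__ == "__main__":
    print("flagged samples:", triage_samples())  # ['invoice.exe']
```

Flagged files still need a hash lookup or sandbox run to separate a malicious script from a legitimate AutoIt tool, which is the distinction at issue in this thread.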

The executable is a legitimate AutoIt, i.e. not subject to detection. I replied to your email a couple of hours ago.

54 minutes ago, Marcos said:

The executable is a legitimate AutoIt, i.e. not subject to detection.

Forgot to mention that both WD and MBAM are prone to false positives.

On 3/5/2020 at 12:26 PM, peteyt said:

While possibly unrelated someone else was posting about auto.it the other day although they wanted to exclude it. If I'm correct it is classed as a PUA. Do you have PUA detection enabled? 

 

I only ended up excluding the files, not the entire PUA.

So any future threats from AutoIt are still being detected.
