ESET do not resolve all the malware on the network

[Mauricio Osorio 1]

Hi guys,

We have a non minor issue with one of our enterprise clients. Turns out that we have been exporting from ESMC a report that shows actions taken by EES when it find malware, but it shows empty spaces on that report as you can see:

And my client is saying that the antimalware solution is not working.  We have told them that if he has not impact or issue related he has nothing to be worried about but it's not enough. He insist that it's an evidence that shows antivirus malfunction. 

Look this is pretty important because the client is evaluating whether to stay with ESET or if it changes its brand due to the fact that there is no specific answer from the local ESET support or its answers are denied by the client very easily about this matter.

How i can explain to my client? or is there a real issue?

i have attached full report, if you need some extra information please let us know.

Best Regards.

Informe Amenazas semanal subred ok.rar

[Marcos 5,074]

Please provide logs collected with ESET Log Collector where no action was logged for the 2 detections.

[itman 1,659]

This could be LimeRAT which has resurfaced again after a long hiatus. 

Of note is this malware uses the following exploit:

Quote

The new campaign designed to spread LimeRAT makes use of this technique, which was first spotted back in 2013 and presented at a Virus Bulletin conference. In order to pull off a successful attack, the hardcoded password -- assigned as CVE-2012-0158 -- is exploited. 

https://www.zdnet.com/article/limerat-malware-is-being-spread-through-velvetsweatshop-excel-encryption-technique/

Has the installation where this detection is occurring patched their devices against this exploit?

Detailed analysis of this exploit is here: https://www.sophos.com/en-us/medialibrary/PDFs/technical papers/CVE-2012-0158-An-Anatomy-of-a-Prolific-Exploit.PDF

LimeRAT installs a backdoor. What could be happening here is Eset is detecting the backdoor activity and blocking the activity initiated from the remote server connection. But Eset can't determine the source of the activity which is the backdoor. 

[Mauricio Osorio 1]

Hi @Marcos thanks for your reply.

In the attachment you will find the ESET Log Collector.

ees_logs.zip

[Marcos 5,074]

An action was actually taken according to the logs and attachments were cleaned:

PDF/Phishing.A.Gen trojan contained infected files a variant of MSIL/Kryptik.SXL trojan contained infected files a variant of MSIL/Kryptik.SXL trojan contained infected files

I've made a test and found out that separate records are generated for the parent email and each attachment. The parent email was delivered, hence no action was logged. However, the attachment was detected and cleaned (removed), hence the action pertaining to the attachment reads "deleted".

[Mauricio Osorio 1]

Thanks for your answer @Marcos,

For future cases where we must explain these records to this client or another, you may be able to teach us how we should search and find this evidence. Or if this is not possible, is there any KB that we can use to learn how to interpret these logs?

As you can see this is a weekly report, then these questions are going to come up very often and it is not very practical to upload them through this channel every time.

Again thank you for your answer.

Regards.

[Marcos 5,074]

I had to reproduce it myself to find out how threats in email attachments are reported to ESMC. The way they are reported may change with different versions of ESMC and maybe module updates could affect it as well.