Mauricio Osorio

ESET do not resolve all the malware on the network

Hi guys,

We have a non-minor issue with one of our enterprise clients. It turns out that we have been exporting from ESMC a report that shows the actions taken by EES when it finds malware, but the report shows empty spaces, as you can see:

[image: screenshot of the exported ESMC report]

And my client is saying that the antimalware solution is not working. We have told them that if there is no related impact or issue, there is nothing to worry about, but that is not enough. He insists that it is evidence of an antivirus malfunction.

Look, this is pretty important, because the client is evaluating whether to stay with ESET or to change brand, due to the fact that there is no specific answer from the local ESET support on this matter, or its answers are very easily dismissed by the client.

How can I explain this to my client? Or is there a real issue?

I have attached the full report; if you need any extra information please let us know.

Best Regards.

Informe Amenazas semanal subred ok.rar


Please provide logs collected with ESET Log Collector where no action was logged for the 2 detections.


This could be LimeRAT, which has resurfaced again after a long hiatus.

Of note is that this malware uses the following exploit:

Quote: "The new campaign designed to spread LimeRAT makes use of this technique, which was first spotted back in 2013 and presented at a Virus Bulletin conference. In order to pull off a successful attack, the hardcoded password -- assigned as CVE-2012-0158 -- is exploited."

https://www.zdnet.com/article/limerat-malware-is-being-spread-through-velvetsweatshop-excel-encryption-technique/

Has the installation where this detection is occurring patched their devices against this exploit?

Detailed analysis of this exploit is here: https://www.sophos.com/en-us/medialibrary/PDFs/technical papers/CVE-2012-0158-An-Anatomy-of-a-Prolific-Exploit.PDF

LimeRAT installs a backdoor. What could be happening here is that ESET is detecting the backdoor activity and blocking the activity initiated from the remote server connection, but ESET can't determine the source of the activity, which is the backdoor.


An action was actually taken according to the logs and attachments were cleaned:

PDF/Phishing.A.Gen trojan contained infected files
a variant of MSIL/Kryptik.SXL trojan contained infected files
a variant of MSIL/Kryptik.SXL trojan contained infected files

I've run a test and found out that separate records are generated for the parent email and for each attachment. The parent email was delivered, hence no action was logged for it. However, the attachment was detected and cleaned (removed), hence the action pertaining to the attachment reads "deleted".

[image: screenshot of the test detection records]

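A way to make the explanation above visible in a weekly export, as an added example that is not part of the thread or of ESET's tooling: the script below correlates rows of a threat report so that each parent-e-mail record with an empty Action is listed beside the attachment records (same detection time, same computer) that were actually cleaned, and flags only those parents for which no cleaned component exists. The CSV column names (Time, Computer, Scanner, Object type, Object URI, Threat, Action), the "contained infected files" suffix on parent records, and the grouping rule (same Time and Computer) are assumptions about the export format, and the report lines are constructed sample data rather than rows from the attached report.

```python
"""Correlate parent-e-mail and attachment detections in an exported threat report.

Added example; the column names, the grouping rule and the sample rows below are
assumptions/constructed data, not the ESMC export format itself.
"""
import csv
import io
from collections import defaultdict

# Parent records end with this phrase in the sample; the attachment records do not.
CONTAINER_MARKER = "contained infected files"

# Constructed sample export (assumed column layout). The last e-mail has a
# parent record but no cleaned attachment record, so it should be flagged.
SAMPLE_REPORT = """\
Time,Computer,Scanner,Object type,Object URI,Threat,Action
2020-04-06 09:12:03,WS-014,Email scanner,E-mail,mailbox://inbox/#1234,PDF/Phishing.A.Gen trojan contained infected files,
2020-04-06 09:12:03,WS-014,Email scanner,File,mailbox://inbox/#1234 >> invoice.pdf,PDF/Phishing.A.Gen trojan,deleted
2020-04-06 11:40:55,WS-022,Email scanner,E-mail,mailbox://inbox/#2001,a variant of MSIL/Kryptik.SXL trojan contained infected files,
2020-04-06 11:40:55,WS-022,Email scanner,File,mailbox://inbox/#2001 >> order.exe,a variant of MSIL/Kryptik.SXL trojan,deleted
2020-04-06 11:40:55,WS-022,Email scanner,File,mailbox://inbox/#2001 >> order2.exe,a variant of MSIL/Kryptik.SXL trojan,deleted
2020-04-07 08:01:10,WS-031,Real-time file system protection,File,C:/Users/x/dl/eicar.com,Eicar test file,cleaned by deleting
2020-04-07 15:22:40,WS-009,Email scanner,E-mail,mailbox://inbox/#3100,a variant of MSIL/Kryptik.SXL trojan contained infected files,
"""


def load_rows(report_text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(report_text)))


def correlate(report_text):
    """Return one summary per parent (container) record.

    Rows are grouped by (Time, Computer); within a group the rows whose Threat
    ends with CONTAINER_MARKER are parents, the rest are the scanned components.
    A parent is 'explained' when at least one component carries a non-empty
    Action, otherwise it 'needs_followup'.
    """
    groups = defaultdict(list)
    for row in load_rows(report_text):
        groups[(row["Time"], row["Computer"])].append(row)

    results = []
    for (time, computer), group in sorted(groups.items()):
        parents = [r for r in group if r["Threat"].endswith(CONTAINER_MARKER)]
        components = [r for r in group if not r["Threat"].endswith(CONTAINER_MARKER)]
        handled = [c for c in components if c["Action"].strip()]
        for parent in parents:
            results.append({
                "time": time,
                "computer": computer,
                "threat": parent["Threat"],
                "parent_action": parent["Action"],
                "component_actions": [c["Action"] for c in components],
                "status": "explained" if handled else "needs_followup",
            })
        # A standalone (non-parent) record with no action is also worth a look.
        for comp in components:
            if not comp["Action"].strip() and not parents:
                results.append({
                    "time": time,
                    "computer": computer,
                    "threat": comp["Threat"],
                    "parent_action": comp["Action"],
                    "component_actions": [],
                    "status": "needs_followup",
                })
    return results


def unexplained(report_text):
    """Only the records that still have no recorded cleaning action."""
    return [r for r in correlate(report_text) if r["status"] == "needs_followup"]


if __name__ == "__main__":
    for r in correlate(SAMPLE_REPORT):
        acts = ", ".join(r["component_actions"]) or "(none)"
        print(f'{r["time"]}  {r["computer"]:7}  {r["status"]:14}  '
              f'parent action="{r["parent_action"]}"  components: {acts}')
```

Run against a real export, replace SAMPLE_REPORT with the file contents and adjust the column names to match; the rows reported as needs_followup are the ones to send to support with ESET Log Collector output, while the explained rows are the parent-e-mail records Marcos describes, whose cleaning action lives on the attachment rows.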

Thanks for your answer @Marcos,

For future cases where we must explain these records to this client or another, could you teach us how we should search for and find this evidence? Or, if this is not possible, is there any KB article that we can use to learn how to interpret these logs?

As you can see, this is a weekly report, so these questions are going to come up very often, and it is not very practical to upload the reports through this channel every time.

Again thank you for your answer.

Regards.


I had to reproduce it myself to find out how threats in email attachments are reported to ESMC. The way they are reported may change with different versions of ESMC, and module updates could affect it as well.
