JxMcGeary

ESET Endpoint Security PDF/Phishing.A.Gen possible false positive?


We got a scan result of phishing.a.gen on a PDF on one of our users' hard drives this morning. The file appears to have been legitimate, but I'd like to upload it for analysis since I know that pdf/phishing.a.gen can be triggered as a detection any time a PDF contains links to what ESET considered phishing domains. I can see the file in quarantine in the ESET Security Management Center. How do I upload it for proper analysis, or other examination for possible false positives in the event that a domain in the PDF's links is falsely marked 'phishing'?


Right-click the file in Quarantine and select "Submit for analysis" per the screenshot below:

[Screenshot: ESET Quarantine context menu with the "Submit for analysis" option]

Edited by itman


Can't. Submit for analysis is grayed out. ESET appears to insist on deleting it even though it says it's in quarantine.

2 hours ago, JxMcGeary said:

Submit for analysis is grayed out. ESET appears to insist on deleting it even though it says it's in quarantine.

My best guess is the submission from Quarantine must be done on the Endpoint device since it resides in Eset's Quarantine directory on that device.

Edited by itman


I checked. Livegrid feedback's enabled. The instant I try to restore the file so I can upload it anywhere, ESET detects it again and deletes it again. I have had this happen both when restoring it on the machine itself and when restoring it from the security center.

'Upload' is apparently an option if I check the file in the Security Management Center rather than on the machine, but that asks for a Windows or SMB share to upload the file to, rather than giving me the option of uploading it to ESET.


These are the options that you are presented with when you right-click a file in quarantine:

[Screenshot: right-click options for a quarantined file]

You can temporarily pause protection in order to restore the file from quarantine and submit it to ESET.


Okay, I was able to pause the protection and zip up the file, but before I submitted it I checked it out. It appears that ESET believes the one URL in the file points to a phishing site. The URL in question points to https://www.mizuhoamericas.com, which is an investment banking site. Given that my company does legitimate business with Mizuho Americas, we believe this URL classification is a false positive.

I'll submit the zipped file shortly.

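The post above describes the check worth doing before filing a false-positive report: find out which URLs the quarantined PDF actually links to, so the reputation verdict can be compared against the real destination. The following script is an added example, not code from the thread or from ESET. It pulls `/URI` link actions out of a PDF's raw bytes and out of any FlateDecode-compressed streams (link annotations in modern PDFs often live inside compressed object streams, where a plain string search misses them), handles both literal and hex-encoded PDF strings, and reduces the result to the hostnames an analyst would look up. The sample PDF it builds is constructed inline, with placeholder domains under `.test`, and is deliberately minimal rather than a renderable document.

```python
import re
import sys
import zlib
from urllib.parse import urlsplit

# /URI followed by a literal string "(...)" (with backslash escapes) or a hex string "<...>"
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
# stream ... endstream bodies; the lookbehind keeps "endstream" from starting a false match
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _decode_literal(raw: bytes) -> str:
    """Resolve PDF literal-string escapes: \\\\ \\( \\) \\n \\r \\t and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):  # backslash
            nxt = raw[i + 1]
            if nxt in b"01234567":  # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and raw[j] in b"01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return out.decode("latin-1")


def _candidate_chunks(pdf: bytes):
    """Yield the raw file, then every stream that inflates as Flate data."""
    yield pdf
    for m in _STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed (image data, damaged stream, ...): skip


def extract_uris(pdf: bytes) -> list[str]:
    """Return every distinct /URI target found in the PDF, in discovery order."""
    found: list[str] = []
    for chunk in _candidate_chunks(pdf):
        for m in _URI_RE.finditer(chunk):
            if m.group(1) is not None:
                uri = _decode_literal(m.group(1))
            else:
                digits = re.sub(rb"\s", b"", m.group(2))
                if len(digits) % 2:  # PDF pads an odd trailing nibble with 0
                    digits += b"0"
                uri = bytes.fromhex(digits.decode("ascii")).decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found


def link_hosts(pdf: bytes) -> list[str]:
    """Hostnames behind the links: the unit a domain-level phishing verdict applies to."""
    hosts: list[str] = []
    for uri in extract_uris(pdf):
        host = urlsplit(uri).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def build_sample_pdf() -> bytes:
    """Constructed test input: one plain link annotation and one hidden in a Flate stream."""
    plain = (b"1 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]\n"
             b"   /A << /S /URI /URI (https://www.example-bank.test/track\\(1\\)) >> >>\nendobj\n")
    inner = (b"5 0 obj\n<< /Type /Annot /Subtype /Link\n   /A << /S /URI /URI <"
             + b"https://portal.example-broker.test/statements".hex().encode("ascii")
             + b"> >> >>\nendobj\n")
    packed = zlib.compress(inner)
    objstm = (b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
              + packed + b"\nendstream\nendobj\n")
    return b"%PDF-1.7\n" + plain + objstm + b"trailer\n<< /Root 3 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # Usage: python pdf_links.py quarantined.pdf   (no argument: scan the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for uri in extract_uris(data):
        print(uri)
    print("hosts:", ", ".join(link_hosts(data)))
```

Run it against a copy of the restored file (the script never talks to the AV product; it only reads bytes you already have) and compare the printed hosts with whatever the reputation source flagged. If the only host is the one you expect, the verdict is about the domain rather than the document, which is exactly the situation the thread ends up in.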
35 minutes ago, JxMcGeary said:

The URL in question points to https://www.mizuhoamericas.com, which is an investment banking site. Given that my company does legitimate business with Mizuho Americas, we believe this URL classification is a false positive.

Three other sources at VirusTotal also detect the web site. See the screenshot below:

[Screenshot: VirusTotal URL report for the site, showing ESET and three other detections]
