ESET Endpoint Security PDF/Phishing.A.Gen possible false positive?

We got a scan result of phishing.a.gen on a PDF on one of our users' hard drives this morning. The file appears to have been legitimate, but I'd like to upload it for analysis since I know that pdf/phishing.a.gen can be triggered as a detection any time a PDF contains links to what ESET considered phishing domains. I can see the file in quarantine in the ESET Security Management Center. How do I upload it for proper analysis, or other examination for possible false positives in the event that a domain in the PDF's links is falsely marked 'phishing'?


Right button mouse click on the file in Quarantine and select "Submit for analysis" per the below screen shot:


 

Edited by itman

  • Administrators

Please check if you have the LiveGrid feedback system enabled in the advanced setup.

In order to submit a possible FP to ESET, I'd recommend following the instructions in this KB:
https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab


2 hours ago, JxMcGeary said:

Submit for analysis is grayed out. ESET appears to insist on deleting it even though it says it's in quarantine.

My best guess is the submission from Quarantine must be done on the Endpoint device since it resides in Eset's Quarantine directory on that device.

Edited by itman

I checked. LiveGrid feedback is enabled. The instant I try to restore the file so I can upload it anywhere, ESET detects it again and deletes it again. I have had this happen both when restoring it on the machine itself and when restoring it from the security center.

 

'Upload' is apparently an option if I check the file in the security center rather than on the machine, but that asks for a Windows or SMB share to upload the file to, rather than giving me the option of uploading it to ESET. 


  • Administrators

These are the options that you are presented with when you right-click a file in quarantine:


You can temporarily pause protection in order to restore the file from quarantine and submit it to ESET.


Okay, I was able to pause the protection and zip up the file, but before I submitted it I checked it out. It appears that ESET believes the one URL in the file points to a phishing site. The URL in question points to https://www.mizuhoamericas.com , which is an investment banking site. Given that my company does legitimate business with Mizuho Americas, we believe this URL classification is a false positive.

 

I'll submit the zipped file shortly.

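One way to do the "check it out" step from the post above, listing every link target a PDF carries so the detection can be compared against the actual URLs; this is an added example, not code from the thread or from ESET. The sample PDF bytes are constructed and its hosts are placeholders.

```python
"""Triage helper: list the link targets embedded in a PDF so a detection
such as PDF/Phishing.A.Gen can be checked against the URLs that trigger it."""
import re
from urllib.parse import urlparse

# Constructed sample (not the file from the thread): two /Link annotations,
# one with a literal-string /URI (escaped parentheses inside) and one with a
# hex-string /URI; both hosts are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://example.invalid/report\\(1\\).pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI <68747470733a2f2f7777772e6578616d706c652e636f6d> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI key followed by either a literal string (...) or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")

def _decode_literal(raw: bytes) -> bytes:
    # Undo the PDF escapes for '(', ')' and '\'; other escapes are left as-is.
    return re.sub(rb"\\([()\\])", rb"\1", raw)

def extract_link_targets(pdf: bytes) -> list[str]:
    """Every /URI target found in uncompressed objects, in file order.
    Caveat: objects inside FlateDecode or object streams are invisible to
    this scan; run the file through qpdf/pikepdf to decompress it first."""
    targets = []
    for m in _URI_RE.finditer(pdf):
        literal, hexstr = m.group(1), m.group(2)
        if literal is not None:
            raw = _decode_literal(literal)
        else:
            h = b"".join(hexstr.split()).decode("ascii")
            raw = bytes.fromhex(h + "0" if len(h) % 2 else h)  # PDF pads odd hex
        targets.append(raw.decode("latin-1"))
    return targets

def link_hosts(pdf: bytes) -> list[str]:
    """Distinct hostnames the PDF links to, sorted: the values to check
    against a URL-reputation source (or to cite in a false-positive report)."""
    hosts = {urlparse(u).hostname for u in extract_link_targets(pdf)}
    return sorted(h for h in hosts if h)
```

On a real file call `link_hosts(open(path, "rb").read())` on a copy taken while protection is paused, as described above; the hostnames it returns are what the vendor's URL reputation was applied to.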

35 minutes ago, JxMcGeary said:

The URL in question points to https://www.mizuhoamericas.com , which is an investment banking site. Given that my company does legitimate business with Mizuho Americas, we believe this URL classification is a false positive.

Three other sources at VirusTotal also detect the web site. See below screen shot:



This topic is now closed to further replies.