JxMcGeary, Posted August 15, 2020: We got a scan result of phishing.a.gen on a PDF on one of our users' hard drives this morning. The file appears to have been legitimate, but I'd like to upload it for analysis since I know that pdf/phishing.a.gen can be triggered as a detection any time a PDF contains links to what ESET considers phishing domains. I can see the file in quarantine in the ESET Security Management Center. How do I upload it for proper analysis, or other examination for possible false positives in the event that a domain in the PDF's links is falsely marked 'phishing'?
itman, Posted August 15, 2020: Right mouse button click on the file in Quarantine and select "Submit for analysis" per the below screen shot:
JxMcGeary, Posted August 16, 2020: Can't. Submit for analysis is grayed out. ESET appears to insist on deleting it even though it says it's in quarantine.
Marcos (Administrators), Posted August 16, 2020: Please check if you have the LiveGrid feedback system enabled in the advanced setup. In order to submit a possible FP to ESET, I'd recommend following the instructions in this KB: https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab
itman, Posted August 16, 2020: 2 hours ago, JxMcGeary said: Submit for analysis is grayed out. ESET appears to insist on deleting it even though it says it's in quarantine. My best guess is the submission from Quarantine must be done on the Endpoint device since it resides in Eset's Quarantine directory on that device.
JxMcGeary, Posted August 17, 2020: I checked. LiveGrid feedback's enabled. The instant I try to restore the file so I can upload it anywhere, ESET detects it again and deletes it again. I have had this happen both when restoring it on the machine itself and when restoring it from the security center. 'Upload' is apparently an option if I check the file in the security center rather than on the machine, but that asks for a Windows or SMB share to upload the file to, rather than giving me the option of uploading it to ESET.
Marcos (Administrators), Posted August 17, 2020: These are the options that you are presented with when you right-click a file in quarantine: You can temporarily pause protection in order to restore the file from quarantine and submit it to ESET.
JxMcGeary, Posted August 18, 2020: Okay, I was able to pause the protection and zip up the file, but before I submitted it I checked it out. It appears that ESET believes the one URL in the file points to a phishing site. The URL in question points to https://www.mizuhoamericas.com, which is an investment banking site. Given that my company does legitimate business with Mizuho Americas, we believe this URL classification is a false positive. I'll submit the zipped file shortly.
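The step above, checking which URL in a quarantined PDF tripped a link-based detection like pdf/phishing.a.gen, can be done offline before anything is restored or submitted. This is an added example, not code from the thread or from ESET; the PDF it parses is a constructed sample (www.example.com and docs.example.org are placeholder hosts), and it extracts /URI link targets from the raw file and from FlateDecode streams so the domains can be reviewed one by one.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample (not the poster's PDF): one link with an escaped literal-string
# URI, plus a second link hidden inside a FlateDecode object stream.
_HIDDEN_OBJ = (b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
               b"/URI <68747470733A2F2F646F63732E6578616D706C652E6F72672F> >> >> endobj")
_STREAM = zlib.compress(_HIDDEN_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Type /Page /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"  /A << /S /URI /URI (https://www.example.com/report\\(2020\\).pdf) >> >> endobj\n"
    b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_STREAM)).encode() + b" >>\nstream\n" + _STREAM + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def unescape_literal(raw: bytes) -> bytes:
    """Resolve PDF literal-string escapes: backslash-paren, backslash-backslash, \\n, octal."""
    def repl(m):
        esc = m.group(1)
        if re.fullmatch(rb"[0-7]{1,3}", esc):
            return bytes([int(esc, 8) & 0xFF])
        return _ESCAPES.get(esc, esc)          # \( \) \\ map to themselves
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.DOTALL)

def extract_link_uris(pdf: bytes) -> list[str]:
    """Return every /URI target in the raw file and in any Flate-compressed stream."""
    bodies = [pdf]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", pdf, re.DOTALL):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass                                # image data or another filter; skip it
    uris = []
    for body in bodies:
        for m in re.finditer(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", body, re.DOTALL):
            uris.append(unescape_literal(m.group(1)).decode("latin-1"))
        for m in re.finditer(rb"/URI\s*<([0-9A-Fa-f\s]*)>", body):
            hexstr = re.sub(rb"\s", b"", m.group(1))
            hexstr += b"0" if len(hexstr) % 2 else b""   # spec pads an odd final digit
            uris.append(bytes.fromhex(hexstr.decode()).decode("latin-1"))
    return uris

def link_domains(pdf: bytes) -> dict[str, list[str]]:
    """Group the URIs by host so each domain can be checked once against the verdict."""
    grouped: dict[str, list[str]] = {}
    for uri in extract_link_uris(pdf):
        grouped.setdefault(urlparse(uri).hostname or "(no host)", []).append(uri)
    return grouped

if __name__ == "__main__":
    for host, links in link_domains(SAMPLE_PDF).items():
        print(host, links)
```

Streams with filters other than FlateDecode (or encrypted documents) are not decoded here, so an empty result on a real sample means "nothing readable", not "no links".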
itman, Posted August 18, 2020: 35 minutes ago, JxMcGeary said: The URL in question points to https://www.mizuhoamericas.com, which is an investment banking site. Given that my company does legitimate business with Mizuho Americas, we believe this URL classification is a false positive. Three other sources at VirusTotal also detect the web site. See below screen shot: