Posted

We got a scan result of phishing.a.gen on a PDF on one of our users' hard drives this morning. The file appears to have been legitimate, but I'd like to upload it for analysis since I know that pdf/phishing.a.gen can be triggered as a detection any time a PDF contains links to what ESET considered phishing domains. I can see the file in quarantine in the ESET Security Management Center. How do I upload it for proper analysis, or other examination for possible false positives in the event that a domain in the PDF's links is falsely marked 'phishing'?

Posted (edited)

Right mouse button click on the file in Quarantine and select "Submit for analysis" per the below screen shot:

[screenshot: Eset_Quarantine.png]

Edited by itman
Posted

Can't. Submit for analysis is grayed out. ESET appears to insist on deleting it even though it says it's in quarantine.

Posted (edited)
2 hours ago, JxMcGeary said:

Submit for analysis is grayed out. ESET appears to insist on deleting it even though it says it's in quarantine.

My best guess is the submission from Quarantine must be done on the Endpoint device since it resides in Eset's Quarantine directory on that device.

Edited by itman
Posted

I checked. LiveGrid feedback's enabled. The instant I try to restore the file so I can upload it anywhere, ESET detects it again and deletes it again. I have had this happen both when restoring it on the machine itself and when restoring it from the security center.


'Upload' is apparently an option if I check the file in the security center rather than on the machine, but that asks for a Windows or SMB share to upload the file to, rather than giving me the option of uploading it to ESET. 

Administrators
Posted

These are the options that you are presented with when you right-click a file in quarantine:

[screenshot: right-click options for a quarantined file]

You can temporarily pause protection in order to restore the file from quarantine and submit it to ESET.

Posted

Okay, I was able to pause the protection and zip up the file, but before I submitted it I checked it out. It appears that ESET believes the one URL in the file points to a phishing site. The URL in question points to https://www.mizuhoamericas.com, which is an investment banking site. Given that my company does legitimate business with Mizuho Americas, we believe this URL classification is a false positive.


I'll submit the zipped file shortly.
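Because a pdf/phishing-type detection hinges on which link targets the PDF carries, the triage step above (look inside the restored copy, find the one URL, decide whether its host is really a false positive) can be scripted. The following is an added example, not code from this thread or from ESET: it pulls every /URI link target out of an uncompressed PDF, decodes PDF string escapes, lists the distinct hostnames, and hashes the file so an existing verdict can be looked up (e.g. on VirusTotal) before anything is uploaded. The embedded PDF bytes and the example.com / example.net hosts are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: a minimal uncompressed PDF with two link annotations.
# The hosts are placeholders, not the site discussed in the thread.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Subtype /Link /A << /S /URI /URI (https://example.com/report\\(2024\\).pdf) >> >> endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI <68747470733A2F2F6578616D706C652E6E65742F6C6F67696E> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI value is a literal string (...) or a hex string <...>.  Unescaped nested parentheses are
# not handled; FlateDecode/object streams must be inflated first (e.g. with qpdf --qdf) to be seen.
URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.DOTALL)
_ESC_RE = re.compile(rb"\\(\r\n|[0-7]{1,3}|.)", re.DOTALL)
_SIMPLE = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}

def unescape_literal(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\n \\( \\) \\\\, octal \\ddd, line continuations."""
    def one(m: re.Match) -> bytes:
        tok = m.group(1)
        if tok in _SIMPLE:
            return _SIMPLE[tok]
        if re.fullmatch(rb"[0-7]{1,3}", tok):
            return bytes([int(tok, 8) & 0xFF])
        return b"" if tok in (b"\n", b"\r", b"\r\n") else tok  # unknown escape keeps the char
    return _ESC_RE.sub(one, raw)

def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI link target in an uncompressed PDF, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf):
        lit, hexs = m.group("lit"), m.group("hex")
        raw = unescape_literal(lit) if lit is not None else bytes.fromhex(hexs.decode("ascii"))
        uris.append(raw.decode("utf-8", "replace"))
    return uris

def link_hosts(uris: list[str]) -> list[str]:
    # Distinct hostnames: the unit a URL-reputation verdict is actually about.
    return sorted({urlparse(u).hostname for u in uris if urlparse(u).hostname})

def sha256_hex(pdf: bytes) -> str:
    # File hash, for looking up existing verdicts (e.g. on VirusTotal) without uploading the file.
    return hashlib.sha256(pdf).hexdigest()
```

Run it against a copy of the restored file (read as bytes) while protection is paused; the hostnames it prints are what to check against the vendor's URL verdict, and the hash lets you search for prior reports without submitting the document itself.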

Posted
35 minutes ago, JxMcGeary said:

The URL in question points to https://www.mizuhoamericas.com, which is an investment banking site. Given that my company does legitimate business with Mizuho Americas, we believe this URL classification is a false positive.

Three other sources at VirusTotal also detect the web site. See below screen shot:

[screenshot: Eset_Phish.png, VirusTotal result for the site]
