Jump to content

Email trojan that can't be found/deleted.


Recommended Posts

Good morning everyone,

 

As per title above, today i opened my Outlook to be welcomed by the messages in pictures attached.

 

A trojan is detected, coming from a "reliable" contact whose message is not visible in the list of received messages and when i click on delete, the result is that the deletion is not possible. I am sure some of you has already seen this. The PC does not show any strange sign except for A) A single refusal to wake up from sleep yesterday (first time in 10 months) and despite the SSD startup is somewhat slow (but that was before too). Malwarebytes did not spot any issue.

Any clue?

Thanks in advance

Screenshot_5.jpg

Screenshot_6.jpg

Link to comment
Share on other sites

  • Administrators

Couldn't it be that you changed the cleaning level for email protection from "Remedy detection if safe, ask otherwise" to "Always ask the end user"?

Link to comment
Share on other sites

6 minutes ago, Marcos said:

Couldn't it be that you changed the cleaning level for email protection from "Remedy detection if safe, ask otherwise" to "Always ask the end user"?

ESET has the usual setup. No changes at all.

Link to comment
Share on other sites

Actually, i managed to make the message appear by clicking on "CANCEL" in the message "Error completing archive modification request". I am not sure whether ESET blocked even before it entered my mail box and therefore since it wasn't physically into it, i couldn't delete it. It's indeed a weird mechanism.

Link to comment
Share on other sites

4 minutes ago, Marcos said:

Does changing the cleaning level to "always remedy detection" for email protection work around the issue?

I did not need to do anything. When the error message upon my attempt to delete the infected mail appeared, this time i clicked "Cancel" instead of "Retry". At that point, the infected message was instantly downloaded in my inbox and i could delete it. Still, it is not a very optimal process.

PS: I do not even know where that option is in the AV UI. As we all know, it's quite a trip to get into all those menus and submenus so i do the job once, save the settings and reimport them on all my machines.

Edited by PassingBy
Link to comment
Share on other sites

Appears to me that Eset detected the malware in the .zip archive attached to the e-mail. Rather that deleting the entire e-mail w/attachment, Eset tried to delete only the archive. This delete attempt failed. Might be a permissions issue with the archive or something along this line.

What you can do is set Eset to delete the entire e-mail per the below screen shot. The downside of this is you won't know who sent the e-mail unless it is not correspondingly deleted on your e-mail provider server. On the other hand, the e-mail server will keep sending you the infected e-mail until it is deleted there.

Eset_email.thumb.png.aca3fbd85783074c2e4483006e22f613.png

Link to comment
Share on other sites

  • Administrators
1 hour ago, itman said:

Eset should fall-back to deleting the entire e-mail if the malicious archive cannot be deleted.

According to a reply from developers this should be addressed soon.

Link to comment
Share on other sites

12 hours ago, itman said:

Appears to me that Eset detected the malware in the .zip archive attached to the e-mail. Rather that deleting the entire e-mail w/attachment, Eset tried to delete only the archive. This delete attempt failed. Might be a permissions issue with the archive or something along this line.

What you can do is set Eset to delete the entire e-mail per the below screen shot. The downside of this is you won't know who sent the e-mail unless it is not correspondingly deleted on your e-mail provider server. On the other hand, the e-mail server will keep sending you the infected e-mail until it is deleted there.

Eset_email.thumb.png.aca3fbd85783074c2e4483006e22f613.png

Thanks for this Marcos, very insightful

On this: "The downside of this is you won't know who sent the e-mail unless it is not correspondingly deleted on your e-mail provider server"

 

That is a no go. It is important to see who is sending what. In this case, it is a shipping company i work with and their mails have always been clean (to my knowledge). This specific company is now in a blacklist. If i can't see who sends what, it is hard to adopt granular policies. I hope ESET finds a way to allow us to avoid the threat but see where it's coming from and what the threat is.

Thanks a lot for your time and the very clear answer.

 

 

 

Link to comment
Share on other sites

8 hours ago, itman said:

@Marcos I believe this scenario is something Eset needs to check out.

Eset should fall-back to deleting the entire e-mail if the malicious archive cannot be deleted.

I agree. Also, for the average user, when he clicks "Cancel" and the infected message pops up in his inbox, expect lots of queries in the tone of "Oh...the message was downloaded, am i infected now?". Addressing this in a clear, unequivocal way will actually avoid a lot of queries.

Link to comment
Share on other sites

  • Administrators
5 hours ago, PassingBy said:

Also, for the average user, when he clicks "Cancel" and the infected message pops up in his inbox...

My understanding is that it should work the way it used to before implementing partial cleaning in archives recently, ie. the attachment will be detected, removed automatically and the action will be logged in the Detection log with details.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...