
Email trojan that can't be found/deleted.


Good morning everyone,

 

As per the title above, today I opened my Outlook to be welcomed by the messages in the pictures attached.

 

A trojan is detected, coming from a "reliable" contact whose message is not visible in the list of received messages, and when I click on delete, the result is that the deletion is not possible. I am sure some of you have already seen this. The PC does not show any strange sign except for a single refusal to wake up from sleep yesterday (first time in 10 months), and, despite the SSD, startup is somewhat slow (but that was before too). Malwarebytes did not spot any issue.

Any clue?

Thanks in advance

Screenshot_5.jpg

Screenshot_6.jpg


  • Administrators

Couldn't it be that you changed the cleaning level for email protection from "Remedy detection if safe, ask otherwise" to "Always ask the end user"?


6 minutes ago, Marcos said:

Couldn't it be that you changed the cleaning level for email protection from "Remedy detection if safe, ask otherwise" to "Always ask the end user"?

ESET has the usual setup. No changes at all.


Actually, I managed to make the message appear by clicking on "CANCEL" in the message "Error completing archive modification request". I am not sure whether ESET blocked it even before it entered my mailbox and therefore, since it wasn't physically in it, I couldn't delete it. It's indeed a weird mechanism.


4 minutes ago, Marcos said:

Does changing the cleaning level to "always remedy detection" for email protection work around the issue?

I did not need to do anything. When the error message upon my attempt to delete the infected mail appeared, this time I clicked "Cancel" instead of "Retry". At that point, the infected message was instantly downloaded into my inbox and I could delete it. Still, it is not a very optimal process.

PS: I do not even know where that option is in the AV UI. As we all know, it's quite a trip to get into all those menus and submenus, so I do the job once, save the settings and reimport them on all my machines.

Edited by PassingBy

Appears to me that Eset detected the malware in the .zip archive attached to the e-mail. Rather than deleting the entire e-mail w/attachment, Eset tried to delete only the archive. This delete attempt failed. Might be a permissions issue with the archive or something along this line.

What you can do is set Eset to delete the entire e-mail per the below screenshot. The downside of this is you won't know who sent the e-mail unless it is not correspondingly deleted on your e-mail provider server. On the other hand, the e-mail server will keep sending you the infected e-mail until it is deleted there.

[Screenshot: Eset_email.png]


  • Administrators
1 hour ago, itman said:

Eset should fall-back to deleting the entire e-mail if the malicious archive cannot be deleted.

According to a reply from developers this should be addressed soon.


12 hours ago, itman said:

Appears to me that Eset detected the malware in the .zip archive attached to the e-mail. Rather than deleting the entire e-mail w/attachment, Eset tried to delete only the archive. This delete attempt failed. Might be a permissions issue with the archive or something along this line.

What you can do is set Eset to delete the entire e-mail per the below screenshot. The downside of this is you won't know who sent the e-mail unless it is not correspondingly deleted on your e-mail provider server. On the other hand, the e-mail server will keep sending you the infected e-mail until it is deleted there.

[Screenshot: Eset_email.png]

Thanks for this Marcos, very insightful

On this: "The downside of this is you won't know who sent the e-mail unless it is not correspondingly deleted on your e-mail provider server"


That is a no go. It is important to see who is sending what. In this case, it is a shipping company I work with and their mails have always been clean (to my knowledge). This specific company is now on a blacklist. If I can't see who sends what, it is hard to adopt granular policies. I hope ESET finds a way to allow us to avoid the threat but see where it's coming from and what the threat is.

Thanks a lot for your time and the very clear answer.


8 hours ago, itman said:

@Marcos I believe this scenario is something Eset needs to check out.

Eset should fall-back to deleting the entire e-mail if the malicious archive cannot be deleted.

I agree. Also, for the average user, when he clicks "Cancel" and the infected message pops up in his inbox, expect lots of queries in the tone of "Oh... the message was downloaded, am I infected now?". Addressing this in a clear, unequivocal way will actually avoid a lot of queries.


  • Administrators
5 hours ago, PassingBy said:

Also, for the average user, when he clicks "Cancel" and the infected message pops up in his inbox...

My understanding is that it should work the way it used to before implementing partial cleaning in archives recently, i.e. the attachment will be detected, removed automatically and the action will be logged in the Detection log with details.
