Dakmp, posted February 14, 2021 (edited)

A Windows shortcut to a URL is detected as "LNK/Agent.CH trojan 1" on my ESET Internet Security 14.0.22.0. However, VirusTotal detection is none: https://www.virustotal.com/gui/file/cba004a4a9bc884ba1ba002b7a45c43823b75de1e23c19d1c840ada8dff61ab9/detection What is going on here? Can anybody take a look at the file? Also, the option "Restore and exclude from scanning" is greyed out. This has happened to me several times already; why can't I just whitelist some files?

Attachment: SadeemPC.com_URL.zip

Edited February 14, 2021 by Dakmp
itman, posted February 14, 2021

When performing a scan at VT, always verify the date the last analysis was done. The scan link reference you posted was two months old. I just rescanned with this result:
itman, posted February 14, 2021

Also, always take note of VT's detection relations analysis. As noted in the screenshot below, how this detected URL is packaged is the primary determinant of its maliciousness:

You can't restore it because Eset has removed it and deleted it from the archived download.
Marcos (Administrator), posted February 14, 2021

I'd also add that VT uses a command-line on-demand scanner to scan files, so threats that ESET detects on a machine where it is installed may not always be detected at VT.
itman, posted February 14, 2021

I will also make this comment. If it isn't obvious yet, any download containing sadeempc.com references in it, direct or indirect, is most likely malicious. Sadeempc.com is a known malware hosting web site. Also, a brief analysis by me noted a lot of crack downloads containing sadeempc.com references in them. Cracked software downloads are currently the primary method by which malware is being distributed. Refer to my postings on this subject in the forum's General Discussion section.
Dakmp (Author), posted February 17, 2021 (edited)

I understand that websites can provide malware downloads, but just a shortcut shouldn't be to blame, unless the shortcut itself installs some malware or does something tricky on the system. Does it? Does the shortcut hack the registry or install "something"? Because it looks like it has more bytes than the shortcut should have.

Edited February 17, 2021 by Dakmp
Marcos (Administrator), posted February 17, 2021

It's a shortcut to a blacklisted website, hence the detection.
itman, posted February 17, 2021

I will also add that .lnk references in Windows autorun locations, such as startup directories, registry run keys, or the like, are as a rule highly suspect.
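A defender-side way to see why a shortcut like the one in this thread gets flagged, as an added example that is not from the forum or from ESET: pull the URL(s) out of the shortcut's bytes and check their host against a domain blocklist. The blocklist, function names and sample shortcuts are constructed for this example.

```python
"""Triage a Windows shortcut (.url or .lnk) by the URLs it references.

Hypothetical helper, not ESET's or VirusTotal's code. A .url file is INI
text and is parsed directly; a .lnk file is only searched for ASCII and
UTF-16LE "http(s)://" strings, a heuristic rather than a Shell Link parser.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed blocklist; sadeempc.com is the domain named in the thread.
BLOCKLIST = {"sadeempc.com"}

_URL_ASCII = re.compile(rb"https?://[\x21-\x7e]+")
_URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")

def extract_urls(data: bytes) -> List[str]:
    """Return the unique URLs found in the shortcut bytes, in order seen."""
    found: List[str] = []
    for line in data.decode("utf-8", "ignore").splitlines():
        if line.strip().lower().startswith("url="):  # InternetShortcut key
            found.append(line.split("=", 1)[1].strip())
    found += [m.decode("ascii") for m in _URL_ASCII.findall(data)]
    found += [m.decode("utf-16-le") for m in _URL_UTF16.findall(data)]
    return list(dict.fromkeys(found))  # de-duplicate, keep order

def blocklisted_host(url: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry the URL's host equals or is a subdomain of."""
    host = (urlsplit(url).hostname or "").lower()
    for bad in blocklist:
        if host == bad or host.endswith("." + bad):
            return bad
    return None

def triage(data: bytes, blocklist=BLOCKLIST) -> Dict:
    """Summarise the shortcut: every URL, the blocklist hits, and a verdict."""
    urls = extract_urls(data)
    hits = {u: b for u in urls if (b := blocklisted_host(u, blocklist))}
    return {"urls": urls, "blocklisted": hits,
            "verdict": "suspect" if hits else "clean"}

# Constructed samples: a .url body, and a fake .lnk-style blob whose string
# data is UTF-16LE, the encoding real Shell Link string fields use.
SAMPLE_URL_FILE = b"[InternetShortcut]\r\nURL=https://www.sadeempc.com/x/\r\n"
SAMPLE_LNK_BLOB = (b"L\x00\x00\x00" + b"\x00" * 72
                   + "https://www.sadeempc.com/dl".encode("utf-16-le"))
```

Running the same check over the shortcuts found in startup folders and Run keys turns itman's rule of thumb into a repeatable audit; a hit means the file deserves the same treatment ESET gave it, not a whitelist entry.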