Eset Internet Security 14.1.20.0 just started quarantining a .VBS file that I created months ago.


Hello,

Eset Internet Security has just started to quarantine a .VBS file that I created months ago.  It says that the virus in the file is VBS/Runner.NOX Trojan.  I excluded the file from detection.  When I run a File Explorer context menu scan, the file is left alone.  When I run a scan on the hard drive itself, the file is quarantined.

This behavior started with detection engine 23295P installed on 5/14.  I am running the latest version of Windows 10 Pro 64 bit.

Your help is appreciated

  • Administrators

The detection covers VB scripts that load another script from a folder typical for malware, e.g. a subfolder in c:\users, plus there are some other conditions for detection. I assume the best course of action would be creating a detection exclusion for the file. You can also report it as per https://support.eset.com/en/kb141 but I'm not sure if we'll be able to do something about it if we don't want to stop detecting actual malware that your file resembles.


Hello,

I manually put the file back in the original folder.  After replacing the file several times, I discovered that Eset is deleting the file every time I reboot.


Hello,

As I said earlier, I created a detection exclusion rule for the file.  On system boot Eset deletes the file.  On full hard drive scan the file is quarantined.


Hello,

The .VBS file was in the Users folder.  I created a new folder in the root of my C:\ drive and copied the file there.  I created a new detection rule.  Eset is no longer deleting the file.

 

4 hours ago, Ted Harris said:

I created a new folder in the root of my C:\ drive and copied the file there.  I created a new detection rule.  Eset is no longer deleting the file.

Which means that if malware did the same, it would bypass Eset detection. @Marcos take note.

I am also surprised Eset would throw an alert based on behavior in the original file location scenario. I would think additional file characteristics such as being packed, obfuscated, or encrypted would be secondary characteristics that would factor into the malicious determination. On the other hand, if .vbs file execution originated from a MS Office executable, e.g. a macro-based malware payload, then absolute file blocking and quarantining would be appropriate.

Edited by itman