Eset, Are You Cracking Passwords? ;)

[rugk 397]

Hello,

I just made an experiment and I found out something funny. You can go on the steps to reproduce this.

 

1. I downloaded the eicar test file. (it's an harmless file that should be detected as malware) Because ESET will delete it (and so it will directly after downloading) I deactivated real-time protection temporary.
2. If you have it on your computer then you can go on. I wanted that ESS does not delete the file after I reactivated real-time protection, so I zipped this file with a password. (You can do this with a tool of your choice or you can download the already zipped file I attached). And because I don't wanted to remember a hard password I used only one space (" ") as the password. (this is important!)
3. Now you can reactivate real-time protection. And now you can play with this ZIP file! Like we wanted the real-time protection don't recognize the maleware. Of course you must not unzip the eicar testfile, because then it of course will be detected.
4. But now there comes the point! Now right click on the zip file and select "scan with ESS". It will be scanned and it will be detected! Although it's password protected! So it seems that ESET is cracking the password.

Funny.

But of course I take this seriously, so I did more test. I tested all both with ESS v7 and the beta of ESS 8 (there were no differences between the results) and every time I used the password " " (and only with this password it worked).

• ZIP archive without encrypting filenames¹ --> Realtime: Not detected, Scan: detected (<-- this we have just done)
• RAR archive without encrypting filenames --> Realtime: Not detected, Scan: detected
• RAR5² archive without encrypting filenames --> Realtime: Not detected, Scan: detected
• RAR archive with encrypting filenames --> Realtime: Not detected, Scan: Not detected
• RAR5² archive with encrypting filenames --> Realtime: Not detected, Scan: detected

So the only archive that ESET couldn't detect is the RAR archive with encrypted filenames. This all is a quite strange...

Here is also a screenshot from the Scan result (under ESS v8):

And for all who wants this I attached all the files I used.

 

Hints:

1: Encrypting filenames is not possible in ZIP archives.

2: This is a new RAR format.

For the compressing I used WinRAR 5.

eicar_testfile.zip

eicar_testfile_RAR5_filenamesEncrypted.rar

eicar_testfile_filenamesEncrypted.rar

eicar_testfile_RAR5.rar

eicar_testfile.rar

Edited August 10, 2014 by rugk

[Arakasi 549]

Signature based detection relys on name and size and a few other things.
With archives you can see the files and data inside. You cant execute or write to it.
Eset sees whats inside and flags it.

Edited August 11, 2014 by Arakasi

[rugk 397]

Hey, but these archives are password protected and I don't executed (or unzipped/unrared) them! I just scanned them in an one demand scan.

Also the filename(s) are in a few archives encrypted and I also added another textfile to the archives to change the filesize.

 

If you want to use my files you can download them.

 

You cant execute or write to it.

But only if you have the password, if it's encrypted!

Edited August 10, 2014 by rugk

[Marcos 5,074]

It's not a rocket science to guess simple passwords I really don't want to talk more about this publicly as the forum is open for anybody who comes here.

[rugk 397]

Yeah of course it's no problem. And why not talk about this? Quite all people know that simple passwords are simple too guess and the "bad guys" of course know this already.

 

And I also tried it with other simple passwords like "a", "password" or "1234" and nothing of these worked. Only " " worked! So that's no explanation.

It also don't explains the two "anomalies":

• Why the RAR archive with encrypting filenames is not detected?
• And why is it not detected by real-time protection?

Edited August 10, 2014 by rugk

[rugk 397]

Please take it more seriously. I tried to make the post a bit funny, but however there is a a serious question behind it.

 

BTW: If you don't want to answer public, because you can leak things about how the scanning engine works, then you can also send me a PM.

I'm just interested about this strange thing! And I don't really think that you are trying to crack passwords during scanning, or do you?

Edited August 10, 2014 by rugk

[SweX 871]

 

Yeah of course it's no problem. And why not talk about this? Quite all people know that simple passwords are simple too guess and the "bad guys" of course know this already.

Then "people" may take advantage of it if they know how ESET is able to do this.

 

ESET does not talk about how their engine works openly, or say how their heuristics works in detail, or anything similar concerning the products. It is all kept secret to the outside world.

[Marcos 5,074]

Real-time protection doesn't scan inside archives (image the performance impact if it would scan x GB iso files upon each access). Files in (encrypted) archives are scanned by real-time protection upon extraction or execution.

[rugk 397]

Yeah ok, but they don't have to say how their engine works.

I also don't think that it's the intention of ESET to scan password protected archives with the password " ". Hey, who is "securing" a file with this password?

 

Also the "people" would - if they want to encrypt some files - never use such a password. They are not stupid!

 

@Marcos: Thanks for your answer, so the one "mystery" is resolved now. Now there remain the other mystery(s)...

Edited August 10, 2014 by rugk

[rugk 397]

You don't want to say more about this? OK, I understand this...
But on the other hand it's a bit sad...

Maybe this mystery must remain mysterious... :D