rugk, posted August 10, 2014:
Hello, I just made an experiment and I found out something funny. You can follow the steps to reproduce this. I downloaded the EICAR test file (it's a harmless file that should be detected as malware). Because ESET will delete it (and it will do so directly after downloading), I deactivated real-time protection temporarily. If you have it on your computer, then you can go on. I wanted ESS not to delete the file after I reactivated real-time protection, so I zipped this file with a password. (You can do this with a tool of your choice, or you can download the already zipped file I attached.) And because I didn't want to remember a hard password, I used only one space (" ") as the password. (This is important!) Now you can reactivate real-time protection. And now you can play with this ZIP file! As we wanted, the real-time protection doesn't recognize the malware. Of course you must not unzip the EICAR test file, because then it will of course be detected. But now comes the point! Right click on the zip file and select "scan with ESS". It will be scanned and it will be detected! Although it's password protected! So it seems that ESET is cracking the password. Funny. But of course I take this seriously, so I did more tests. I tested all of them both with ESS v7 and the beta of ESS 8 (there were no differences between the results) and every time I used the password " " (and only with this password it worked).
ZIP archive without encrypting filenames (1) --> Real-time: Not detected, Scan: detected (<-- this is what we have just done)
RAR archive without encrypting filenames --> Real-time: Not detected, Scan: detected
RAR5 (2) archive without encrypting filenames --> Real-time: Not detected, Scan: detected
RAR archive with encrypting filenames --> Real-time: Not detected, Scan: Not detected
RAR5 (2) archive with encrypting filenames --> Real-time: Not detected, Scan: detected
So the only archive that ESET couldn't detect is the RAR archive with encrypted filenames. This all is quite strange... Here is also a screenshot from the scan result (under ESS v8). And for all who want them, I attached all the files I used.
Hints:
1: Encrypting filenames is not possible in ZIP archives.
2: This is a new RAR format. For the compressing I used WinRAR 5.
Attachments: eicar_testfile.zip, eicar_testfile_RAR5_filenamesEncrypted.rar, eicar_testfile_filenamesEncrypted.rar, eicar_testfile_RAR5.rar, eicar_testfile.rar
Arakasi, posted August 10, 2014:
Signature-based detection relies on name and size and a few other things. With archives you can see the files and data inside. You can't execute or write to it. ESET sees what's inside and flags it.
rugk, posted August 10, 2014:
Hey, but these archives are password protected and I didn't execute (or unzip/unrar) them! I just scanned them in an on-demand scan. Also, in a few archives the filename(s) are encrypted, and I also added another text file to the archives to change the file size. If you want to use my files you can download them.
> You can't execute or write to it.
But only if you have the password, if it's encrypted!
Marcos (Administrator), posted August 10, 2014:
It's not rocket science to guess simple passwords. I really don't want to talk more about this publicly, as the forum is open for anybody who comes here.
rugk, posted August 10, 2014:
Yeah, of course it's no problem. And why not talk about this? Almost everyone knows that simple passwords are simple to guess, and the "bad guys" of course know this already. And I also tried it with other simple passwords like "a", "password" or "1234", and none of these worked. Only " " worked! So that's no explanation. It also doesn't explain the two "anomalies": Why is the RAR archive with encrypted filenames not detected? And why is it not detected by real-time protection?
rugk, posted August 10, 2014:
Please take it more seriously. I tried to make the post a bit funny, but there is a serious question behind it. BTW: If you don't want to answer publicly, because you could leak things about how the scanning engine works, then you can also send me a PM. I'm just interested in this strange thing! And I don't really think that you are trying to crack passwords during scanning, or do you?
SweX, posted August 10, 2014:
> Yeah, of course it's no problem. And why not talk about this? Almost everyone knows that simple passwords are simple to guess, and the "bad guys" of course know this already.
Then "people" may take advantage of it if they know how ESET is able to do this. ESET does not talk about how their engine works openly, or say how their heuristics work in detail, or anything similar concerning the products. It is all kept secret to the outside world.
Marcos (Administrator), posted August 10, 2014:
Real-time protection doesn't scan inside archives (imagine the performance impact if it scanned x GB ISO files upon each access). Files in (encrypted) archives are scanned by real-time protection upon extraction or execution.
rugk, posted August 10, 2014:
Yeah OK, but they don't have to say how their engine works. I also don't think that it's the intention of ESET to scan password-protected archives with the password " ". Hey, who is "securing" a file with this password? Also, the "people" would, if they want to encrypt some files, never use such a password. They are not stupid! @Marcos: Thanks for your answer, so the one "mystery" is resolved now. Now there remain the other mystery(s)...
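The two scanner behaviours the thread pins down, an on-demand scan that sees every entry name of a ZIP without a password (ZIP never encrypts names, as hint 1 says) and then gets at the contents only if a trivial password such as " " opens the entry, as an added example that is not part of this thread and not ESET's code. It builds a single-entry ZIP protected with PKWARE's traditional ZipCrypto (the scheme Python's zipfile can read), using a constructed stand-in for the EICAR string; the password list, the marker and the verdict names are assumptions of the example.

```python
import io, struct, zipfile, zlib
MARKER = b"EICAR-TEST-MARKER"                           # stand-in for the real EICAR string (constructed)
TRIVIAL_PASSWORDS = [b"a", b"password", b"1234", b" "]  # the passwords the thread reports trying

def _crc_step(crc, ch):  # one byte of reflected CRC-32 on the raw register, as ZipCrypto needs
    return zlib.crc32(bytes([ch]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(data, pwd, crc):
    """Traditional PKWARE ZipCrypto, encryption side: 12-byte header followed by ciphertext."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    def update(c):
        nonlocal k0, k1, k2
        k0 = _crc_step(k0, c)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_step(k2, k1 >> 24)
    for c in pwd: update(c)
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])  # real writers randomise these 11 bytes
    out = bytearray()
    for p in header + data:
        k = k2 | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_encrypted_zip(name, data, pwd):
    """Single-entry STORED zip with the encryption flag set; the file name stays in the clear."""
    crc = zlib.crc32(data)
    enc = zipcrypto_encrypt(data, pwd, crc)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(enc), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(enc), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local + enc), 0)
    return local + enc + central + eocd

def scan_archive(blob):
    """Map entry name -> (encrypted?, verdict); names need no password, bodies may."""
    zf, report = zipfile.ZipFile(io.BytesIO(blob)), {}
    for info in zf.infolist():
        encrypted = bool(info.flag_bits & 0x1)
        verdict = "encrypted-unscannable" if encrypted else "clean"
        for pwd in (TRIVIAL_PASSWORDS if encrypted else [None]):
            try:
                body = zf.read(info.filename, pwd=pwd)
            except (RuntimeError, zipfile.BadZipFile):  # wrong password (or a CRC mismatch)
                continue
            verdict = "detected" if MARKER in body else "clean"
            break
        report[info.filename] = (encrypted, verdict)
    return report
```

With a password outside the short list the verdict stays at "encrypted-unscannable", which is the honest state for a scanner to report rather than calling the archive clean.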
rugk, posted August 11, 2014:
You don't want to say more about this? OK, I understand this... But on the other hand it's a bit sad... Maybe this mystery must remain mysterious... :D