
Hello,

I just made an experiment and I found out something funny. You can follow the steps to reproduce this.

  1. I downloaded the eicar test file. (It's a harmless file that should be detected as malware.) Because ESET will delete it (and it will do so directly after downloading), I temporarily deactivated real-time protection.
  2. If you have it on your computer then you can go on. I wanted ESS not to delete the file after I reactivated real-time protection, so I zipped this file with a password. (You can do this with a tool of your choice, or you can download the already zipped file I attached.) And because I didn't want to remember a hard password, I used only one space (" ") as the password. (This is important!)
  3. Now you can reactivate real-time protection. And now you can play with this ZIP file! As we wanted, real-time protection doesn't recognize the malware. Of course you must not unzip the eicar test file, because then it will of course be detected.
  4. But now comes the point! Right-click on the zip file and select "scan with ESS". It will be scanned and it will be detected, although it's password protected! So it seems that ESET is cracking the password.

Funny. :D

But of course I take this seriously, so I did more tests. I tested all of this both with ESS v7 and the beta of ESS 8 (there were no differences between the results), and every time I used the password " " (and it only worked with this password).

  • ZIP archive without encrypted filenames [1] --> Realtime: Not detected, Scan: detected (<-- this is what we have just done)
  • RAR archive without encrypted filenames --> Realtime: Not detected, Scan: detected
  • RAR5 [2] archive without encrypted filenames --> Realtime: Not detected, Scan: detected
  • RAR archive with encrypted filenames --> Realtime: Not detected, Scan: Not detected
  • RAR5 [2] archive with encrypted filenames --> Realtime: Not detected, Scan: detected

So the only archive that ESET couldn't detect is the RAR archive with encrypted filenames. This is all quite strange...

Here is also a screenshot of the scan result (under ESS v8).

And for all who want them, I attached all the files I used.

Hints:

[1]: Encrypting filenames is not possible in ZIP archives.
[2]: This is a new RAR format.

For compressing I used WinRAR 5.

  • eicar_testfile.zip
  • eicar_testfile_RAR5_filenamesEncrypted.rar
  • eicar_testfile_filenamesEncrypted.rar
  • eicar_testfile_RAR5.rar
  • eicar_testfile.rar

Edited by rugk

Signature-based detection relies on name and size and a few other things.
With archives you can see the files and data inside. You can't execute or write to it.
Eset sees what's inside and flags it.

Edited by Arakasi
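To make the experiment from the first post concrete, and to show what a scanner can read from a password-protected ZIP without knowing the password (the point made in the reply above), here is an added example that is not from this thread and not ESET's code. It writes a one-entry ZIP with the traditional PKWARE ("ZipCrypto") encryption, lists what is visible with no password at all, and then tries a few candidate passwords the way an on-demand scanner might (that ESET does exactly this is an assumption, not something the thread confirms). The member content, the file name and the candidate list are constructed; AES-encrypted ZIPs and RAR's encryption are different formats and are not covered here.

```python
import contextlib, io, os, struct, zipfile, zlib

# Constructed sample member (substitute the EICAR test file's bytes to repeat the test).
SAMPLE_NAME = "eicar.com"
SAMPLE_DATA = b"constructed harmless sample content, not the EICAR string"

def _crc_step(crc, byte):  # one CRC-32 table step, via zlib by undoing its inversions
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(password, data, crc):
    """Traditional PKWARE ('ZipCrypto') stream cipher, keyed only by the password."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(p):  # key schedule advances on each plaintext byte
        keys[0] = _crc_step(keys[0], p)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)
    def stream_byte():
        t = (keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF
    for b in password:
        update(b)
    out = bytearray()
    # 12-byte prefix: 11 random bytes + CRC's top byte, a one-byte password check for readers
    for p in os.urandom(11) + bytes([crc >> 24]) + data:
        out.append(stream_byte() ^ p)
        update(p)
    return bytes(out)

def build_encrypted_zip(password, name, data):
    """One-entry ZIP, stored + encrypted: name, sizes and CRC stay in clear in both headers."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body, fname = zipcrypto_encrypt(password, data, crc), name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                      len(local) + len(body), 0)
    return local + body + central + end

def scan_archive(buf, candidates):
    """Metadata visible with no password, plus the first candidate that decrypts the member."""
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        info = zf.infolist()[0]
        found = plain = None
        for pwd in candidates:
            with contextlib.suppress(RuntimeError, zipfile.BadZipFile):  # bad check byte / CRC
                plain, found = zf.read(info.filename, pwd=pwd), pwd
                break
    return info.filename, info.file_size, bool(info.flag_bits & 1), found, plain
```

With the password " " the file name, size and "encrypted" flag are readable by anyone, and the content falls to a one-entry candidate list; only the RAR-with-encrypted-filenames case from the thread hides the names as well.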

Hey, but these archives are password protected and I didn't execute (or unzip/unrar) them! I just scanned them in an on-demand scan.

Also the filename(s) in a few archives are encrypted, and I also added another text file to the archives to change the file size.

If you want to use my files, you can download them.

You can't execute or write to it.

But only if you have the password, if it's encrypted!

Edited by rugk

  • Administrators

It's not rocket science to guess simple passwords :) I really don't want to talk more about this publicly, as the forum is open for anybody who comes here.


Yeah, of course it's no problem. And why not talk about this? Almost all people know that simple passwords are simple to guess, and the "bad guys" of course know this already.

And I also tried it with other simple passwords like "a", "password" or "1234", and none of these worked. Only " " worked! So that's no explanation.

It also doesn't explain the two "anomalies":

  • Why is the RAR archive with encrypted filenames not detected?
  • And why is it not detected by real-time protection?
Edited by rugk

Please take it more seriously. I tried to make the post a bit funny, but there is a serious question behind it.

BTW: If you don't want to answer publicly, because you could leak things about how the scanning engine works, then you can also send me a PM.

I'm just interested in this strange thing! And I don't really think that you are trying to crack passwords during scanning, or do you?

Edited by rugk

Yeah, of course it's no problem. And why not talk about this? Almost all people know that simple passwords are simple to guess, and the "bad guys" of course know this already.

Then "people" may take advantage of it if they know how ESET is able to do this.

ESET does not talk openly about how their engine works, or say how their heuristics work in detail, or anything similar concerning the products. It is all kept secret from the outside world.


  • Administrators

Real-time protection doesn't scan inside archives (imagine the performance impact if it scanned x GB ISO files upon each access). Files in (encrypted) archives are scanned by real-time protection upon extraction or execution.


Yeah ok, but they don't have to say how their engine works.

I also don't think that it's the intention of ESET to scan password-protected archives with the password " ". Hey, who is "securing" a file with this password?

Also the "people" would - if they want to encrypt some files - never use such a password. They are not stupid!

@Marcos: Thanks for your answer, so one "mystery" is resolved now. Now the other mystery(s) remain...

Edited by rugk

You don't want to say more about this? OK, I understand this...
But on the other hand it's a bit sad...

Maybe this mystery must remain mysterious... :D :D
