Jump to content

Why Doesn't Eset Add Detection For This Threat So Long?


sky7
 Share

Recommended Posts

 - xss.exe
https://www.virustotal.com/en/file/1cef89e21d000eaab69eab90c78a32adb0f1d10ed4e90c180d1b116d0e0b2ab4/analysis/1407790800/

I reported this file and I checked it later ESS 7.0.317.4 (vsd: 10233) didn't detect this.
I emailed again and ESS 7.0.317.4 (current vsd: 10238) still doesn't detect this.
 

Edited by sky7
Link to comment
Share on other sites

  • Administrators

Probably because we hadn't received it until today? Looking at the VT results, most AVs detect it heuristically due to the packer used. We too recognize the packer but don't want to detect it as it could produce many false positives (apparently some vendors don't care about that). The sample will be looked at and a detection will be added if it actually turns out to be functional malware.

I would be more concerned about prevalent functional malware that is virtually detected only by ESET at VT  :)

Link to comment
Share on other sites

Probably because we hadn't received it until today? Looking at the VT results, most AVs detect it heuristically due to the packer used. We too recognize the packer but don't want to detect it as it could produce many false positives (apparently some vendors don't care about that). The sample will be looked at and a detection will be added if it actually turns out to be functional malware.

I would be more concerned about prevalent functional malware that is virtually detected only by ESET at VT  :)

 

It's good ESET doesn't just look at packer but I reported this 2 days ago and my second email was sent 21 hours ago and of course it is functional malware

- xss.exe

MD5 : 5bf42a43f4efc10c0fdf9f0a0379ee3e

 

Link to comment
Share on other sites

  • Administrators
It's good ESET doesn't just look at packer but I reported this 2 days ago and my second email was sent 21 hours ago and of course it is functional malware

 

It was first delivered by email to ESET's malware lab just yesterday.

Link to comment
Share on other sites

 

It's good ESET doesn't just look at packer but I reported this 2 days ago and my second email was sent 21 hours ago and of course it is functional malware

 

It was first delivered by email to ESET's malware lab just yesterday.

 

It's strange.

ESS 7.0.317.4 (vsd: 10240) detects xss.exe (MD5 : 5bf42a43f4efc10c0fdf9f0a0379ee3e) finally.

Threat name is "Win32/TrojanDropper.Agent.QRL"

It's not fast dealing (passed more than 6 updates Virus Signature database)

Unlike before, I don't receive any email from ESET Malware Response Team.

I always receive email from ESET Malware Response Team (as you know they send email when they add reported threat in vsd.)

Anyway ESET detects this malware now.

 

Link to comment
Share on other sites

I don't always get e-mails back from the team, especially if multiple people submitted, they may just send one out to the first person that appears to them.

 

Also, ESET keeps a strict evaluation of submissions to ensure the low false positives that ESET retains, some vendors don't evaluate or examine and just add based off other vendors, have seen this many times.

 

ESET has a very nice malware research team and although they were not in haste for this particular variant, I would be interested in the origination of the file ?

 

Was it on a download site, through a drive-by js on a bad web server? Submitted from a malware pack ? Bundled in legitimate software etc ?

Is it in-the-wild ?

 

:)

Link to comment
Share on other sites

  • Administrators

Current stats show that it was detected on 1 user's computer during download. The malware wasn't found to be running on any computer worldwide at all.

Link to comment
Share on other sites

Current stats show that it was detected on 1 user's computer during download. The malware wasn't found to be running on any computer worldwide at all.

Dangerous malware. :D

Link to comment
Share on other sites

Current stats show that it was detected on 1 user's computer during download. The malware wasn't found to be running on any computer worldwide at all.

Maybe data based on ESET's Live Grid. Sometimes facts can be misleading.

I don't undervalue ESET Live Grid and don't want to argue about that. Anyway that's not true.

Most well known AVs detect this malware at this point so we don't need to say it's dangerous 'now'.

"The malware wasn't found to be running on any computer worldwide at all." It would be misleading

These days Cybercrime used to silently spread malware to computers for only number of days within a very short period of time (making hit-and-run guerrilla style attacks)

It is 'Trojan Dropper' that drop other malware files onto the compromised PC.

 

Edited by sky7
Link to comment
Share on other sites

  • Administrators

"The malware wasn't found to be running on any computer worldwide at all." It would be misleading.

These days Cybercrime used to silently spread malware to computers for only number of days within a very short period of time (making hit-and-run guerrilla style attacks)

It is 'Trojan Dropper' that drop other malware files onto the compromised PC. Most well known AVs detect this malware at this point so we don't need to say it's dangerous 'now'.

 

It's not misleading at all. Out of all users with Live Grid enabled, it was downloaded only on one computer which I now confirm by looking at most current stats. The point is that a detection was added on the same day we received it.

On the contrary, there's quite a lot of dangerous malware including ransomware that is missed by almost all AV vendors but ESET and which is undetected even after > 24 hours.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...