
Why Doesn't Eset Add Detection For This Threat So Long?


sky7


- xss.exe
  https://www.virustotal.com/en/file/1cef89e21d000eaab69eab90c78a32adb0f1d10ed4e90c180d1b116d0e0b2ab4/analysis/1407790800/

I reported this file and checked it later; ESS 7.0.317.4 (vsd: 10233) didn't detect this.
I emailed again, and ESS 7.0.317.4 (current vsd: 10238) still doesn't detect this.
 

Edited by sky7

  • Administrators

Probably because we hadn't received it until today? Looking at the VT results, most AVs detect it heuristically due to the packer used. We too recognize the packer but don't want to detect it as it could produce many false positives (apparently some vendors don't care about that). The sample will be looked at and a detection will be added if it actually turns out to be functional malware.

I would be more concerned about prevalent functional malware that is virtually detected only by ESET at VT  :)


> Probably because we hadn't received it until today? Looking at the VT results, most AVs detect it heuristically due to the packer used. We too recognize the packer but don't want to detect it as it could produce many false positives (apparently some vendors don't care about that). The sample will be looked at and a detection will be added if it actually turns out to be functional malware.
>
> I would be more concerned about prevalent functional malware that is virtually detected only by ESET at VT :)

It's good ESET doesn't just look at the packer, but I reported this 2 days ago, my second email was sent 21 hours ago, and of course it is functional malware.

- xss.exe

MD5: 5bf42a43f4efc10c0fdf9f0a0379ee3e


  • Administrators
> It's good ESET doesn't just look at the packer, but I reported this 2 days ago, my second email was sent 21 hours ago, and of course it is functional malware.

 

It was first delivered by email to ESET's malware lab just yesterday.


> It's good ESET doesn't just look at the packer, but I reported this 2 days ago, my second email was sent 21 hours ago, and of course it is functional malware.
>
> It was first delivered by email to ESET's malware lab just yesterday.

 

It's strange.

ESS 7.0.317.4 (vsd: 10240) finally detects xss.exe (MD5: 5bf42a43f4efc10c0fdf9f0a0379ee3e).

The threat name is "Win32/TrojanDropper.Agent.QRL".

It wasn't dealt with quickly (more than 6 Virus Signature Database updates passed).

Unlike before, I didn't receive any email from the ESET Malware Response Team.

I always receive an email from the ESET Malware Response Team (as you know, they send an email when they add a reported threat to the vsd).

Anyway, ESET detects this malware now.

 


I don't always get e-mails back from the team, especially if multiple people submitted; they may just send one out to the first person that appears to them.

Also, ESET keeps a strict evaluation of submissions to ensure the low false positives that ESET retains; some vendors don't evaluate or examine and just add based off other vendors. I have seen this many times.

ESET has a very nice malware research team, and although they were not in haste for this particular variant, I would be interested in the origination of the file.

Was it on a download site, through a drive-by JS on a bad web server? Submitted from a malware pack? Bundled in legitimate software, etc.?

Is it in-the-wild?

 

:)


  • Administrators

Current stats show that it was detected on 1 user's computer during download. The malware wasn't found to be running on any computer worldwide at all.


> Current stats show that it was detected on 1 user's computer during download. The malware wasn't found to be running on any computer worldwide at all.

Dangerous malware. :D


> Current stats show that it was detected on 1 user's computer during download. The malware wasn't found to be running on any computer worldwide at all.

Maybe the data is based on ESET's Live Grid. Sometimes facts can be misleading.

I don't undervalue ESET Live Grid and don't want to argue about that. Anyway, that's not true.

Most well-known AVs detect this malware at this point, so we don't need to say it's dangerous 'now'.

"The malware wasn't found to be running on any computer worldwide at all." It would be misleading.

These days, cybercriminals tend to silently spread malware to computers for only a number of days within a very short period of time (making hit-and-run, guerrilla-style attacks).

It is a 'Trojan Dropper' that drops other malware files onto the compromised PC.

 

Edited by sky7

  • Administrators

> "The malware wasn't found to be running on any computer worldwide at all." It would be misleading.
>
> These days, cybercriminals tend to silently spread malware to computers for only a number of days within a very short period of time (making hit-and-run, guerrilla-style attacks).
>
> It is a 'Trojan Dropper' that drops other malware files onto the compromised PC. Most well-known AVs detect this malware at this point, so we don't need to say it's dangerous 'now'.

 

It's not misleading at all. Out of all users with Live Grid enabled, it was downloaded only on one computer which I now confirm by looking at most current stats. The point is that a detection was added on the same day we received it.

On the contrary, there's quite a lot of dangerous malware including ransomware that is missed by almost all AV vendors but ESET and which is undetected even after > 24 hours.
