eclipse79 4 Posted April 22, 2022 (edited)

Hello, I would like to discuss a possible incompatibility between the Eset plugin for Outlook and Office Advanced Threat Protection with Dynamic relay.

What is dynamic relay

If a user receives a suspicious email with attachments, Office 365 delivers an email that has the original subject and text message BUT without attachments (which are scanned in the cloud). This email contains an attached email in .msg format that represents a standard Office 365 template with a list of the files being scanned. When the scan is complete, and if the attachments are clean, the original email replaces the previous one.

What happens with Eset

Yesterday I received a notification about a worm contained in an incoming email. This is the export of the events:

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
<LOG>
<RECORD>
<COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress </COLUMN>
<COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
<COLUMN NAME="Azione">conteneva file infetti</COLUMN>
<COLUMN NAME="Informazione">Si è verificato un evento in seguito alla ricezione di un'e-mail da parte dell'applicazione: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE.</COLUMN>
<COLUMN NAME="Hash"></COLUMN>
<COLUMN NAME="Prima visualizzazione"></COLUMN>
</RECORD>
<RECORD>
<COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress » MIME » ATT81479.htm.7397C898-8104-4E2E-8926-98082ABAE229.PendingScan</COLUMN>
<COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
<COLUMN NAME="Azione">eliminato</COLUMN>
<COLUMN NAME="Informazione"></COLUMN>
<COLUMN NAME="Hash">3CDC6AD46BEF3A9DA6F7DC5519329B4EFC7BD53C</COLUMN>
<COLUMN NAME="Prima visualizzazione"></COLUMN>
</RECORD>
</LOG>
</ESET>

The first problem

The subject reported in the XML data is the same as that of the attached .msg Office 365 template, which should be safe. So I think that, if Eset detected a virus, the only explanation is that the worm was not detected by the Office 365 scan… The problem is that Eset should report the real name of the attachment/email subject, not "ATP scan in progress", which is always safe (because it NEVER has infected files). This behavior makes it hard to find the original infected email.

The second problem

The Eset email policy is configured to move infected emails to a specific folder. This folder is empty. So again I have no information about the original infected email. I probably found it (I noticed an email received at the exact moment of detection), but it is a supposition: my user has 10 email accounts… it's very hard to find infected emails in such cases.

My request: please make Eset more compatible with the Office 365 ATP function. Thanks

Edited April 22, 2022 by eclipse79: title correction
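The export above is the only trace the endpoint leaves, and the post's complaint is that the object column names the Office 365 placeholder message rather than the real attachment. The original attachment name is nevertheless recoverable from the nested object path of the second record (the "MIME » ATT81479.htm.<GUID>.PendingScan" leaf), together with the hash that can be searched for in the Exchange Online quarantine. The following triage helper is an added example, not code from ESET or from the original post: it parses the export, maps the localized column labels (the Italian ones above; the English labels and the "from: ... with subject ..." prefix form are assumptions about an English-locale install), splits the object path on ESET's " » " separator, strips the Safe Attachments PendingScan suffix, and returns the attachment names and hashes worth hunting for. The sample export embedded in it is constructed from the records in the post.

```python
"""Triage helper for an ESET 'Detected threats' XML export (added example).

Assumes the layout shown in the thread: <ESET><LOG><RECORD><COLUMN NAME=...>,
nested objects separated by " » ", and the Office 365 Safe Attachments
placeholder file name form <original name>.<GUID>.PendingScan.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple, Union

# Localized column label -> canonical key. Italian labels are from the post;
# the English ones are an assumption about an English-locale ESET install.
COLUMN_MAP = {
    "Oggetto": "object", "Object": "object",                     # Oggetto = Object
    "Rilevamento": "detection", "Detection": "detection", "Threat": "detection",
    "Azione": "action", "Action": "action",                      # Azione = Action
    "Informazione": "info", "Information": "info",
    "Hash": "hash",
    "Prima visualizzazione": "first_seen", "First seen": "first_seen",
}

# "da: <sender> con oggetto <subject>" (Italian, from the post) or
# "from: <sender> with subject <subject>" (English form, assumed).
MAIL_HEAD_RE = re.compile(
    r"^(?:da|from):\s*(?P<sender>.+?)\s+(?:con oggetto|with subject)\s+(?P<subject>.*?)\s*$",
    re.IGNORECASE,
)

# Safe Attachments placeholder: <original name>.<GUID>.PendingScan
PENDING_RE = re.compile(
    r"^(?P<name>.+?)\.(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\.PendingScan$"
)

NEST_SEP = " » "

# Constructed sample: the two records from the post (Italian labels, real hash
# value copied from the post, Informazione text shortened).
SAMPLE_EXPORT = """<?xml version="1.0" encoding="utf-8" ?>
<ESET><LOG>
<RECORD>
<COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress </COLUMN>
<COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
<COLUMN NAME="Azione">conteneva file infetti</COLUMN>
<COLUMN NAME="Informazione">Si è verificato un evento ... OUTLOOK.EXE.</COLUMN>
<COLUMN NAME="Hash"></COLUMN>
<COLUMN NAME="Prima visualizzazione"></COLUMN>
</RECORD>
<RECORD>
<COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress » MIME » ATT81479.htm.7397C898-8104-4E2E-8926-98082ABAE229.PendingScan</COLUMN>
<COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
<COLUMN NAME="Azione">eliminato</COLUMN>
<COLUMN NAME="Informazione"></COLUMN>
<COLUMN NAME="Hash">3CDC6AD46BEF3A9DA6F7DC5519329B4EFC7BD53C</COLUMN>
<COLUMN NAME="Prima visualizzazione"></COLUMN>
</RECORD>
</LOG></ESET>"""


def _enrich(raw: Dict[str, str]) -> Dict[str, object]:
    """Derive sender, subject, nesting levels, leaf attachment and hash type."""
    obj = raw.get("object", "")
    levels = [p.strip() for p in obj.split(NEST_SEP)] if obj else []
    sender: Optional[str] = None
    subject: Optional[str] = None
    if levels:
        m = MAIL_HEAD_RE.match(levels[0])
        if m:
            sender, subject = m.group("sender"), m.group("subject")
    attachment: Optional[str] = None
    pending = False
    if len(levels) > 1:               # a nested object: the leaf is the file ESET acted on
        leaf = levels[-1]
        m = PENDING_RE.match(leaf)
        if m:                         # Safe Attachments placeholder: recover the real name
            attachment, pending = m.group("name"), True
        else:
            attachment = leaf
    h = raw.get("hash") or None
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown") if h else None
    return {
        "detection": raw.get("detection"), "action": raw.get("action"),
        "sender": sender, "subject": subject, "levels": levels,
        "attachment": attachment, "pending_scan": pending,
        "hash": h, "hash_algo": algo, "info": raw.get("info") or None,
    }


def parse_eset_export(xml_data: Union[str, bytes]) -> List[Dict[str, object]]:
    """Parse an ESET XML export into enriched records (one dict per RECORD)."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")   # ESET exports may also be UTF-16; pass bytes as-is then
    root = ET.fromstring(xml_data)
    records = []
    for rec in root.iter("RECORD"):
        raw: Dict[str, str] = {}
        for col in rec.findall("COLUMN"):
            label = col.get("NAME", "")
            raw[COLUMN_MAP.get(label, label)] = (col.text or "").strip()
        records.append(_enrich(raw))
    return records


def original_attachments(records: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(attachment name, hash) pairs to search for in quarantine or message trace."""
    return [(r["attachment"], r["hash"]) for r in records if r["attachment"] and r["hash"]]


if __name__ == "__main__":
    for r in parse_eset_export(SAMPLE_EXPORT):
        print(r["detection"], "|", r["action"], "|", r["attachment"], "|", r["hash"])
    print(original_attachments(parse_eset_export(SAMPLE_EXPORT)))
```

The hash in the second record is 40 hex characters, so it is treated as SHA-1; the first record has no hash because it describes the container message, not a file. On a real export from an English-locale install, check the column labels the product actually emits and extend COLUMN_MAP if they differ from the assumed ones.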
ESET Moderators Peter Randziak 1,177 Posted April 22, 2022

Hello @eclipse79, can you please try it and let us know how it behaves with the new ESET plugin for Outlook? https://forum.eset.com/topic/31777-new-outlook-plugin-beta/

Peter
eclipse79 4 Posted April 22, 2022 (Author)

3 minutes ago, Peter Randziak said: Hello @eclipse79, can you please try it and let us know how it behaves with the new ESET plugin for Outlook? https://forum.eset.com/topic/31777-new-outlook-plugin-beta/ Peter

Thank you for your quick reply. I will indeed try, even if the conditions that I described are difficult to reproduce... I have Eset 9.0.2046.0 on Windows 11 64-bit. Which installer should I use? I see ees_* and eea_* files. Thanks
ESET Moderators Peter Randziak 1,177 Posted April 22, 2022

Hello @eclipse79, EEA stands for ESET Endpoint Antivirus and EES for ESET Endpoint Security, so I would recommend installing the product you currently have. If you have EEA and would like to try EES, let me know and I can order you a business trial license for that. Well, I agree it might not be that easy to reproduce... 😞

Peter
eclipse79 4 Posted April 22, 2022 (Author)

33 minutes ago, Peter Randziak said: Hello @eclipse79, EEA stands for ESET Endpoint Antivirus and EES for ESET Endpoint Security, so I would recommend installing the product you currently have. If you have EEA and would like to try EES, let me know and I can order you a business trial license for that. Well, I agree it might not be that easy to reproduce... 😞 Peter

Thank you. No need to start a trial, I have EES. Thanks
ESET Moderators Peter Randziak 1,177 Posted April 25, 2022

Hello @eclipse79, as the issue probably won't be easy to reproduce, I would recommend enabling the logging before the attempt, to be safe. So if you succeed (I hope you will 😉), we will have the logs for the dev team to check.

On 3/21/2022 at 8:15 PM, Peter Randziak said: If any issues arise, we will need the user to enable diagnostic logging of this component whenever needed (see screen below), run Outlook (or another email client), wait for the issue to manifest, quit Outlook and disable diagnostic logging to avoid extensive log recording for a longer time. The resulting log will be stored under C:\ProgramData\ESET\ESET Security\Diagnostics\MailPlugins.etl

Peter
eclipse79 4 Posted May 12, 2022 (Author) (edited)

On 4/25/2022 at 12:26 PM, Peter Randziak said: Hello @eclipse79, as the issue probably won't be easy to reproduce, I would recommend enabling the logging before the attempt, to be safe. So if you succeed (I hope you will 😉), we will have the logs for the dev team to check. Peter

I have an update on this thread. I found the original email in the Office 365 quarantine, and it contains an HTML attachment. Office 365 dynamic delivery usually permits access to a "safe version" of attachments that are currently being scanned. My supposition is that the "safe version" of the HTML... is not safe... (probably it contains malicious JS?). So, it's quite clear WHY Eset detects a virus in the "ATP scan in progress" email attachment. What is not clear is: why has this email not been moved to the "Detected items" email folder in Outlook?

Edited May 12, 2022 by eclipse79