Incompatibility between Eset and Office 365 Advanced Threat Protection with Dynamic Relay


Recommended Posts

Hello,

I would like to discuss a possible incompatibility between the Eset plugin for Outlook and Office Advanced Threat Protection with Dynamic Relay.

What is dynamic relay?

If a user receives a suspicious email with attachments, Office 365 delivers an email that has the original subject and text message BUT without the attachments (which are scanned in the cloud). This email contains an attached email in .msg format, a standard Office 365 template listing the files being scanned.

When the scan is complete and the attachments are clean, the original email replaces the previous one.

What happens with Eset?

Yesterday I received a notification about a worm contained in an incoming email. This is the export of the events:

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress </COLUMN>
      <COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
      <COLUMN NAME="Azione">conteneva file infetti</COLUMN>
      <COLUMN NAME="Informazione">Si è verificato un evento in seguito alla ricezione di un’e-mail da parte dell'applicazione: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE.</COLUMN>
      <COLUMN NAME="Hash"></COLUMN>
      <COLUMN NAME="Prima visualizzazione"></COLUMN>
    </RECORD>

    <RECORD>
      <COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress  » MIME » ATT81479.htm.7397C898-8104-4E2E-8926-98082ABAE229.PendingScan</COLUMN>
      <COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
      <COLUMN NAME="Azione">eliminato</COLUMN>
      <COLUMN NAME="Informazione"></COLUMN>
      <COLUMN NAME="Hash">3CDC6AD46BEF3A9DA6F7DC5519329B4EFC7BD53C</COLUMN>
      <COLUMN NAME="Prima visualizzazione"></COLUMN>
    </RECORD>
  </LOG>
</ESET>


The first problem

The subject reported in the XML data is the same as that of the attached .msg Office 365 template, which should be safe. So I think that, if Eset detected a virus, the only explanation is that the worm was not detected by the Office 365 scan… the problem is that Eset should report the real attachment name/email subject, not “ATP scan in progress”, which is always safe (because it NEVER has infected files). This behavior makes it hard to find the original infected email.

The second problem

The Eset email policy is configured to move infected emails to a specific folder. This folder is empty. So again I have no information about the original infected email.

I probably found it (I noticed an email received at the exact moment of detection), but it is a supposition: my user has 10 email accounts… it’s very hard to find infected emails in such cases.

My request: please, make Eset more compatible with the Office 365 ATP function.

Thanks

Edited by eclipse79
title correction
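As an added example (not part of the original post or of ESET's tooling), a small parser for the export above that pulls out what is needed to work around the first problem: it flags records whose subject is the ATP placeholder, strips the Dynamic Delivery suffix from the MIME path to recover the original attachment name, and keeps the hash to search for in the Office 365 quarantine. The `<name>.<GUID>.PendingScan` naming is an assumption inferred from the single sample in the thread; the sample XML is constructed to mirror that export.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the export quoted in the post (Italian UI column names).
SAMPLE_EXPORT = """<?xml version="1.0" encoding="utf-8" ?>
<ESET><LOG>
  <RECORD>
    <COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress </COLUMN>
    <COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
    <COLUMN NAME="Azione">conteneva file infetti</COLUMN>
    <COLUMN NAME="Hash"></COLUMN>
  </RECORD>
  <RECORD>
    <COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress  » MIME » ATT81479.htm.7397C898-8104-4E2E-8926-98082ABAE229.PendingScan</COLUMN>
    <COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
    <COLUMN NAME="Azione">eliminato</COLUMN>
    <COLUMN NAME="Hash">3CDC6AD46BEF3A9DA6F7DC5519329B4EFC7BD53C</COLUMN>
  </RECORD>
</LOG></ESET>"""

ATP_PLACEHOLDER = "ATP Scan In Progress"
# Assumed placeholder-attachment naming, inferred from the one sample: <name>.<GUID>.PendingScan
PENDING = re.compile(
    r"^(?P<name>.+?)\.[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\.PendingScan$")


def parse_records(xml_text):
    """Return each <RECORD> as a dict keyed by the COLUMN NAME attribute."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [{c.get("NAME"): (c.text or "").strip() for c in rec.findall("COLUMN")}
            for rec in root.iter("RECORD")]


def triage(record):
    """Extract what an analyst needs to locate the real message in quarantine."""
    subject = record.get("Oggetto", "")
    # ESET appends the scanned object path as " » MIME » <attachment>"
    parts = [p.strip() for p in subject.split("»")]
    attachment = parts[-1] if len(parts) > 1 else None
    m = PENDING.match(attachment) if attachment else None
    return {
        "atp_placeholder": ATP_PLACEHOLDER.lower() in subject.lower(),
        "attachment": m.group("name") if m else attachment,  # original file name
        "hash": record.get("Hash") or None,  # search key for the O365 quarantine
        "action": record.get("Azione", ""),
    }


def triage_export(xml_text):
    return [triage(r) for r in parse_records(xml_text)]
```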

  • eclipse79 changed the title to Incompatibility between Eset and Office 365 Advanced Threat Protection with Dynamic Relay
3 minutes ago, Peter Randziak said:

Hello @eclipse79,

can you please try and let us know how it behaves with the new ESET plugin for Outlook?

https://forum.eset.com/topic/31777-new-outlook-plugin-beta/

Peter

Thank you for your quick reply.

I will indeed try, even if the conditions that I described are difficult to reproduce...

I have Eset 9.0.2046.0 on Windows 11 64-bit. What installer should I use? I see ees_* and eea_* files.

Thanks


  • ESET Moderators

Hello @eclipse79

EEA stands for ESET Endpoint Antivirus and EES for ESET Endpoint Security, so I would recommend installing the product you currently have.

If you have EEA and would like to try EES, let me know; I can order you a business trial license for that.

Well, I agree it might not be that easy to reproduce... 😞

Peter


33 minutes ago, Peter Randziak said:

Hello @eclipse79

EEA stands for ESET Endpoint Antivirus and EES for ESET Endpoint Security, so I would recommend installing the product you currently have.

If you have EEA and would like to try EES, let me know; I can order you a business trial license for that.

Well, I agree it might not be that easy to reproduce... 😞

Peter

Thank you,

No need to start a trial, I have EES. Thanks.


  • ESET Moderators

Hello @eclipse79,

as the issue probably won't be easy to reproduce, I would recommend enabling the logging before the attempt, to be sure. So if you succeed (I hope you will 😉), we will have the logs for the dev team to check.

On 3/21/2022 at 8:15 PM, Peter Randziak said:

if any issues arise, we will need the user to enable diagnostic logging of this component whenever needed (see screen below), run Outlook (or another email client), wait for the issue to appear, quit Outlook and disable diagnostic logging to avoid extensive log recording for a longer time. The resulting log will be stored under C:\ProgramData\ESET\ESET Security\Diagnostics\MailPlugins.etl

Peter


On 4/25/2022 at 12:26 PM, Peter Randziak said:

Hello @eclipse79,

as the issue probably won't be easy to reproduce, I would recommend enabling the logging before the attempt, to be sure. So if you succeed (I hope you will 😉), we will have the logs for the dev team to check.

Peter

I have an update on this thread. I found the original email in the Office 365 quarantine, and it contains an HTML attachment.

Office 365 dynamic delivery usually permits access to a "safe version" of attachments that are currently being scanned. My supposition is that the "safe version" of the HTML... is not safe... (probably it contains malicious JS?). So, it's quite clear WHY Eset detects a virus in the "ATP scan in progress" email attachment.

What is not clear is: why was this email not moved to the "Detected items" email folder in Outlook?


Edited by eclipse79

This topic is now closed to further replies.