Incompatibility between Eset and Office 365 Advanced Threat Protection with Dynamic Relay

[eclipse79 4]

Hello,

I would like to discuss about a possible incompatibility between Eset plugin for Outlook and Office Advanced Threat Protection with Dynamic relay.

What is dynamic relay

If a user receives a suspicious email with attachments, Office 365 delivers an email that has the original subject and text message BUT without attachments (that are scanned in cloud). This email contains an attached email in .msg format that represents a standard Office365 template with a list of scanning files.

When the scan is complete and if attachments are clean, the original email replaces the previous one.

What happens with Eset

Yesterday I received a notification about a worm contained in incoming email. This is the export of the events:

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress </COLUMN>
      <COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
      <COLUMN NAME="Azione">conteneva file infetti</COLUMN>
      <COLUMN NAME="Informazione">Si è verificato un evento in seguito alla ricezione di un’e-mail da parte dell'applicazione: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE.</COLUMN>
      <COLUMN NAME="Hash"></COLUMN>
      <COLUMN NAME="Prima visualizzazione"></COLUMN>
    </RECORD>

    <RECORD>
      <COLUMN NAME="Oggetto">da: Office 365 ATP con oggetto ATP Scan In Progress  » MIME » ATT81479.htm.7397C898-8104-4E2E-8926-98082ABAE229.PendingScan</COLUMN>
      <COLUMN NAME="Rilevamento">JS/Kryptik.BMZ trojan horse</COLUMN>
      <COLUMN NAME="Azione">eliminato</COLUMN>
      <COLUMN NAME="Informazione"></COLUMN>
      <COLUMN NAME="Hash">3CDC6AD46BEF3A9DA6F7DC5519329B4EFC7BD53C</COLUMN>
      <COLUMN NAME="Prima visualizzazione"></COLUMN>
    </RECORD>
 </LOG>
</ESET>

 

The first problem

The subject reported in xml data is the same of the attached .msg Office 365 template, that should be safe. So I think that, if Eset detected a virus, the only explanation is that the worm has been not detected by Office 365 scan… the problem is that Eset should report the real name of attachment/email subject, not “ATP scan in progess” that is always safe (because it does not have NEVER infected files). This behavior makes hard to find the original infected email.

The second problem

Eset email policy is configured to move infected email in a specific folder. This folder is empty. So I have again no information about the original infected email.

I probably found it (I noticed an email received at the exact moment of detection), but it is a supposition: my user has 10 email accounts… it’s very hard to find infected emails in such cases.

My request: please, make Eset more compatible with Office 365 ATP function.

Thanks

Edited April 22, 2022 by eclipse79
title correction

[Peter Randziak 1,130]

Hello @eclipse79,

can you please try and let us know how it behaves with the new ESET plugin for Outlook?

https://forum.eset.com/topic/31777-new-outlook-plugin-beta/

Peter

[eclipse79 4]

3 minutes ago, Peter Randziak said:

Hello @eclipse79,

can you please try and let us know how it behaves with the new ESET plugin for Outlook?

https://forum.eset.com/topic/31777-new-outlook-plugin-beta/

Peter

Thank you for your quick reply.

I indeed will try, even if the contiditions that i described are difficult to reproduce...

I have Eset 9.0.2046.0 in a windows 11 64 bit. What installer should I use? I see ees_* and eea_* files.

Thanks

[Peter Randziak 1,130]

Hello @eclipse79

the EEA stands for ESET Endpoint Antivirus and EES for ESET Endpoint Security so I would recommend to install the product, you currently have.

If you have EEA and would like to try EES, let me know I can order you a business trial license for that.

Well I agree it might be not that easy to reproduce that... 😞 

Peter

[eclipse79 4]

33 minutes ago, Peter Randziak said:

Hello @eclipse79

the EEA stands for ESET Endpoint Antivirus and EES for ESET Endpoint Security so I would recommend to install the product, you currently have.

If you have EEA and would like to try EES, let me know I can order you a business trial license for that.

Well I agree it might be not that easy to reproduce that... 😞 

Peter

Thank you,

No need to start a trial, I have EES, thanks

[Peter Randziak 1,130]

Hello @eclipse79,

as the issue probably won't be easy to reproduce, I would recommend to enable the logging before the attempt for sure. So if you succeed (I hope you will 😉 ), we will have the logs for the dev team to check it.

On 3/21/2022 at 8:15 PM, Peter Randziak said:

if any issues will arise, we will need the user to enable diagnostic logging of this component whenever needed (see screen below), run Outlook (or other email client), wait for the issue to demonstrate, quit Outlook and disable diagnostic logging to avoid extensive log-recording for a longer time. The resulting log will be stored under C:\ProgramData\ESET\ESET Security\Diagnostics\MailPlugins.etl

Peter

[eclipse79 4]

On 4/25/2022 at 12:26 PM, Peter Randziak said:

Hello @eclipse79,

as the issue probably won't be easy to reproduce, I would recommend to enable the logging before the attempt for sure. So if you succeed (I hope you will 😉 ), we will have the logs for the dev team to check it.

Peter

I have an update on this thread. I found in Office 365 quarantine the original email and it contains an html attachment.

Office 365 dynamic delivery usually permits to access to a "safe version" of attachment that are currently scanned. My supposition is that the "safe version" of html... is not safe... (probably it contains malicious JS?). So, it's quite clear WHY Eset detects virus on "ATP scan in progress" email attachment.

What is not clear is: why this email has not moved in "Detected items" email folder in Outlook?

 

Edited May 12, 2022 by eclipse79