Jump to content

[Suggestion] This is why I don't like Generik detection


Recommended Posts

Hello,

I have submitted over hundreds of virus samples to ESET. But there is still a fly in the ointment.

First of all, ESET should not rely on the Generik detection as it is an ambiguous detection.
If a sample does not have a correct detection name (proper analysis process), the sample will not be detected in the future as the detection will be removed from virus definition.

In addition, I have submitted a Cobalt Strike malware sample (VT) on November 11 last year [TRACK#61879A090160].

Quote

Thank you for your submission.
The detection of the threat is covered by the current version of detection engine.

38667bc3ad2dcef35a5f343a5073e3f2 - Generik.BARZRM trojan
834002efbb051925b860df65165b0682 - MSIL/TrojanDownloader.Agent.JJH trojan

Regards,

ESET Malware Response Team


It was analyzed as Generik.BARZRM trojan, probably processed automatically.
After 6 months, the sample is not detected. Therefore, I submitted it again to ESET for further analysis [TRACK#62947AF70248].
Now the final verdict was Win64/CobaltStrike.Beacon.A trojan and C2 is already dead.

Quote

Thank you for your submission.
The detection for this threat will be included in the next update of detection engine, expected version: 25351.

38667bc3ad2dcef35a5f343a5073e3f2.exe.vir - Win64/CobaltStrike.Beacon.A trojan

Regards,

ESET Malware Response Team

It is good to have Generik detection method as it has high priority for unknown malware that normally packed in VMProtect, NSIS packages and etc (upper layer), which is nice.
Unfortunately, it can be easily bypassed by hash.

I'm hoping ESET Research Lab can analyze it again, if the sample is already detected as Generik and submitted by users for further analysis.

Thank you.

Regards,
Ivan

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...