[Suggestion] This is why I don't like Generik detection

Hello,

I have submitted hundreds of virus samples to ESET. But there is still a fly in the ointment.

First of all, ESET should not rely on Generik detection, as it is an ambiguous detection.
If a sample does not get a correct detection name (through a proper analysis process), the sample will not be detected in the future, as the detection will be removed from the virus definitions.

In addition, I have submitted a Cobalt Strike malware sample (VT) on November 11 last year [TRACK#61879A090160].

Quote

Thank you for your submission.
The detection of the threat is covered by the current version of detection engine.

38667bc3ad2dcef35a5f343a5073e3f2 - Generik.BARZRM trojan
834002efbb051925b860df65165b0682 - MSIL/TrojanDownloader.Agent.JJH trojan

Regards,

ESET Malware Response Team


It was analyzed as Generik.BARZRM trojan, probably processed automatically.
After 6 months, the sample was no longer detected. Therefore, I submitted it again to ESET for further analysis [TRACK#62947AF70248].
Now the final verdict is Win64/CobaltStrike.Beacon.A trojan, and the C2 is already dead.

Quote

Thank you for your submission.
The detection for this threat will be included in the next update of detection engine, expected version: 25351.

38667bc3ad2dcef35a5f343a5073e3f2.exe.vir - Win64/CobaltStrike.Beacon.A trojan

Regards,

ESET Malware Response Team

It is good to have the Generik detection method, as it has high priority for unknown malware that is normally packed in VMProtect, NSIS packages, etc. (upper layer), which is nice.
Unfortunately, it can be easily bypassed by changing the hash.

I'm hoping the ESET Research Lab can analyze a sample again if it is already detected as Generik and is submitted by users for further analysis.

Thank you.

Regards,
Ivan
