
ESET can't detect threats from archives



Here's the infected file without an archive, and ESET detects it as A Variant Of MSIL/Agent.CFW.

Here's the same infected file, but I archived it without a password and ESET can't detect it. ESET says it's clean. But an archive can't heal the file, right? And a lot of other vendors flag it as malware, and for them it doesn't matter whether this file is archived or not, or how many times it is archived.

When will ESET be able to detect archived malware? I mean archives without a password.

Edited by Kristal

  • Administrators

Did you right-click the file and choose to scan it with ESET? Of course, assuming that you didn't disable scanning of archives for the context menu scan profile.

Real-time protection never scanned inside archives. Not in bigger archives on file access.


You failed to mention that it is like 10 archives inside each other. By default the context menu scan scans only X levels of archive. Maximum is 20, so if u set it to 20 in settings, it will detect it.

Not mentioning the realtime scan, it would be a waste of time unpacking so many levels of archive in realtime.

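To make the nesting-level point concrete, here is an added illustration (not code from this thread or from ESET): a constructed zip-in-zip chain and a walker that stops opening archives at a configurable nesting level, hashing whatever it reaches against a constructed "known bad" hash set. A ten-layer archive, as described above, is only seen through when the limit is at least 10; below that the walker reports which archive it had to leave unopened.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the "infected file" (harmless bytes, hashed below).
SAMPLE = b"MZ constructed sample for the nesting demo, not real malware"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def build_nested_zip(payload: bytes, name: str, depth: int) -> bytes:
    """Wrap `payload` in `depth` zip layers (a zip inside a zip inside ...)."""
    data, inner_name = payload, name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name, data)
        data, inner_name = buf.getvalue(), f"layer{level + 1}.zip"
    return data


def walk_archive(data: bytes, max_depth: int, depth: int = 0, path: str = ""):
    """Yield (path, sha256) for each non-archive member within `max_depth`
    levels; an archive the limit leaves unopened is yielded with sha256=None."""
    if depth >= max_depth:
        yield (path or "<outer archive>", None)
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = zf.read(info)
            member_path = f"{path}/{info.filename}"
            if zipfile.is_zipfile(io.BytesIO(member)):
                yield from walk_archive(member, max_depth, depth + 1, member_path)
            else:
                yield (member_path, hashlib.sha256(member).hexdigest())


def scan_with_depth_limit(data: bytes, known_hashes: set, max_depth: int):
    """Return (detected, unscanned): whether any reachable member matched a
    known-bad hash, and the archive paths the depth limit left unopened."""
    detected, unscanned = False, []
    for path, digest in walk_archive(data, max_depth):
        if digest is None:
            unscanned.append(path)
        elif digest in known_hashes:
            detected = True
    return detected, unscanned


if __name__ == "__main__":
    nested = build_nested_zip(SAMPLE, "sample.exe", 10)  # 10 layers, as in the thread
    for limit in (5, 10, 20):
        print(limit, scan_with_depth_limit(nested, {SAMPLE_SHA256}, limit))
```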

  • Administrators

Normally malware is not spread in archives nested that deep. If we come across such malware, we would definitely consider increasing the default nesting level to scan.


2 hours ago, Marcos said:

Did you right-click the file and choose to scan it with ESET? Of course, assuming that you didn't disable scanning of archives for the context menu scan profile.

Real-time protection never scanned inside archives. Not in bigger archives on file access.

I use ESET Online Scanner. Scanning archives is turned on.

2 hours ago, Nevermind said:

You failed to mention that it is like 10 archives inside each other. By default the context menu scan scans only X levels of archive. Maximum is 20, so if u set it to 20 in settings, it will detect it.

Not mentioning the realtime scan, it would be a waste of time unpacking so many levels of archive in realtime.

I use ESET Online Scanner. This tool doesn't have this setting.

1 hour ago, Marcos said:

Normally malware is not spread in archives nested that deep. If we come across such malware, we would definitely consider increasing the default nesting level to scan.

The creator of a malware can archive it in many, many archives to hide it from ESET. And a user can run an .exe malware file without unarchiving it and infect a system.


  • Administrators

The ESET Online Scanner doesn't contain features that could detect new malware otherwise detectable by an installed ESET product.


41 minutes ago, Marcos said:

The ESET Online Scanner doesn't contain features that could detect new malware otherwise detectable by an installed ESET product.

Does VirusTotal use ESET Online Scanner or ESET product?


  • Administrators
1 minute ago, New_Style_xd said:

Uses the ESET product, as far as I know.

They use the command line scanner ecls.exe, so it's the same as the online scanner in terms of detection.


  • Most Valued Members
1 hour ago, Kristal said:

Does VirusTotal use ESET Online Scanner or ESET product?

I believe it uses signatures, but AVs have stuff designed to flag malware that doesn't have a signature yet. For example, in Eset security premium ESET has LiveGuard, which sends new files not seen before for review and locks them while waiting for a verdict.


  • Administrators

VirusTotal won't show detections by pico updates, LiveGrid/LiveGuard, script-scanner, behavioral, memory scanner / AMS detections, etc.


7 hours ago, Kristal said:

a user can run an .exe malware file without unarchiving it and infect a system

Could you please elaborate on what you mean by that?


17 hours ago, Kristal said:

And a user can run an .exe malware file without unarchiving it and infect a system.

Really? I'm sure you would get a hefty sum of $ from Microsoft if you could tell them how to run a file from an archive w/o actually unarchiving it :)


  • Administrators
36 minutes ago, Nevermind said:

Really? I'm sure you would get a hefty sum of $ from Microsoft if you could tell them how to run a file from an archive w/o actually unarchiving it

Maybe the OP meant that he can execute a file using a compression tool without extracting it first. However, even then the tool extracts the file to a temporary folder before execution.


  • Most Valued Members
On 7/23/2022 at 10:10 AM, Marcos said:

Maybe the OP meant that he can execute a file using a compression tool without extracting it first. However, even then the tool extracts the file to a temporary folder before execution.

And I presume this would get scanned by the AV.


The question is whether ESET can detect the latest incarnation of Qakbot.

[Screenshot of ESET's Qakbot detection, image not preserved.]

https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/

Of note is this particular attack only works on Win 7 ver. of calc.exe:

Quote

It should be noted, that this DLL sideloading flaw no longer works in Windows 10 Calc.exe and later, which is why the threat actors bundle the Windows 7 version.

https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/

Edited by itman

  • Administrators

In this topic we were not discussing detection of a particular malware but an already detected malware that is compressed more than 10 times. We concluded that no matter how many times it is compressed, it's always detected by real-time protection upon extraction from the archive.

Re. the Qakbot, according to the IoCs listed in the above article we detect it:

8760c4b4cc8fdcd144651d5ba02195d238950d3b70abd7d7e1e2d42b6bda9751.dll - a variant of Win32/Agent.AELN trojan
c992296a35528b12b39052e8dedc74d42c6d96e5e63c0ac0ad9a5545ce4e8d7e.dll - a variant of Win32/Injector.ERPI trojan
cb83a65a625a69bbae22d7dd87686dc2be8bd8a1f8bb40e318e20bc2a6c32a8e.html - JS/TrojanDropper.Agent.OSK trojan

