Kristal, posted July 22, 2022 (edited July 22, 2022 by Kristal)
Here's the infected file without an archive, and ESET detects it as A Variant Of MSIL/Agent.CFW. Here's the same infected file, but I archived it without a password and ESET can't detect it. ESET says it's clean. But the archived file can't be healed, right? And a lot of other vendors flag it as malware, and for them it doesn't matter whether this file is archived or not, or how many times it is archived. When will ESET be able to detect archived malware? I mean archives without a password.
Marcos (Administrators), posted July 22, 2022
Did you right-click the file and choose to scan it with ESET? Of course, assuming that you didn't disable scanning of archives for the context menu scan profile. Real-time protection never scanned inside archives, not in bigger archives on file access.
Nevermind, posted July 22, 2022
You failed to mention that it is like 10 archives nested inside each other. By default the context menu scan scans only X levels of archive. The maximum is 20, so if you set it to 20 in the settings, it will detect it. Not mentioning the real-time scan; it would be a waste of time unpacking so many levels of archive in real time.
Marcos (Administrators), posted July 22, 2022
Normally malware is not spread in archives nested that deep. If we come across such malware, we would definitely consider increasing the default nesting level to scan.
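To make the nesting-level limit that Nevermind and Marcos discuss concrete, here is an added Python example (not ESET's code; the page does not describe how ESET's scanner walks archives internally). It wraps a harmless, constructed stand-in file in N zip layers, then scans the result with a hash-based stand-in "signature" under a configurable depth limit, so you can see that a 12-deep nesting is missed at depth 10 and caught at depth 12 or 20; the per-member size cap is an added safeguard against decompression bombs, not something the thread mentions.

```python
import hashlib
import io
import zipfile

# Constructed, harmless stand-in for the flagged file (NOT real malware).
PAYLOAD_NAME = "sample.exe"
PAYLOAD = b"MZ constructed harmless stand-in for the flagged file"
# Hypothetical hash "signature" standing in for a vendor detection name.
KNOWN_BAD_SHA256 = {hashlib.sha256(PAYLOAD).hexdigest(): "MSIL/Agent.CFW (stand-in)"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to inflate oversized members


def nest_in_zips(name: str, data: bytes, levels: int) -> bytes:
    """Wrap `data` in `levels` zip archives, each containing the previous one."""
    blob, inner_name = data, name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name, blob)
        blob, inner_name = buf.getvalue(), f"level{i + 1}.zip"
    return blob


def scan_bytes(name: str, data: bytes, max_depth: int, depth: int = 0) -> list:
    """Return (path, label) hits. Archives are only opened while depth < max_depth,
    so `max_depth` is the number of archive layers the scanner is willing to peel."""
    hits = []
    label = KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())
    if label:
        hits.append((name, label))
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    content = member.read(MAX_MEMBER_BYTES + 1)
                if len(content) > MAX_MEMBER_BYTES:
                    continue  # oversized member: skip rather than inflate it fully
                hits += scan_bytes(f"{name}/{info.filename}", content, max_depth, depth + 1)
    return hits


def detected_at(levels: int, max_depth: int) -> bool:
    """True if the stand-in file nested `levels` deep is found with a `max_depth` limit."""
    blob = nest_in_zips(PAYLOAD_NAME, PAYLOAD, levels)
    outer = "outer.zip" if levels else PAYLOAD_NAME
    return any(path.endswith(PAYLOAD_NAME) for path, _ in scan_bytes(outer, blob, max_depth))


if __name__ == "__main__":
    for limit in (10, 12, 20):
        print(f"12 nested layers, scan limit {limit}: detected={detected_at(12, limit)}")
```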
Kristal (Author), posted July 22, 2022
2 hours ago, Marcos said: "Did you right-click the file and choose to scan it with ESET? Of course, assuming that you didn't disable scanning of archives for the context menu scan profile. Real-time protection never scanned inside archives, not in bigger archives on file access."
I use ESET Online Scanner. Scanning archives is turned on.
2 hours ago, Nevermind said: "You failed to mention that it is like 10 archives nested inside each other. By default the context menu scan scans only X levels of archive. The maximum is 20, so if you set it to 20 in the settings, it will detect it. Not mentioning the real-time scan; it would be a waste of time unpacking so many levels of archive in real time."
I use ESET Online Scanner. This tool doesn't have this setting.
1 hour ago, Marcos said: "Normally malware is not spread in archives nested that deep. If we come across such malware, we would definitely consider increasing the default nesting level to scan."
The creator of a malware can archive it in many, many archives to hide it from ESET. And a user can run the .exe malware file without unarchiving it and infect a system.
Marcos (Administrators), posted July 22, 2022
The ESET Online Scanner doesn't contain features that could detect new malware otherwise detectable by an installed ESET product.
Kristal (Author), posted July 22, 2022
41 minutes ago, Marcos said: "The ESET Online Scanner doesn't contain features that could detect new malware otherwise detectable by an installed ESET product."
Does VirusTotal use ESET Online Scanner or an ESET product?
New_Style_xd, posted July 22, 2022
1 minute ago, Kristal said: "Does VirusTotal use ESET Online Scanner or an ESET product?"
It uses an ESET product, as far as I know.
Marcos (Administrators), posted July 22, 2022
1 minute ago, New_Style_xd said: "It uses an ESET product, as far as I know."
They use the command line scanner ecls.exe, so it's the same as the online scanner in terms of detection.
peteyt (Most Valued Members), posted July 22, 2022
1 hour ago, Kristal said: "Does VirusTotal use ESET Online Scanner or an ESET product?"
I believe it uses signatures, but AVs have stuff designed to flag malware that doesn't have a signature yet. For example, in ESET Security Premium, ESET has LiveGuard, which sends new files not seen before for review and locks them while waiting for a verdict.
Marcos (Administrators), posted July 22, 2022
VirusTotal won't show detections by pico updates, LiveGrid/LiveGuard, script-scanner, behavioral, memory scanner / AMS detections, etc.
Veremo, posted July 22, 2022
7 hours ago, Kristal said: "a user can run the .exe malware file without unarchiving it and infect a system"
Could you please elaborate on what you mean by that?
Nevermind, posted July 23, 2022
17 hours ago, Kristal said: "And a user can run the .exe malware file without unarchiving it and infect a system."
Really? I'm sure you would get a hefty sum of $ from Microsoft if you could tell them how to run a file from an archive without actually unarchiving it.
Marcos (Administrators), posted July 23, 2022
36 minutes ago, Nevermind said: "Really? I'm sure you would get a hefty sum of $ from Microsoft if you could tell them how to run a file from an archive without actually unarchiving it."
Maybe the OP meant that he can execute a file using a compression tool without extracting it first. However, even then the tool extracts the file to a temporary folder before execution.
peteyt (Most Valued Members), posted July 24, 2022
On 7/23/2022 at 10:10 AM, Marcos said: "Maybe the OP meant that he can execute a file using a compression tool without extracting it first. However, even then the tool extracts the file to a temporary folder before execution."
And I presume this would get scanned by the AV.
itman, posted July 24, 2022 (edited July 24, 2022 by itman)
The question is if ESET can detect the latest incarnation of Qakbot? https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/
Of note is that this particular attack only works on the Win 7 version of calc.exe:
"It should be noted, that this DLL sideloading flaw no longer works in Windows 10 Calc.exe and later, which is why the threat actors bundle the Windows 7 version." https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/
Marcos (Administrators), posted July 25, 2022
In this topic we were not discussing detection of a particular malware but an already detected malware that is compressed more than 10 times. We concluded that no matter how many times it is compressed, it's always detected by real-time protection upon extraction from the archive.
Re. the Qakbot, according to the IoCs listed in the above article we detect it:
8760c4b4cc8fdcd144651d5ba02195d238950d3b70abd7d7e1e2d42b6bda9751.dll - a variant of Win32/Agent.AELN trojan
c992296a35528b12b39052e8dedc74d42c6d96e5e63c0ac0ad9a5545ce4e8d7e.dll - a variant of Win32/Injector.ERPI trojan
cb83a65a625a69bbae22d7dd87686dc2be8bd8a1f8bb40e318e20bc2a6c32a8e.html - JS/TrojanDropper.Agent.OSK trojan