ESET can't detect threats from archives

[Kristal 5]

Here's infected file without archive and ESET detects it like A Variant Of MSIL/Agent.CFW.

Here's the same infected file, but I archived it without password and ESET can't detect it. ESET says it's clean. But archive can't to heal the file, right? And a lot of other vendors flag it like malware and for them it doesn't matter this file is archived or not, and how many times it is archived.

When will can ESET detect archived malwares? I mean archives without password.

Edited July 22, 2022 by Kristal

[Marcos 5,074]

Did you right-click the file and chose to scan it with ESET? Of course, assuming that you didn't disable scanning of archives for the context menu scan profile.

Real-time protection never scanned inside archives. Not in bigger archives on file access.

[Nevermind 8]

You failed to mention that is like 10 archives inside each other. By default context menu scan scans only X levels of archive. Maximum is 20 so if u set it to 20 in settings, it will detect it.

Not menioning realtime scan, it would be waste of time unpacking so many levels of arhive realtime

[Marcos 5,074]

Normally malware is not spread in archives nested that deep. If we come across such malware, we would definitely consider increasing the default nesting level to scan.

[Kristal 5]

2 hours ago, Marcos said:

Did you right-click the file and chose to scan it with ESET? Of course, assuming that you didn't disable scanning of archives for the context menu scan profile.

Real-time protection never scanned inside archives. Not in bigger archives on file access.

I use ESET Online Scanner. Scanning archives is turned on.

2 hours ago, Nevermind said:

You failed to mention that is like 10 archives inside each other. By default context menu scan scans only X levels of archive. Maximum is 20 so if u set it to 20 in settings, it will detect it.

Not menioning realtime scan, it would be waste of time unpacking so many levels of arhive realtime

I use ESET Online Scanner. This tool doesn't have this setting.

1 hour ago, Marcos said:

Normally malware is not spread in archives nested that deep. If we come across such malware, we would definitely consider increasing the default nesting level to scan.

Creator of a malware can archived it on many many archives to hide it from ESET. And user can run .exe malware file without unarchiving and infect a system.

[Marcos 5,074]

The ESET Online scanner doesn't contain features that could detected new malware otherwise detectable by an installed ESET product.

[Kristal 5]

41 minutes ago, Marcos said:

The ESET Online scanner doesn't contain features that could detected new malware otherwise detectable by an installed ESET product.

Does VirusTotal use ESET Online Scanner or ESET product?

[New_Style_xd 69]

1 minute ago, Kristal said:

Does VirusTotal use ESET Online Scanner or ESET product?

Uses Eset Product, as far as I know.

[Marcos 5,074]

1 minute ago, New_Style_xd said:

Uses Eset Product, as far as I know.

They use the command line scanner ecls.exe so it's same as the online scanner in terms of detection.

[peteyt 393]

1 hour ago, Kristal said:

Does VirusTotal use ESET Online Scanner or ESET product?

I believe it uses signatures but AVs have stuff desiged to flag malware that doesn't have a signature yet. For example in Eset security premium eset has liveguard that sends new files not seen before for review and locks them while waiting for a verdict

[Marcos 5,074]

VirusTotal won't show detections by pico updates, LiveGrid/LiveGuard, script-scanner, behavioral, memory scanner / AMS detections, etc.

[Veremo 6]

7 hours ago, Kristal said:

user can run .exe malware file without unarchiving and infect a system

Could you please elaborate what do you mean by that ?

[Nevermind 8]

17 hours ago, Kristal said:

 And user can run .exe malware file without unarchiving and infect a system.

Really? Im sure you would get a hefty sum of $ from Microsoft if you could tell them how to run file from archive w/o actually unarchiving it

[Marcos 5,074]

36 minutes ago, Nevermind said:

Really? Im sure you would get a hefty sum of $ from Microsoft if you could tell them how to run file from archive w/o actually unarchiving it

Maybe the OP meant that he can execute a file using a compression tool without extracting it first. However, even then the tool extracts the file to a temporary folder before execution.

[peteyt 393]

On 7/23/2022 at 10:10 AM, Marcos said:

Maybe the OP meant that he can execute a file using a compression tool without extracting it first. However, even then the tool extracts the file to a temporary folder before execution.

And I presume this would get scanned by the AV

[itman 1,659]

The question is if Eset can detect the latest incarnation of Qakbot?

https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/

Of note is this particular attack only works on Win 7 ver. of calc.exe:

Quote

It should be noted, that this DLL sideloading flaw no longer works in Windows 10 Calc.exe and later, which is why the threat actors bundle the Windows 7 version.

https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/

Edited July 24, 2022 by itman

[Marcos 5,074]

In this topic we were not discussing detection of a particular malware but an already detected malware that is compressed more than 10 times. We concluded that no matter of how many times is compressed, it's always detected by real-time protection upon extraction from the archive.

Re. the Quakbot, according to the IoC listed in the above article we detect it:

8760c4b4cc8fdcd144651d5ba02195d238950d3b70abd7d7e1e2d42b6bda9751.dll - a variant of Win32/Agent.AELN trojan
c992296a35528b12b39052e8dedc74d42c6d96e5e63c0ac0ad9a5545ce4e8d7e.dll - a variant of Win32/Injector.ERPI trojan
cb83a65a625a69bbae22d7dd87686dc2be8bd8a1f8bb40e318e20bc2a6c32a8e.html - JS/TrojanDropper.Agent.OSK trojan