Differences between EAV and "VirusTotal ESET" detection

[John999 3]

I wonder why EAV blocks some URL's (with a Java Script warning or trojan) but those URL's, when checked thru VirusTotal, show that "ESET" find clean.

I am talking, for example, about these two (the first is a p*rn site)

https://watchmdh.to/
hxxp://depositfiles.com/

 

The ESET "engine" inside VirusTotal is different?

[Marcos 4,694]

That's because on VirusTotal you check if a website is blacklisted by AV vendors while AVs scan the actual html code to determine if it's malicious.

[rotaru 10]

12 hours ago, Marcos said:

That's because on VirusTotal you check if a website is blacklisted by AV vendors while AVs scan the actual html code to determine if it's malicious.

That could be, however from 91 vendors none detected the sites as malicious.

Hard to be lieve that ESET is so special to be the only one detecting something......

[Marcos 4,694]

There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements:

[rotaru 10]

1 hour ago, Marcos said:

There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements:

I am not an expert, so I searched the internet:

"Obfuscation can be used to hide the business logic from outside world and also obfuscation will reduce the size of the file drastically so data transfer between server and client will be fast."

Also :

"A research that analyzed over 10,000 samples of diverse malicious software written in JavaScript concluded that roughly 26% of it is obfuscated to evade detection and analysis."

 

This doesn't mean that every obfuscated JS is malicious.

An user getting this pop up will go to search on Virus Total , only to find ZERO detection , including from ESET.

So, what is the user supposed to do????

 

[Marcos 4,694]

28 minutes ago, rotaru said:

This doesn't mean that every obfuscated JS is malicious.

I agree. There is probably no AV that detects every obfuscated JS, otherwise they would have tons of FPs.

Above I also wrote: ... is most likely responsible for pop-up advertisements

[rotaru 10]

11 hours ago, Marcos said:

I agree. There is probably no AV that detects every obfuscated JS, otherwise they would have tons of FPs.

Above I also wrote: ... is most likely responsible for pop-up advertisements

So, again, what is a regular user supposed to do?

ESET says is malicious , Virus Total has ZERO detection from 91 vendors.

[John999 3]

From Marcos reply I understood that is VirusTotal that gives a misleading information, since URLS's are not "scanned" but only compared to vendor's blacklists, and blacklisting is not a real time task.

[Marcos 4,694]

1 hour ago, John999 said:

From Marcos reply I understood that is VirusTotal that gives a misleading information, since URLS's are not "scanned" but only compared to vendor's blacklists, and blacklisting is not a real time task.

Correct. I'd only add that blacklisting a url takes only about 5 minutes until it takes effect in VirusTotal. In this case the url is not blacklisted but the JavaScript is detected when the actual html code is scanned. Scanning a URL at VirusTotal doesn't scan actual html content on the website unlike Quttera does and only compares the url with vendors' url blacklists.

[rotaru 10]

42 minutes ago, Marcos said:

but the JavaScript is detected when the actual html code is scanned

 

 

43 minutes ago, Marcos said:

the actual html code is scanned

Again , scanning the URL for "obfuscated JS" adds ZERO value to malware detection, so why is implemented by ESET????

[LesRMed 16]

Because it can be used for malicious reasons. Better safe than sorry. 

[itman 1,538]

This statement needs further clarification;

On 12/22/2022 at 3:33 AM, Marcos said:

There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements

Browsers have options to block pop-ups.

Pop-up ads although a nuisance are not necessarily malicious.

Browsers have extension/add-ons that will block ads.

Whether JavaScript code being processed by a browser is obfuscated per se is immaterial. It is only material if the JavaScript code after being de-obfuscated is determined to contain malicious code. Therefore in this instance, did the JavaScript code contain malware or perform activities that are suspicious enough to warrant blocking of the URL?

[itman 1,538]

On 12/21/2022 at 12:44 PM, John999 said:

I am talking, for example, about these two (the first is a p*rn site)

https://watchmdh.to/
hxxp://depositfiles.com/

Also of note is I have Firefox set to use HTTPS connection by default.

Eset does not block access to https://depositfiles.com/.

[Marcos 4,694]

1 hour ago, John999 said:

May I ask Marcos to tell me what is exactly the problem with depositfiles.com?

I don't know what detection you got. I got an alert about JS/Adware.Agent.AU when clicking an ad on their website. The detection is correct.