Jump to content

Differences between EAV and "VirusTotal ESET" detection

John Dow

By John Dow
in ESET NOD32 Antivirus

 Share
Go to solution Solved by Marcos,

Recommended Posts

John Dow

John Dow 4

Posted
Posted

I wonder why EAV blocks some URL's (with a Java Script warning or trojan) but those URL's, when checked thru VirusTotal, show that "ESET" find clean.

I am talking, for example, about these two (the first is a p*rn site) 

https://watchmdh.to/
hxxp://depositfiles.com/

 

The ESET "engine" inside VirusTotal is different?

Link to comment
Share on other sites
rotaru

rotaru 10

Posted
Posted
12 hours ago, Marcos said:

That's because on VirusTotal you check if a website is blacklisted by AV vendors while AVs scan the actual html code to determine if it's malicious.

That could be, however from 91 vendors none detected the sites as malicious.

Hard to be lieve that ESET is so special to be the only one detecting something......

Link to comment
Share on other sites
rotaru

rotaru 10

Posted
Posted
1 hour ago, Marcos said:

There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements:

image.png

I am not an expert, so I searched the internet:

"Obfuscation can be used to hide the business logic from outside world and also obfuscation will reduce the size of the file drastically so data transfer between server and client will be fast."

Also :

"A research that analyzed over 10,000 samples of diverse malicious software written in JavaScript concluded that roughly 26% of it is obfuscated to evade detection and analysis."

 

This doesn't mean that every obfuscated JS is malicious.

An user getting this pop up will go to search on Virus Total , only to find ZERO detection , including from ESET.

So, what is the user supposed to do????

 

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,074

Posted
  • Administrators
Posted
28 minutes ago, rotaru said:

This doesn't mean that every obfuscated JS is malicious.

I agree. There is probably no AV that detects every obfuscated JS, otherwise they would have tons of FPs.

Above I also wrote: ... is most likely responsible for pop-up advertisements

Link to comment
Share on other sites
rotaru

rotaru 10

Posted
Posted
11 hours ago, Marcos said:

I agree. There is probably no AV that detects every obfuscated JS, otherwise they would have tons of FPs.

Above I also wrote: ... is most likely responsible for pop-up advertisements

So, again, what is a regular user supposed to do?

ESET says is malicious , Virus Total has ZERO detection from 91 vendors.

Link to comment
Share on other sites
John Dow

John Dow 4

Posted
  • Author
Posted

From Marcos reply I understood that is VirusTotal that gives a misleading information, since URLS's are not "scanned" but only compared to vendor's blacklists, and blacklisting is not a real time task.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,074

Posted
  • Administrators
Posted
1 hour ago, John999 said:

From Marcos reply I understood that is VirusTotal that gives a misleading information, since URLS's are not "scanned" but only compared to vendor's blacklists, and blacklisting is not a real time task.

Correct. I'd only add that blacklisting a url takes only about 5 minutes until it takes effect in VirusTotal. In this case the url is not blacklisted but the JavaScript is detected when the actual html code is scanned. Scanning a URL at VirusTotal doesn't scan actual html content on the website unlike Quttera does and only compares the url with vendors' url blacklists.

Link to comment
Share on other sites
rotaru

rotaru 10

Posted
Posted
42 minutes ago, Marcos said:

but the JavaScript is detected when the actual html code is scanned

 

 

43 minutes ago, Marcos said:

the actual html code is scanned

Again , scanning the URL for "obfuscated JS" adds ZERO value to malware detection, so why is implemented by ESET????

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted

This statement needs further clarification;

On 12/22/2022 at 3:33 AM, Marcos said:

There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements

Browsers have options to block pop-ups.

Pop-up ads although a nuisance are not necessarily malicious.

Browsers have extension/add-ons that will block ads.

Whether JavaScript code being processed by a browser is obfuscated per se is immaterial. It is only material if the JavaScript code after being de-obfuscated is determined to contain malicious code. Therefore in this instance, did the JavaScript code contain malware or perform activities that are suspicious enough to warrant blocking of the URL?

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
On 12/21/2022 at 12:44 PM, John999 said:

I am talking, for example, about these two (the first is a p*rn site) 

https://watchmdh.to/
hxxp://depositfiles.com/

Also of note is I have Firefox set to use HTTPS connection by default.

Eset does not block access to https://depositfiles.com/.

Link to comment
Share on other sites
  • 2 months later...
  • Administrators
Marcos

Marcos 5,074

Posted
  • Administrators
Posted
1 hour ago, John999 said:

May I ask Marcos to tell me what is exactly the problem with depositfiles.com?

I don't know what detection you got. I got an alert about JS/Adware.Agent.AU when clicking an ad on their website. The detection is correct.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...