Jump to content

Differences between EAV and "VirusTotal ESET" detection


John999
 Share

Go to solution Solved by Marcos,

Recommended Posts

I wonder why EAV blocks some URL's (with a Java Script warning or trojan) but those URL's, when checked thru VirusTotal, show that "ESET" find clean.

I am talking, for example, about these two (the first is a p*rn site)

https://watchmdh.to/
hxxp://depositfiles.com/

 

The ESET "engine" inside VirusTotal is different?

Link to comment
Share on other sites

12 hours ago, Marcos said:

That's because on VirusTotal you check if a website is blacklisted by AV vendors while AVs scan the actual html code to determine if it's malicious.

That could be, however from 91 vendors none detected the sites as malicious.

Hard to be lieve that ESET is so special to be the only one detecting something......

Link to comment
Share on other sites

1 hour ago, Marcos said:

There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements:

image.png

I am not an expert, so I searched the internet:

"Obfuscation can be used to hide the business logic from outside world and also obfuscation will reduce the size of the file drastically so data transfer between server and client will be fast."

Also :

"A research that analyzed over 10,000 samples of diverse malicious software written in JavaScript concluded that roughly 26% of it is obfuscated to evade detection and analysis."

 

This doesn't mean that every obfuscated JS is malicious.

An user getting this pop up will go to search on Virus Total , only to find ZERO detection , including from ESET.

So, what is the user supposed to do????

 

Link to comment
Share on other sites

  • Administrators
28 minutes ago, rotaru said:

This doesn't mean that every obfuscated JS is malicious.

I agree. There is probably no AV that detects every obfuscated JS, otherwise they would have tons of FPs.

Above I also wrote: ... is most likely responsible for pop-up advertisements

Link to comment
Share on other sites

11 hours ago, Marcos said:

I agree. There is probably no AV that detects every obfuscated JS, otherwise they would have tons of FPs.

Above I also wrote: ... is most likely responsible for pop-up advertisements

So, again, what is a regular user supposed to do?

ESET says is malicious , Virus Total has ZERO detection from 91 vendors.

Link to comment
Share on other sites

From Marcos reply I understood that is VirusTotal that gives a misleading information, since URLS's are not "scanned" but only compared to vendor's blacklists, and blacklisting is not a real time task.

Link to comment
Share on other sites

  • Administrators
1 hour ago, John999 said:

From Marcos reply I understood that is VirusTotal that gives a misleading information, since URLS's are not "scanned" but only compared to vendor's blacklists, and blacklisting is not a real time task.

Correct. I'd only add that blacklisting a url takes only about 5 minutes until it takes effect in VirusTotal. In this case the url is not blacklisted but the JavaScript is detected when the actual html code is scanned. Scanning a URL at VirusTotal doesn't scan actual html content on the website unlike Quttera does and only compares the url with vendors' url blacklists.

Link to comment
Share on other sites

42 minutes ago, Marcos said:

but the JavaScript is detected when the actual html code is scanned

 

 

43 minutes ago, Marcos said:

the actual html code is scanned

Again , scanning the URL for "obfuscated JS" adds ZERO value to malware detection, so why is implemented by ESET????

Link to comment
Share on other sites

This statement needs further clarification;

On 12/22/2022 at 3:33 AM, Marcos said:

There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements

Browsers have options to block pop-ups.

Pop-up ads although a nuisance are not necessarily malicious.

Browsers have extension/add-ons that will block ads.

Whether JavaScript code being processed by a browser is obfuscated per se is immaterial. It is only material if the JavaScript code after being de-obfuscated is determined to contain malicious code. Therefore in this instance, did the JavaScript code contain malware or perform activities that are suspicious enough to warrant blocking of the URL?

Link to comment
Share on other sites

On 12/21/2022 at 12:44 PM, John999 said:

I am talking, for example, about these two (the first is a p*rn site)

https://watchmdh.to/
hxxp://depositfiles.com/

Also of note is I have Firefox set to use HTTPS connection by default.

Eset does not block access to https://depositfiles.com/.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...