rotaru, posted May 28, 2023:
Hello, out of curiosity, is there any relationship between ESET and malwarebazaar (abuse.ch)? I am asking because often samples just posted on malwarebazaar are detected by ESET using an exact signature, which seems strange. Some other players (Kaspersky), if they detect it, it is by their heuristic capabilities. Thanks!
Marcos (Administrator), posted May 28, 2023:
There is no relation between ESET and the said service. Also, the question is what you mean by "exact signature", because ESET uses smart DNA/XDNA detections a lot that describe the behavior and characteristics, and those are in no way "exact signatures".
itman, posted May 28, 2023 (edited May 28, 2023 by itman):
Here's a write-up on Eset heuristic scanning: https://support.eset.com/en/kb127-what-are-heuristics . A heuristic detection can usually, but not always, be spotted by the Eset Detection log entry beginning with the wording "a variant of ......".
itman, posted May 28, 2023 (edited May 28, 2023 by itman):
Quoting rotaru (9 hours earlier): "I am asking because often samples just posted on malwarebazaar are detected by ESET using an exact signature, which seems strange."
A sample just posted does not imply it's "still in the wild" as far as never being seen before. I have found samples with zero detections at VT after a refresh. I download the sample and Eset immediately zaps it, as with the below example:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/15/2023 6:34:53 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\c97262c95c1eb9252b1ffa7ff332602f7c70815f4707663f0d82eec3333da8ac.bat;BAT/Agent.PLI trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;CB1EA295D6FC6A2A502C9C35F2FC10861CF87F89;5/15/2023 6:34:39 PM
rotaru (author), posted May 29, 2023:
Quoting itman (12 hours earlier): "I have found samples with zero detections at VT after a refresh. I download the sample and Eset immediately zaps it."
The "reverse" is also valid; see here: https://www.virustotal.com/gui/file/1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292/detection/f-1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292-1685350357 (recently posted, detected by 34 antiviruses but not ESET).
Marcos (Administrator), posted May 29, 2023:
Quoting rotaru (9 minutes earlier): "The "reverse" is also valid; see here: https://www.virustotal.com/gui/file/1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292/detection/f-1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292-1685350357 (recently posted, detected by 34 antiviruses but not ESET)."
Detected for 6 hours already:
1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292 - a variant of MSIL/Kryptik.AIXP trojan
Detection upon execution without Internet connection and modules frozen 17 days ago:
itman, posted May 29, 2023:
Quoting rotaru (5 hours earlier): "recently posted, detected by 34 antiviruses but not ESET"
You really can't count on Eset detection on VT for new malware. The first thing Eset will do for new malware is create a LiveGrid blacklist detection for it while it analyzes the malware further. Those LiveGrid blacklist detections do not show in VT results. Remember that not all Eset detection and/or protection mechanisms are deployed on the copy deployed at VT.
itman, posted May 29, 2023 (edited May 29, 2023 by itman):
As far as Eset total miss detections of Malware Bazaar samples go, I have had some, but they are "far and few in between" instances. The most recent missed detection was a malware loader which, when auto submitted to LiveGuard, came back with a clean status. Finally, I do not attempt to run these missed detections. As such, it is possible Eset would have detected them post execution at some point.
itman, posted May 29, 2023 (edited May 29, 2023 by itman):
Quite a few are fixated with VirusTotal as the "Holy Grail" reference when it comes to security software detection capability. It is very far from that status, as noted in this article: https://www.virusbulletin.com/virusbulletin/2018/01/vb2017-paper-virustotal-tips-tricks-and-myths/
Of note, quoting the article:
"MYTH 2: DETECTION OF MALWARE ON VIRUSTOTAL MEANS THE SCANNER HAS DETECTION OF THE MALWARE
VirusTotal displays what a product says it detected. This does not mean that the scanner would detect that threat if it was on your computer. As VirusTotal explained, the vendors are free to configure their products as they wish to. It is not as simple as trying to configure your product the same way. A vendor can use undocumented switches to obtain heuristic detections that the user cannot. Although VirusTotal explains that heuristics may be different between perimeter solutions and desktop solutions, a command-line scanner can behave differently from either a desktop or perimeter solution. Vendors can configure cloud detections in a manner that only detects scans from VirusTotal (or a test lab). In some cases a sample is detected by its wrapper alone. The actual threat inside the wrapper may not be detected. If the malware is present outside of its wrapper, then it may not be detected."
rotaru (author), posted May 29, 2023 (marked as solution):
Quoting itman (3 hours earlier): "Quite a few are fixated with VirusTotal as the "Holy Grail" reference"
So, let's review what options are open for a regular user in choosing the right product:
- AV comparatives and AT tests are not relevant; they do not reproduce "real life" situations
- VirusTotal as the "Holy Grail" reference when it comes to security software detection capability is a no go
- YouTube enthusiasts who are testing do not know what they are doing
- Doing various tests yourself is not "condoned" by the antivirus providers
So, what is left then? The eternal question is "Did you have any issue using my product?", with the answer, in 99% of the situations, "No, I did not have any issues". And I never had, regardless of paid or free antiviruses. So, how do we choose then?
AnthonyQ, posted May 30, 2023:
The overall quality of MB samples is not so high. There are many clean samples on it. Occasionally there are some interesting and noteworthy samples on MB shared by some famous threat hunters, and I hope ESET analysts can monitor those samples.
rotaru (author), posted May 30, 2023:
Quoting AnthonyQ (5 hours earlier): "There are many clean samples on it"
Personally, I couldn't find any. I test every 2-3 days whatever is posted, on a VM with ESET, Kaspersky, Avira.
itman, posted May 30, 2023:
Quoting rotaru (18 hours earlier): "AV comparatives and AT tests are not relevant; they do not reproduce "real life" situations"
Actually, the AV lab real-time periodic tests do reproduce actual malware delivery in that their samples are delivered to the testing environment via accessing URLs where the malware is being hosted. The problem with some AV labs is their testing environment is a VM. Malware is increasingly being made VM aware and won't execute, or execute properly, in a VM. Ditto for ad hoc testers who do the same.
itman, posted May 31, 2023:
Here's a "hot off the press" example: https://www.bleepingcomputer.com/news/security/terminator-antivirus-killer-is-a-vulnerable-windows-driver-in-disguise/ of a malware using a legit Zemana kernel mode driver to disable security software. Me thinks surely Eset won't detect this driver since it's legit. Well, not the case when I tried to download the driver:

Time;URL;Status;Detection;Application;User;IP address;Hash
5/31/2023 4:36:20 PM;https://malshare.com/sampleshare.php?action=getfile&hash=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxx;95.217.89.49;F241EFD2F9F372316FF92D430CAECBEBEED17D46

Note that on VT the driver is only being detected by one vendor. Bottom line: take VT detections as, at best, a rough approximation that the malware won't be detected by Eset.
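The two log exports itman pasted in this thread (the Detections log above under May 28 and the Web access log just above) are semicolon-separated with a header row. The following is an added example, not ESET tooling or anything posted by the forum members: it parses both export shapes, applies itman's earlier rule of thumb that a Detection beginning "a variant of" is usually a heuristic/DNA hit rather than a named one, and pulls every SHA-256/SHA-1 out of a row so the hashes can be cross-checked elsewhere. The class labels (`heuristic`, `named-detection`, `url-block:...`) are my own naming.

```python
import csv
import io
import re
from typing import Dict, List

# Two log exports copied from itman's posts in this thread (user already
# masked as xxxxxxx there). ESET exports are semicolon-separated with a
# header row, and the column set differs between the Detections log and
# the Web access (URL) log, so we key everything off the header.
DETECTIONS_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/15/2023 6:34:53 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\c97262c95c1eb9252b1ffa7ff332602f7c70815f4707663f0d82eec3333da8ac.bat;BAT/Agent.PLI trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;CB1EA295D6FC6A2A502C9C35F2FC10861CF87F89;5/15/2023 6:34:39 PM
"""

URL_LOG = r"""Time;URL;Status;Detection;Application;User;IP address;Hash
5/31/2023 4:36:20 PM;https://malshare.com/sampleshare.php?action=getfile&hash=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxx;95.217.89.49;F241EFD2F9F372316FF92D430CAECBEBEED17D46
"""

# Word boundaries keep a 40-hex match from landing inside a 64-hex string.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")


def parse_eset_export(text: str) -> List[Dict[str, str]]:
    """Parse a semicolon-separated ESET log export into one dict per row."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [row for row in reader]


def classify(row: Dict[str, str]) -> str:
    """Rough detection class (my labels). Per the thread's rule of thumb,
    'a variant of ...' usually, not always, marks a heuristic/DNA detection.
    Web access rows carry only a block verdict, not a file detection name."""
    det = row.get("Detection", "")
    if "URL" in row:
        return "url-block:" + det.lower().replace(" ", "-")
    if det.lower().startswith("a variant of"):
        return "heuristic"
    return "named-detection"


def indicators(row: Dict[str, str]) -> Dict[str, List[str]]:
    """Collect every SHA-256/SHA-1 in the row (file name, URL, Hash and
    Information columns) so the analyst can cross-check them elsewhere."""
    blob = " ".join(row.values())
    return {
        "sha256": sorted(set(SHA256_RE.findall(blob))),
        "sha1": sorted(set(SHA1_RE.findall(blob))),
    }
```

The Detections row yields the downloaded file's SHA-256 (from its name) plus two SHA-1s (the file's Hash column and the 7zG.exe parent noted in Information); the Web access row yields the SHA-256 embedded in the Malshare URL and the SHA-1 from its Hash column.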
rotaru (author), posted June 1, 2023:
Quoting itman (3 hours earlier): "Eset won't detect this driver"
Does not seem like ESET "detected" the driver. It is rather an IP block based on a list.
itman, posted June 1, 2023:
Quoting rotaru (12 hours earlier): "Does not seem like ESET "detected" the driver. It is rather an IP block based on a list."
It's not an IP address blacklist detection:
rotaru (author), posted June 1, 2023:
Quoting itman (6 hours earlier): "It's not an IP address blacklist detection:"
That is a "screen capture" from https://95.217.89.49/ with some samples from December 2022; it has nothing to do with whatever was posted before.
itman, posted June 1, 2023 (edited June 1, 2023 by itman):
Quoting rotaru (2 hours earlier): "That is a "screen capture" from https://95.217.89.49/ with some samples from December 2022; it has nothing to do with whatever was posted before."
Err ...... I connected to the Malshare web site using the IP address shown in the Eset log entry I posted. If Eset was blocking by IP address as you claim, the connection would have been blocked prior to the web page rendering.
-EDIT- It appears you're not familiar with Malshare. It's a web site like Malware Bazaar that you can download malware samples from. Unlike Malware Bazaar, which restricts sample downloads to password protected zip files only accessible within its web site, you can directly download malware samples from Malshare as is. That is what I did. Also, this is a more realistic test of your security protection, since you want the malware blocked before it hits your disk. Obviously, there is a risk in directly downloading malware this way.
TTOZ, posted July 1, 2023:
Quoting Marcos (5/29/2023 at 7:31 PM): "Detected for 6 hours already: 1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292 - a variant of MSIL/Kryptik.AIXP trojan. Detection upon execution without Internet connection and modules frozen 17 days ago:"
SO impressive, seriously. Amazing. I think you were the very first; you detected it back in MAY! Wow