ESET and malwarebazaar (abuse.ch)

Hello,

Out of curiosity, is there any relationship between ESET and MalwareBazaar (abuse.ch)?

I am asking because samples just posted on MalwareBazaar are often detected by ESET using an exact signature, which seems strange.

Some other players (Kaspersky), if they detect it, do so by their heuristic capabilities.

Thanks!


  • Administrators

There is no relation between ESET and the said service. Also, the question is what you mean by "exact signature", because ESET makes heavy use of smart DNA/XDNA detections that describe behavior and characteristics, and those are in no way "exact signatures".


Here's a write-up on Eset heuristic scanning: https://support.eset.com/en/kb127-what-are-heuristics

A heuristic detection can usually, but not always, be spotted by the Eset Detection log entry beginning with the wording "a variant of ...".

Edited by itman

9 hours ago, rotaru said:

I am asking because samples just posted on MalwareBazaar are often detected by ESET using an exact signature, which seems strange.

A sample just posted does not imply it's "still in the wild" in the sense of never having been seen before.

I have found samples with zero detections at VT after a refresh. I download the sample and Eset immediately zaps it, as in the example below:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/15/2023 6:34:53 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\c97262c95c1eb9252b1ffa7ff332602f7c70815f4707663f0d82eec3333da8ac.bat;BAT/Agent.PLI trojan;cleaned by deleting;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;CB1EA295D6FC6A2A502C9C35F2FC10861CF87F89;5/15/2023 6:34:39 PM

Edited by itman

12 hours ago, itman said:

I have found samples with zero detections at VT after a refresh. I download the sample and Eset immediately zaps it

The "reverse" is also valid; see here: https://www.virustotal.com/gui/file/1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292/detection/f-1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292-1685350357

Recently posted, detected by 34 antivirus engines but not ESET.


  • Administrators
9 minutes ago, rotaru said:

Detected for 6 hours already:

1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292 - a variant of MSIL/Kryptik.AIXP trojan

Detection upon execution without Internet connection and modules frozen 17 days ago:

image.png

5 hours ago, rotaru said:

Recently posted, detected by 34 antivirus engines but not ESET.

You really can't count on Eset detection on VT for new malware.

The first thing Eset will do for new malware is create a LiveGrid blacklist detection for it while it analyzes the malware further. Those LiveGrid blacklist detections do not show in VT results.

Remember that not all Eset detection and/or protection mechanisms are present in the copy deployed at VT.


As far as Eset totally missing detections of Malware Bazaar samples goes, I have had some, but they are "few and far between" instances. The most recent missed detection was a malware loader which, when auto-submitted to LiveGuard, came back with a clean status. Finally, I do not attempt to run these missed detections. As such, it is possible Eset would have detected them post-execution at some point.

Edited by itman

Quite a few are fixated on VirusTotal as the "Holy Grail" reference when it comes to security software detection capability. It is very far from that status, as noted in this article: https://www.virusbulletin.com/virusbulletin/2018/01/vb2017-paper-virustotal-tips-tricks-and-myths/

Of note (quoted from the article):

MYTH 2: DETECTION OF MALWARE ON VIRUSTOTAL MEANS THE SCANNER HAS DETECTION OF THE MALWARE

VirusTotal displays what a product says it detected. This does not mean that the scanner would detect that threat if it was on your computer. As VirusTotal explained, the vendors are free to configure their products as they wish to. It is not as simple as trying to configure your product the same way. A vendor can use undocumented switches to obtain heuristic detections that the user cannot. Although VirusTotal explains that heuristics may be different between perimeter solutions and desktop solutions, a command-line scanner can behave differently from either a desktop or perimeter solution. Vendors can configure cloud detections in a manner that only detects scans from VirusTotal (or a test lab).

In some cases a sample is detected by its wrapper alone. The actual threat inside the wrapper may not be detected. If the malware is present outside of its wrapper, then it may not be detected.

Edited by itman

  • Solution
3 hours ago, itman said:

Quite a few are fixated on VirusTotal as the "Holy Grail" reference

So, let's review what options are open to a regular user in choosing the right product:

  1. AV Comparatives and AT tests are not relevant; they do not reproduce "real life" situations
  2. VirusTotal as the "Holy Grail" reference when it comes to security software detection capability is a no-go
  3. YouTube enthusiasts who are testing do not know what they are doing
  4. Doing various tests yourself is not "condoned" by the antivirus providers

So, what is left then? The eternal question is "Did you have any issue using my product?", with the answer, in 99% of the situations, "No, I did not have any issues".

And I never had, regardless of paid or free antiviruses.

So, how do we choose then????


The overall quality of MB samples is not so high. There are many clean samples on it. Occasionally there are some interesting and noteworthy samples on MB shared by some famous threat hunters and I hope ESET analysts can monitor those samples.


5 hours ago, AnthonyQ said:

There are many clean samples on it

Personally, I couldn't find any. I test every 2-3 days whatever is posted, in a VM with ESET, Kaspersky, Avira.


18 hours ago, rotaru said:

AV Comparatives and AT tests are not relevant; they do not reproduce "real life" situations

Actually, the AV lab real-time periodic tests do reproduce actual malware delivery, in that their samples are delivered to the testing environment by accessing the URLs where the malware is being hosted.

The problem with some AV labs is that their testing environment is a VM. Malware is increasingly being made VM-aware and won't execute, or won't execute properly, in a VM. Ditto for ad hoc testers who do the same.


Here's a "hot off the press" example of malware using a legit Zemana kernel-mode driver to disable security software: https://www.bleepingcomputer.com/news/security/terminator-antivirus-killer-is-a-vulnerable-windows-driver-in-disguise/

Methinks surely Eset won't detect this driver since it's legit. Well, not the case when I tried to download the driver:

Time;URL;Status;Detection;Application;User;IP address;Hash
5/31/2023 4:36:20 PM;https://malshare.com/sampleshare.php?action=getfile&hash=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxx;95.217.89.49;F241EFD2F9F372316FF92D430CAECBEBEED17D46

Note that on VT the driver is only being detected by one vendor. Bottom line: take VT detections as, at best, a rough approximation of whether the malware will be detected by Eset.

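As an added example (not code from this thread, from ESET or from any of the posters), here is a small Python parser for the two semicolon-separated ESET log exports quoted above, the detection log and the URL-block log, which buckets each entry using the "a variant of" naming convention mentioned earlier in the thread. The sample rows are constructed to mirror the posted entries, with usernames replaced by a placeholder and the second file hash a dummy value.

```python
from __future__ import annotations
import csv
import io

# Constructed sample rows in the layout of the two ESET exports quoted in
# this thread (usernames replaced by a placeholder; the second hash is a dummy).
DETECTION_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/15/2023 6:34:53 PM;Real-time file system protection;file;C:\Users\user\Downloads\sample.bat;BAT/Agent.PLI trojan;cleaned by deleting;user;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;CB1EA295D6FC6A2A502C9C35F2FC10861CF87F89;5/15/2023 6:34:39 PM
5/29/2023 1:10:02 PM;Real-time file system protection;file;C:\Users\user\Downloads\sample.exe;a variant of MSIL/Kryptik.AIXP trojan;cleaned by deleting;user;;0000000000000000000000000000000000000000;5/29/2023 1:09:58 PM
"""
URL_LOG = r"""Time;URL;Status;Detection;Application;User;IP address;Hash
5/31/2023 4:36:20 PM;https://malshare.com/sampleshare.php?action=getfile&hash=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;user;95.217.89.49;F241EFD2F9F372316FF92D430CAECBEBEED17D46
"""

def parse_eset_export(text: str) -> list[dict[str, str]]:
    """Parse an ESET log export: a header row, then fields separated by ';'."""
    rows = list(csv.DictReader(io.StringIO(text.strip()), delimiter=";"))
    # Reject rows whose field count differs from the header (csv marks those with None).
    for row in rows:
        if None in row or any(v is None for v in row.values()):
            raise ValueError(f"malformed row: {row}")
    return rows

def classify(row: dict[str, str]) -> str:
    """Bucket an entry by the detection-name convention discussed in the thread."""
    name = row.get("Detection", "").strip().lower()
    if name.startswith("a variant of "):
        return "heuristic"   # DNA/heuristic family detection
    if name.startswith("internal blacklist"):
        return "blacklist"   # URL/cloud reputation block, not a file signature
    return "named"           # specific named detection

def sha1_of(row: dict[str, str]) -> str:
    """Return the entry's SHA-1 (the 'Hash' column), validated and upper-cased."""
    h = row.get("Hash", "").strip().upper()
    if len(h) != 40 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError(f"not a SHA-1 hash: {h!r}")
    return h

def summarize(text: str) -> dict[str, int]:
    """Count entries per class for one export."""
    counts = {"heuristic": 0, "named": 0, "blacklist": 0}
    for row in parse_eset_export(text):
        counts[classify(row)] += 1
    return counts

if __name__ == "__main__":
    for row in parse_eset_export(DETECTION_LOG) + parse_eset_export(URL_LOG):
        print(classify(row), sha1_of(row), row.get("Object") or row.get("URL"))
```

The same functions work on a real export (Tools > Log files > Export in the ESET GUI produces this layout), so the counts give a quick view of how many hits were heuristic versus named versus reputation blocks.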
3 hours ago, itman said:

Eset won't detect this driver

Does not seem like ESET "detected" the driver. It is rather an IP block based on a list.


12 hours ago, rotaru said:

Does not seem like ESET "detected" the driver. It is rather an IP block based on a list.

It's not an IP address blacklist detection:

[screenshot: Eset_Malshare.png]

6 hours ago, itman said:

It's not an IP address blacklist detection:

That is a "screen capture" from https://95.217.89.49/ with some samples from December 2022; it has nothing to do with whatever was posted before.


2 hours ago, rotaru said:

That is a "screen capture" from https://95.217.89.49/ with some samples from December 2022; it has nothing to do with whatever was posted before.

Err... I connected to the Malshare web site using the IP address shown in the Eset log entry I posted. If Eset was blocking by IP address as you claim, the connection would have been blocked prior to the web page rendering.

-EDIT- It appears you're not familiar with Malshare. It's a web site like Malware Bazaar from which you can download malware samples. Unlike Malware Bazaar, which restricts sample downloads to password-protected zip files only accessible within its web site, you can directly download malware samples from Malshare as-is. That is what I did. Also, this is a more realistic test of your security protection, since you want the malware blocked before it hits your disk. Obviously, there is a risk in directly downloading malware this way.

Edited by itman

5 weeks later...
On 5/29/2023 at 7:31 PM, Marcos said:

Detected for 6 hours already:

1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292 - a variant of MSIL/Kryptik.AIXP trojan

Detection upon execution without Internet connection and modules frozen 17 days ago:

image.png

SO impressive, seriously. Amazing. I think you were the very first, you detected it back in MAY! Wow
