Win32/Battdil.J inconsistent detection


Hi,

 

We have 75+ PCs running ESET Endpoint, administered through ERA server. All clients are up to date on definitions.

 

In the past few days, one of our staff downloaded *something* and infected their computer with Battdil.J. ESET did not pick up the virus when it was downloaded or executed. It simply started to appear in the threat log in Operating Memory >> svchost.exe. ESET also failed to stop any of the several hundred emails sent from that staff member to our entire organisation shortly afterwards. The emails had the subject line "Invoice - xxxx" and a .zip attachment containing an .scr. Several employees opened and executed the attachment.

 

The threat log in ERA shows that ESET stopped and cleaned the virus when it was executed on some clients, but not all. Furthermore, the virus was still able to send several hundred emails from the client either before or after ESET claimed it to be clean.

 

So my questions are:

 

1. Why does ESET not pick the virus up when it is downloaded?

2. Why does ESET only pick the virus up when it is executed on a small number of clients?

3. Why does ESET not pick the virus up when it is emailed in OR out?

4. Why does ESET claim to have cleaned the infection, while the virus continues to send out infected emails?

Any help is very much appreciated - we are absolutely crippled with this.

 

Thanks in advance,

 

Cyrus

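The lure described in this post is a .zip attachment carrying an .scr under an "Invoice" subject. A mail gateway or mailbox rule can flag that shape before any signature exists. The following is an added example for this thread, not ESET code and not anything the poster ran: it opens an attachment in memory, descends into nested zips, reports members with executable extensions (the .scr case here), and also reports encrypted members, since a password-protected archive hides its payload from scanners. The extension list, the subject pattern, and the sample archives are constructed for the example.

```python
import io
import re
import zipfile

# Extensions Windows launches directly on double-click (constructed list, not exhaustive)
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_NESTING = 3  # stop descending into zip-in-zip after this depth
SUBJECT_PATTERN = re.compile(r"^\s*invoice\b", re.IGNORECASE)  # the lure subject seen in the thread


def extension_of(member_name):
    """Lower-case final extension of a file name, e.g. 'Invoice.pdf.scr' -> '.scr'."""
    base = member_name.rsplit("/", 1)[-1].lower()
    dot = base.rfind(".")
    return base[dot:] if dot >= 0 else ""


def find_executables_in_zip(data, depth=0, prefix=""):
    """Return findings for executable members, descending into nested zips.

    Encrypted members are reported as well: a password-protected zip is a common
    way of keeping a gateway scanner from seeing the payload.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<not a valid zip>"]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            full_name = prefix + info.filename
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags marks an encrypted member
                findings.append(full_name + " <encrypted member>")
                continue
            ext = extension_of(info.filename)
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(full_name)
            elif ext in ARCHIVE_EXTENSIONS and depth < MAX_NESTING:
                findings.extend(find_executables_in_zip(archive.read(info), depth + 1, full_name + "/"))
    return findings


def assess_attachment(subject, attachment_name, attachment_bytes):
    """Combine the subject lure and the archive contents into one verdict.

    The subject alone never quarantines (real invoices exist); an executable or
    encrypted member inside the archive does.
    """
    reasons = []
    if SUBJECT_PATTERN.search(subject):
        reasons.append("subject matches invoice lure")
    ext = extension_of(attachment_name)
    if ext in ARCHIVE_EXTENSIONS:
        for finding in find_executables_in_zip(attachment_bytes):
            reasons.append("archive contains " + finding)
    elif ext in EXECUTABLE_EXTENSIONS:
        reasons.append("attachment itself is executable")
    hard_hits = [r for r in reasons if not r.startswith("subject")]
    return {"quarantine": bool(hard_hits), "reasons": reasons}


def build_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the lure shape from the thread, a zip-in-zip, and a benign PDF
LURE_ZIP = build_zip({"Invoice - 4821.pdf.scr": b"MZ not a real program"})
NESTED_ZIP = build_zip({"docs.zip": build_zip({"invoice.scr": b"MZ"})})
BENIGN_ZIP = build_zip({"Invoice - 4821.pdf": b"%PDF-1.4 constructed"})

if __name__ == "__main__":
    for name, data in [("invoice.zip", LURE_ZIP), ("docs.zip", NESTED_ZIP), ("invoice.zip", BENIGN_ZIP)]:
        print(name, assess_attachment("Invoice - 4821", name, data))
```

The check looks at the final extension only, so a double extension such as `Invoice.pdf.scr` is still caught; the nesting limit keeps a deliberately deep archive from tying up the gateway.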

Just had the same thing happen this morning. ESET did not catch the zip attachment in the email that led to the infection and mass sending from the infected user's email. We have Endpoint AV and Mail Security for Exchange. All up to date...


Hello,

 

The first thing that comes to mind is the ERA policy deployed and the settings that differ from client to server. A question would be: are you running ESET Mail Security, or relying on File Security and Endpoints only?

Are you using Endpoint Antivirus or Endpoint Security on your clients, or a combination of both? This separates disk-level detections from network-level detections.

We are going to need to pore through logs to get at some of the questions being asked.

I recommend contacting ESET directly, opening a ticket so we can track, and do all this in a more organized and professional format, like we do in the field or as sys admins.

 

Try this link: https://www.eset.com/us/support/contact/

Or

hxxp://www.eset.com/us/about/contact/

 

The severity seems a little too high for a few forum posts, and requires a more detailed analysis. :)

I hope we can help.

Edited by Arakasi

Administrators

1. Why does ESET not pick the virus up when it is downloaded?

2. Why does ESET only pick the virus up when it is executed on a small number of clients?

3. Why does ESET not pick the virus up when it is emailed in OR out?

4. Why does ESET claim to have cleaned the infection, while the virus continues to send out infected emails?

 

First of all, there's nothing like 100% protection against all threats. Although ESET is very effective at detecting new-born malware, if malware authors aim at popular vendors, modify malware until it becomes undetected by them and release it just then, there's not much vendors can do except:

a, Cloud blocking. ESET Live Grid has been part of ESET's products since v5 (home version) and ESET Endpoint v5 products. Utilizing data from the cloud, ESET Live Grid provides a rapid response to new-born threats and can block them within minutes instead of waiting hours for a signature database update with a malware signature added. Unfortunately, there are still plenty of users who keep Live Grid disabled. To test cloud blocking, download the CloudCar test file from hxxp://www.amtso.org/check-desktop-cloud-lookups, first with web protection enabled and then with web protection temporarily disabled. In the former case, the file should be detected and blocked as suspicious. To test email protection, attach CloudCar to an email and send it to yourself. Now it should be detected by email protection.

b, Utilize HIPS to monitor applications that are executed and to block actions that may be dangerous. Since v7, ESET uses HIPS coupled with Advanced memory scanner to monitor executed applications. It's turned out to be very effective against new malware, however, due to a potential effect on performance it hasn't been implemented in Endpoint products until v6 which is to be released next year.

2, Most likely those clients had the signature db already updated to the version that had the detection for the malware added if we rule out the possibility that the infected clients were misconfigured.

3, Already explained in point 1.

4, Maybe the malware was injected into an already running process. In such a case, a computer restart may be needed to complete cleaning.

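The answer above explains the inconsistent results by three per-client factors: whether the client already had the signature database version that carried the detection, whether Live Grid was enabled, and whether the detection happened at the file or mail layer or only later in Operating memory (in which case the payload already ran and a restart is needed). When 75 clients are involved, sorting them by those factors is the first triage step. The following is an added example for this thread, not ESET's or ERA's own tooling or export format: it takes constructed rows shaped like a client-status export and a threat-log export, and classifies each host. The host names, version numbers and the `REQUIRED_DB_VERSION` threshold are all constructed placeholders.

```python
from collections import defaultdict

MEMORY_SCANNER = "Operating memory"  # the scanner name quoted in the original post

# Constructed sample rows in the shape of a client-status export (not ESET's real format):
# hostname, signature database version, Live Grid enabled
CLIENT_STATUS = [
    ("PC-01", 10612, True),
    ("PC-02", 10612, True),
    ("PC-03", 10598, False),
    ("PC-04", 10612, False),
]

# Constructed sample threat-log rows: hostname, scanner, object, action
THREAT_EVENTS = [
    ("PC-01", "Real-time file system protection", r"C:\Users\a\Downloads\invoice.zip\Invoice.scr", "cleaned by deleting"),
    ("PC-02", MEMORY_SCANNER, "svchost.exe", "unable to clean"),
    ("PC-03", MEMORY_SCANNER, "svchost.exe", "cleaned"),
]

# Constructed placeholder: the first database version that contained the detection
REQUIRED_DB_VERSION = 10600


def triage_clients(client_status, threat_events, required_db_version):
    """Classify every client by how (or whether) the threat was detected and what to do next.

    Verdicts:
      blocked_by_file_or_mail_scanner - detected before or at execution by a non-memory scanner
      detected_in_memory_only         - only seen once injected into a running process;
                                        the payload ran, so restart and rescan (point 4 above)
      no_detection                    - nothing logged; the host must be checked by hand
    Flags mark the per-client factors from points 1 and 2: outdated database, Live Grid off.
    """
    events_by_host = defaultdict(list)
    for host, scanner, obj, action in threat_events:
        events_by_host[host].append((scanner, obj, action))

    report = {}
    for host, db_version, livegrid_enabled in client_status:
        events = events_by_host.get(host, [])
        scanners = {scanner for scanner, _, _ in events}
        if not events:
            verdict = "no_detection"
        elif scanners - {MEMORY_SCANNER}:
            verdict = "blocked_by_file_or_mail_scanner"
        else:
            verdict = "detected_in_memory_only"

        flags = []
        if db_version < required_db_version:
            flags.append("outdated_db")
        if not livegrid_enabled:
            flags.append("livegrid_disabled")
        if verdict == "detected_in_memory_only":
            flags.append("restart_and_rescan")
        report[host] = {"verdict": verdict, "flags": flags, "db_version": db_version}
    return report


def count_verdicts(report):
    """Roll the per-host report up into verdict counts for a quick status line."""
    counts = defaultdict(int)
    for entry in report.values():
        counts[entry["verdict"]] += 1
    return dict(counts)


if __name__ == "__main__":
    report = triage_clients(CLIENT_STATUS, THREAT_EVENTS, REQUIRED_DB_VERSION)
    for host in sorted(report):
        print(host, report[host])
    print(count_verdicts(report))
```

Hosts with no event at all are the ones to look at first: with this shape of data, "no detection" cannot be told apart from "never received the attachment" without a manual check, and the thread's own observation that mail kept flowing after cleaning is the reason the memory-only group is told to restart and rescan rather than be marked clean.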
