IvanL_5306, posted October 17:

https://www.virustotal.com/gui/file/e1fb148206beb7168a5f92581a51ea32a03d841abf00aff221f35ed03197a59d

This sample is whitelisted by LiveGrid. Submitted 3 days ago and not processed. Besides, a bunch of fake installers that deliver Farfli malware are also not processed.
Peter Randziak (ESET Moderators), posted October 18:

Hello @IvanL_5306, not sure what you mean by

    17 hours ago, IvanL_5306 said: This sample is whitelisted by LiveGrid.

however it is now subject to detection by ESET, which can be checked on VT.

Peter
IvanL_5306 (author), posted October 18 (edited October 18 by IvanL_5306):

    1 hour ago, Peter Randziak said: Hello @IvanL_5306, not sure what you mean by [quoted post] however it is now subject to detection by ESET, which can be checked on VT. Peter

Just received a reply from the ESET Malware Response Team after my post. I wonder if a sample that has a "fine" reputation is considered "whitelisted"? I'm not sure what you mean by "whitelisted" from your side (ESET).

[image: auto reply]
AnthonyQ, posted October 18:

    6 hours ago, Peter Randziak said: Hello @IvanL_5306, not sure what you mean by
        On 10/17/2023 at 8:10 PM, IvanL_5306 said: This sample is whitelisted by LiveGrid.

Look at the first pic the OP shared. Before the detection was created, this malware sample had been whitelisted (indicated by the green color) in the LiveGrid.
itman, posted October 18 (edited October 18 by itman):

    33 minutes ago, AnthonyQ said: Look at the first pic the OP shared. Before the detection was created, this malware sample had been whitelisted (indicated by the green color) in the LiveGrid.

All that the LiveGrid Reputation status display indicates is how many Eset installations the .exe has been installed on. Reputation status has nothing to do with whether the process has been white/blacklisted or the like. As such, I have always viewed the LiveGrid Reputation display status as a useless feature.
AnthonyQ, posted October 18:

    6 minutes ago, itman said: All that the LiveGrid Reputation status display indicates is how many Eset installations the .exe has been installed on. Reputation status has nothing to do with whether the process has been white/blacklisted or the like. As such, I have always viewed the LiveGrid Reputation display status as a useless feature.

It is not true. There are two columns on the LiveGrid reputation page: one column is for "Reputation," and the other is for "Number of Users." I believe you are referring to the second column. (https://help.eset.com/eis/16.2/en-US/idh_page_cloud.html)
itman, posted October 18 (edited October 18 by itman):

    56 minutes ago, AnthonyQ said: It is not true.

Quoting the ESET help page:

    Reputation—In most cases, ESET Internet Security and ESET LiveGrid® technology assign risk levels to objects (files, processes, registry keys, etc.) by using a series of heuristic rules that examine the characteristics of each object and then weigh their potential for malicious activity. Based on these heuristics, objects are assigned a risk level from 1 – Fine (green) to 9 – Risky (red).

The ranking color is based on the prior Eset "first sight" status of the .exe. For example, after a Win OS cumulative update resulting in many OS files being changed, LiveGrid will show many of these files with a yellow color, i.e. low reputation. You will observe that as time elapses, the color of these files will change to green. Likewise, a red color would be indicative of an unknown process, i.e. never seen by Eset previously.

I will also add that the above Reputation description is deceptive in that it means a cumulative ranking of the number of times the process has been scanned on devices with Eset installed. Again, LiveGrid does not perform any cloud malware scanning other than for blacklist status.
Peter Randziak (ESET Moderators), posted October 18:

Hello guys,

O.K., I understand what we are talking about now. The file has been signed by a recognized certificate, so it had a higher reputation. The signing certificate had been revoked, so it had been removed from the list of recognized signing certificates. Our teams are looking into it and checking the underlying processes to speed up recognition of such cases in the future.

@IvanL_5306 thank you for pointing this out, really helpful for us.

Peter
itman, posted October 18 (edited October 18 by itman):

Following up on @Peter Randziak's above posting, VT analysis shows the .exe was signed using a stolen Micro-Star root certificate that had been subsequently revoked. Presumably the Digicert cert. assigned to the .exe was an EV one. It appears Eset Reputation scanning, like Win SmartScreen, will auto trust an executable signed with an EV cert. However, SmartScreen does validate the cert. chain path. SmartScreen will also block the process from executing in the instance of cert. chain validation failure. I have not seen Eset Reputation scanning having like capability. Finally, with Eset HTTP/HTTPS scanning enabled, Eset fails the EV cert. validation test at badssl.com:

The Eset Reputation issue aside, it does not explain why Eset could not detect this malware when 40+ vendors at VT did. It appears most of the detections at VT were behavior based. One malicious behavior observed was an AMSI bypass deployed by this malware.

It has been repeatedly stated in the forum that a process's signing status does not factor into Eset's scanning "at-first-sight" upon creation/startup/etc. It would be "revealing" if this is not done for EV signed processes.
AnthonyQ, posted October 18:

    8 hours ago, itman said: Again, LiveGrid does not perform any cloud malware scanning other than for blacklist status.

User numbers may influence reputation, but the primary factor is heuristic malware scanning conducted by LiveGrid. As Peter noted, items with a green bar in the Reputation field are whitelisted. I've previously submitted false positives to ESET, which now show a green reputation.

    Reputation—In most cases, ESET Internet Security and ESET LiveGrid® technology assign risk levels to objects (files, processes, registry keys, etc.) by using a series of heuristic rules that examine the characteristics of each object and then weigh their potential for malicious activity. Based on these heuristics, objects are assigned a risk level from 1 – Fine (green) to 9 – Risky (red).

(https://help.eset.com/eis/16.2/en-US/idh_page_cloud.html)
itman, posted October 19 (edited October 19 by itman):

It appears "the message is not getting across." Again, LiveGrid Reputation status has nothing to do with the Eset whitelist status of the process. With a few exceptions I will get to later, LiveGrid reputation is based on the number of Eset users of the process.

I will use an HP monitor driver installer as an example. Most people never install a driver for their monitor, using the Win default driver instead. Also, this installer is specific to one HP monitor model. I have used this installer previously and it's been sitting in my Downloads folder for a few years. Finally, this installer is validly code signed by HP. Let's see what LiveGrid's Reputation ranking is for this installer:

Now for those LiveGrid process Reputation usage exceptions. One is that anything Microsoft code signed has high reputation status. Also, as this malware example shows, anything code signed with an EV cert. is given high reputation status. This assignment parallels that done by Win SmartScreen processing.

What Eset uses process whitelisting for is given below:

    ESET LiveGrid®
    Additionally, it implements a reputation system that helps to improve the overall efficiency of our anti-malware solutions. A user can check the reputation of running processes and files directly from the program's interface or contextual menu with additional information available from ESET LiveGrid®. When an executable file or archive is being inspected on a user's system, its hashtag is first compared against a database of white- and blacklisted items. If it is found on the whitelist, the inspected file is considered clean and flagged to be excluded from future scans. If it is on the blacklist, appropriate actions are taken based on the nature of the threat. If no match is found, the file is scanned thoroughly. Based on the results of this scan, files are categorized as threats or non-threats. This approach has a significant positive impact on scanning performance. This reputation system enables effective detection of malware samples even before their signatures are delivered to the user's computer via an updated virus database (which happens several times a day).

https://help.eset.com/glossary/en-US/technology_livegrid.html
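Two points in this thread call for the same worked check: the ESET glossary flow quoted above (hash compared against white/black lists first, full inspection otherwise) and itman's earlier observation that a signature only deserves trust if the certificate chain, including revocation, still validates, since the sample here was signed with a certificate that was later revoked. The PowerShell below is an added example written for this thread; it is not ESET's code and not from any poster. It assumes nothing about LiveGrid internals: the allow/deny tables are constructed placeholders (the deny entry is the SHA-256 from the VirusTotal link in the first post), the code-signing EKU OID 1.3.6.1.5.5.7.3.3 and the CA/Browser Forum EV code-signing policy OID 2.23.140.1.3 are standard values but the EV test is an assumption about how the certificate advertises EV status, and `Invoke-FileTriage` and the helper names are hypothetical.

```powershell
# Added example, not ESET's code and not from any poster in this thread.
# Flow: hash lookup against allow/deny lists, then Authenticode signature,
# then chain validation with online revocation checking. A file whose
# signature is intact but whose certificate was revoked lands in
# 'signed-but-untrusted' rather than inheriting reputation from the signature.

# Constructed placeholder lists keyed by lowercase SHA-256 hex. The deny-list
# entry is the sample hash from the VirusTotal link in the first post; the
# allow-list entry is a made-up placeholder, not a real file hash.
$AllowList = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'placeholder: internally built tool'
}
$DenyList = @{
    'e1fb148206beb7168a5f92581a51ea32a03d841abf00aff221f35ed03197a59d' = 'sample discussed in this thread'
}

function Get-ChainRevocationStatus {
    # Build the signer's chain with online revocation checking for every
    # certificate in it, restricted to the code-signing EKU (1.3.6.1.5.5.7.3.3).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))
    $ok = $chain.Build($Cert)
    $problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $("$($_.StatusInformation)".Trim())" })
    $chain.Reset()
    [pscustomobject]@{ Valid = $ok; Problems = $problems }
}

function Test-EvCodeSigningCert {
    # Assumption: EV code-signing certificates carry the CA/Browser Forum policy
    # OID 2.23.140.1.3 in their Certificate Policies extension (2.5.29.32).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $policies = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $policies) { return $false }
    return [bool]($policies.Format($true) -match '2\.23\.140\.1\.3')
}

function Invoke-FileTriage {
    # Hypothetical helper name; returns one object per file with a verdict.
    param([Parameter(Mandatory)][string]$Path)
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $result = [ordered]@{ Path = $Path; Sha256 = $sha256; Verdict = ''; Signer = ''; EV = $false; Detail = '' }

    # Step 1: hash reputation. A deny-list hit is final; an allow-list hit is
    # only as good as the list, so it is reported explicitly rather than hidden.
    if ($DenyList.ContainsKey($sha256)) {
        $result.Verdict = 'deny-list'; $result.Detail = $DenyList[$sha256]
        return [pscustomobject]$result
    }
    if ($AllowList.ContainsKey($sha256)) {
        $result.Verdict = 'allow-list'; $result.Detail = $AllowList[$sha256]
        return [pscustomobject]$result
    }

    # Step 2: Authenticode signature. No signer certificate means unsigned.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        $result.Verdict = 'unsigned'; $result.Detail = $sig.StatusMessage
        return [pscustomobject]$result
    }
    $result.Signer = $sig.SignerCertificate.Subject
    $result.EV = Test-EvCodeSigningCert -Cert $sig.SignerCertificate

    # Step 3: chain validation with revocation. A cryptographically intact
    # signature whose certificate has since been revoked fails here and must
    # not earn the file any reputation, EV or not.
    $chain = Get-ChainRevocationStatus -Cert $sig.SignerCertificate
    if ($sig.Status -ne 'Valid' -or -not $chain.Valid) {
        $result.Verdict = 'signed-but-untrusted'
        $result.Detail = (@("signature status: $($sig.Status)") + $chain.Problems) -join '; '
    } else {
        $result.Verdict = 'signed-chain-ok'
        $result.Detail = 'signature and chain valid; still scan fully, signing alone is not a clean verdict'
    }
    [pscustomobject]$result
}

# Usage (path is a placeholder):
# Invoke-FileTriage -Path 'C:\Users\you\Downloads\installer.exe' | Format-List
```

The design choice worth noting is that the signature result and the chain result are kept separate: `Get-AuthenticodeSignature` reports on the signature as Windows sees it, while the explicit `X509Chain` build forces online revocation checking of the whole chain and surfaces each `ChainStatus` reason in `Detail`, so a revoked-but-still-well-formed signature is visible as such instead of being folded into a single pass/fail.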
AnthonyQ, posted October 19 (edited October 19 by AnthonyQ):

    4 hours ago, itman said: It appears "the message is not getting across." Again, LiveGrid Reputation status has nothing to do with the Eset whitelist status of the process. With a few exceptions I will get to later, LiveGrid reputation is based on the number of Eset users of the process. [...] What Eset uses process whitelisting for is given below: https://help.eset.com/glossary/en-US/technology_livegrid.html

Files with a green reputation are considered clean, which can be regarded as whitelisted.

    LiveGrid reputation is based on the number of Eset users of the process.

It's wrong. The number of users is merely one factor, or maybe not even a factor, when calculating the reputation score. The primary factor, as stated on the ESET website, is heuristic rules in the cloud.