
Same file: File scanner ► clean, reputation scanner ► quarantine


Go to solution Solved by Marcos,


I have an installation file of a program (hardcopy) that Eset considers clean during the scan (via the context menu). Virustotal also (except for 1 detection out of 67, by VBA32). If I then check the reputation via the context menu, it immediately moves it to quarantine as a suspicious object. It can be reproduced again and again:
Restore from quarantine ► scan via the context menu ► clean || check reputation ► quarantine.

I always download the latest version of Hardcopy automatically via the Ketarin update tool. The file ends up in the download folder without any problems. However, if I download it using a browser, Eset immediately moves it to quarantine. I haven't even activated the additional Eset browser protection. So obviously a reputation check is always carried out when downloading with the browser. The fact that the swsetup.in_ could not be unpacked during the scan cannot be the problem, because this is also the case with older versions of this software and, after all, the file scanner did not report anything, only the reputation scanner.

https://www.virustotal.com/gui/file/339e6bbc9fc221f9955769eb3b332d2eac479d41409c0a61672866f106d2adac?nocache=1
Website in English: https://gen.hardcopy.de
File: h**ps://www.hardcopy.de/hc.exe

 


Thank you very much, Marco!

But I still have a few questions:
1) Are unknown files automatically blacklisted?
2) Does real-time protection (and therefore the blacklist) only work for downloads via a browser? Ketarin was able to download the file undisturbed. If it had actually contained malicious code, that would have been a security risk.

If I hadn't checked the reputation (which I don't normally do), I could have simply installed it from my Ketarin download folder, because the file scanner had nothing to complain about. I use Ketarin for several programs to download their updates automatically, but install them manually.

Edited by 100

  • Administrators
  • Solution
7 hours ago, 100 said:

1) Are unknown files automatically blacklisted?

No, only files that were processed and evaluated as malicious or highly suspicious are blacklisted.

 

7 hours ago, 100 said:

2) Does real-time protection (and therefore the blacklist) only work for downloads via a browser? Ketarin was able to download the file undisturbed. If it had actually contained malicious code, that would have been a security risk.

I assume it's because SSL/TLS scanning is performed for browser processes by default. For other applications you would need to create an application scan rule in the SSL/TLS setup and set the action to "scan".


Ah, I see. I have now added the SSL/TLS check for Ketarin.
Thanks, Marco!

