100 2 Posted January 15 Share Posted January 15 I have an installation file of a program (hardcopy) that Eset considers clean during the scan (via the context menu). Virustotal also (except for 1 detection out of 67, by VBA32). If I then check the reputation via the context menu, it immediately moves it to quarantine as a suspicious object. It can be reproduced again and again: Restore from quarantine ► scan via the context menu ► clean || check reputation ► quarantine. I always download the latest version of Hardcopy automatically via the Ketarin update tool. The file ends up in the download folder without any problems. However, if I download it using a browser, Eset immediately moves it to quarantine. I haven't even activated the additional Eset browser protection. So obviously a reputation check is always carried out when downloading with the browser. The fact that the swsetup.in_ could not be unpacked during the scan cannot be the problem, because this is also the case with older versions of this software and, after all, the file scanner did not report anything, only the reputation scanner. https://www.virustotal.com/gui/file/339e6bbc9fc221f9955769eb3b332d2eac479d41409c0a61672866f106d2adac?nocache=1 Website in English: https://gen.hardcopy.de File: h**ps://www.hardcopy.de/hc.exe Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted January 16 Administrators Share Posted January 16 The file has been removed from the blacklist and should not be detected when scanned. 100 1 Link to comment Share on other sites More sharing options...
100 2 Posted January 17 Author Share Posted January 17 (edited) Thank you very much, Marco! But I still have a few questions: 1) Are unknown files automatically blacklisted? 2) Does real-time protection (and therefore the blacklist) only work for downloads via a browser? Ketarin was able to download the file undisturbed. If it had actually contained malicious code, that would have been a security risk. If I hadn't checked the reputation (which I don't normally do), I could have simply installed it from my Ketarin download folder, because the file scanner had nothing to complain about. I use Ketarin for several programs to download their updates automatically, but install them manually. Edited January 17 by 100 Link to comment Share on other sites More sharing options...
Administrators Solution Marcos 5,074 Posted January 17 Administrators Solution Share Posted January 17 7 hours ago, 100 said: 1) Are unknown files automatically blacklisted? No, only files that were processed and evaluated as malicious or highly suspicious are blacklisted. 7 hours ago, 100 said: 2) Does real-time protection (and therefore the blacklist) only work for downloads via a browser? Ketarin was able to download the file undisturbed. If it had actually contained malicious code, that would have been a security risk. I assume it's because SSL/TLS scanning is performed for browser processes by default. For other applications you would need to create an application scan rule in the SSL/TLS setup and set the action to "scan". 100 1 Link to comment Share on other sites More sharing options...
100 2 Posted January 17 Author Share Posted January 17 Ah, I see. I have now added the SSL/TLS check for Ketarin. Thanks, Marco! Link to comment Share on other sites More sharing options...
Recommended Posts