Samples to ESET Research Lab

[foxtigerjungle 1]

Hello,

Last year I sent two files to the lab. They were driver files from Asus.
Now I'm testing the new ESET and the files are being recognized again.
How quickly does ESET check such messages and adjust the signatures?

Greetings

[itman 1,746]

What are the driver files and their hash values? They might be vulnerable drivers.

[foxtigerjungle 1]

It was that File: AsIO.sys

After sending the files to the lab, I cleaned the quarantine. 🙄

[Marcos 5,243]

Those are very likely vulnerable drivers that are subject to potentially unsafe application detection

[foxtigerjungle 1]

So the detection is correct?
Other AVs had not reported it.

[Marcos 5,243]

It's very unlikely to be a false positive. In case you get the file detected again, provide its hash for verification.

[foxtigerjungle 1]

You mean the hash in the quarantine?

What does the hash say?

[Marcos 5,243]

The hash is logged in the Detections log and can be also determined from the name of the quarantined file on the disk.

[foxtigerjungle 1]

I didn't know it was also saved in the logs.

Here is the hash:

92F251358B3FE86FD5E7AA9B17330AFA0D64A705

160A237295A9E5CBB64CA686A84E47553A14F71D

8B86C99328E4EB542663164685C6926E7E54AC20

[Marcos 5,243]

All are listed as vulnerable, e.g. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml.

[foxtigerjungle 1]

So is it better to block them or put them in quarantine?

If a file is in quarantine and I send it to the lab, will it be automatically removed from quarantine if ESET marks it as a false detection?

[Marcos 5,243]

If you need a driver which contains a known vulnerability, it is detected and there is no newer version of it that would have the vulnerability fixed, you can create a detection exclusion with the path to the driver. This way if an adversary or malware dropped the same vulnerable driver for exploitation, it would be still detected by ESET.

3 minutes ago, foxtigerjungle said:

If a file is in quarantine and I send it to the lab, will it be automatically removed from quarantine if ESET marks it as a false detection?

No, the file would remain in quarantine. However, in this case these drivers are correctly detected because of the vulnerabilities they contain.

[foxtigerjungle 1]

2 minutes ago, Marcos said:

No, the file would remain in quarantine. However, in this case these drivers are correctly detected because of the vulnerabilities they contain.

If ESET has updated the signatures, is it possible to rescan the files in quarantine?

[Marcos 5,243]

6 minutes ago, foxtigerjungle said:

If ESET has updated the signatures, is it possible to rescan the files in quarantine?

No, you would need to restore a file and re-scan it. In this case it would not be detected by the on-demand scanner anyway as the file is supposed to be detected only under specific circumstances.

[foxtigerjungle 1]

Thank you Marcos

[hellosky11 1]

1 hour ago, Marcos said:

All are listed as vulnerable, e.g. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml.

why are eset not detecting those hashes, i randomly picked up hashes from github and checked on virustotal and see that others are detecting it even refreshing the virustotal sacn

[Marcos 5,243]

https://docs.virustotal.com/docs/antivirus-verdict-differs

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

Also I'd recommend to read this older blog about the VirusTotal service: https://blog.virustotal.com/2016/05/maintaining-healthy-community.html.

[itman 1,746]

Here's an Asus forum posting on asio.sys: https://rog-forum.asus.com/t5/asus-software/windows-11-core-isolation-and-asio-sys/td-p/888889 .

Regardless of AV detection or not, Win 10/11 will not allow the driver to load at boot time due it being on Microsoft vulnerable driver list. Validation from this list is done automatically as long as Windows Security Center -> Device security -> Core isolation -> Memory integrity is enabled.

The problem is malware can drop a vulnerable driver on a device after boot time, install it, and load it. The malware then exploits the vulnerability in the driver to infect the target device. Hence, AV solutions flagging vulnerable drivers as a PUA and removing them.

Edited September 10 by itman

[hellosky11 1]

4 hours ago, Marcos said:

https://docs.virustotal.com/docs/antivirus-verdict-differs

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

Also I'd recommend to read this older blog about the VirusTotal service: https://blog.virustotal.com/2016/05/maintaining-healthy-community.html.

Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product? If so, under ESET, it should obviously detect malware whether it's detected by the ESET product or not.

[Marcos 5,243]

Virus Total uses the on-demand scanner to scan files. The product has several protection layers besides the on-demand scanner to protect the system.

[itman 1,746]

4 minutes ago, hellosky11 said:

Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product?

No. Eset on VT excludes its cloud scanning. Why? So its cloud servers don't get overloaded handling unrelated product source queries.

[itman 1,746]

5 hours ago, hellosky11 said:

Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product?

There appears to be a fundamental misunderstand here on what VirusTotal does.

View VT as a large sandbox online solution that just runs all AV solutions resident there at once and reports the results of the AV products installed there.

Again and repeating the prior posted comment. The AV solution installed at VT is in most cases, a modified version of the publicly purchased version. In most instances, the VT installed version does not include all protection mechanisms offered in the publicly purchased version.

Overall, VT is useful for evaluating if a full signature detection is present for the malware sample being evaluated. And this is all the VT result is useful for. The purchased and installed AV version could detect malware sample via cloud, behavior, etc. alternative methods.

Edited September 10 by itman

[itman 1,746]

Since we are again on the subject of Eset not detecting something at VirusTotal, here's an example as to why you should take Eset detection's "with a grain of salt" there.

A while back I found a ransomware sample that Eset didn't detect at VT. I downloaded it and upon attempted file creation on my device, below is the result;

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/29/2024 2:08:28 PM;Real-time file system protection;file;C:\Users\xxxxxxx\Downloads\8adbbce057b86be80f590e726943d836b8125e53aa0a28a948ac9f29c4afd542.exe;ML/Augur trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A7ED2871B07054D3832F452A41E0F798D7B3E7CC;6/29/2024 2:08:08 PM

Eset caught it via machine learning scanning. If you now review the sample at VT, Eset has a full filecoder signature for the ransomware.

The bottom line here is "bombarding" Eset researchers with missed VT detection's is counterproductive. It's diverting valuable analysis time for samples that Eset probably detects via one of its protection mechanisms. This also is why many will not receive a response for their submitted samples.

Edited September 10 by itman

[foxtigerjungle 1]

But why have other AVs not reported anything about AsIO.sys or its behavior?

[itman 1,746]

Just now, foxtigerjungle said:

But why have other AVs not reported anything about AsIO.sys or its behavior?

The same reason why Eset doesn't show a detection at VT. Like Eset, most AV's are classifying vulnerable drivers as PUA's and have omitted PUA detection from their installations at VT.