Samples to ESET Research Lab


Solved by Marcos

Hello,

Last year I sent two files to the lab. They were driver files from Asus.
Now I'm testing the new ESET and the files are being recognized again.
How quickly does ESET check such messages and adjust the signatures?

Greetings


  • Administrators

It's very unlikely to be a false positive. In case you get the file detected again, provide its hash for verification.


  • Administrators

The hash is logged in the Detections log and can also be determined from the name of the quarantined file on the disk.


I didn't know it was also saved in the logs.

Here are the hashes:

92F251358B3FE86FD5E7AA9B17330AFA0D64A705

160A237295A9E5CBB64CA686A84E47553A14F71D

8B86C99328E4EB542663164685C6926E7E54AC20


So is it better to block them or put them in quarantine?

If a file is in quarantine and I send it to the lab, will it be automatically removed from quarantine if ESET marks it as a false detection?


  • Administrators

If you need a driver that contains a known vulnerability, is detected, and has no newer version that fixes the vulnerability, you can create a detection exclusion with the path to the driver. That way, if an adversary or malware dropped the same vulnerable driver for exploitation, it would still be detected by ESET.

3 minutes ago, foxtigerjungle said:

If a file is in quarantine and I send it to the lab, will it be automatically removed from quarantine if ESET marks it as a false detection?

No, the file would remain in quarantine. However, in this case these drivers are correctly detected because of the vulnerabilities they contain.

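The path-scoped exclusion Marcos describes above, modelled as an added Python example (this is not ESET code or configuration, and it does not reproduce how ESET evaluates exclusions internally). It contrasts an exclusion tied to the driver's install path with a hash-only exclusion, using the three SHA-1 values the original poster submitted; which hash belongs to which file, and the install path used, are assumptions made for the example.

```python
"""Path-scoped exclusion for a known-vulnerable driver (added example).

This is not ESET code; it models the rule from the post above: exclude the
vulnerable driver only at the path where the legitimate software installed
it, so the same file dropped anywhere else is still detected. A hash-only
exclusion is shown alongside to make the difference visible.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# SHA-1 hashes the original poster reported for the detected Asus drivers.
# The thread does not say which hash belongs to which file, so the pairing
# with a path below is an assumption made for this example.
VULNERABLE_DRIVER_SHA1 = {
    "92F251358B3FE86FD5E7AA9B17330AFA0D64A705",
    "160A237295A9E5CBB64CA686A84E47553A14F71D",
    "8B86C99328E4EB542663164685C6926E7E54AC20",
}

# Assumed install location of the legitimate driver (constructed for the example).
LEGIT_PATH = r"C:\Windows\System32\drivers\AsIO.sys"


@dataclass(frozen=True)
class FileEvent:
    path: str   # where the file was written to or loaded from
    sha1: str   # flat SHA-1 of the file contents


@dataclass(frozen=True)
class Exclusion:
    sha1: str
    path: Optional[str] = None   # None means "exclude this hash everywhere"


def norm_path(path: str) -> str:
    """Windows paths are case-insensitive and accept either separator."""
    return str(PureWindowsPath(path)).lower()


def verdict(event: FileEvent, exclusions: List[Exclusion]) -> str:
    """Return 'clean', 'excluded' or 'detected' for one file event."""
    sha1 = event.sha1.upper()
    if sha1 not in VULNERABLE_DRIVER_SHA1:
        return "clean"
    for ex in exclusions:
        if ex.sha1.upper() != sha1:
            continue
        if ex.path is None or norm_path(ex.path) == norm_path(event.path):
            return "excluded"
    return "detected"


# The exclusion Marcos recommends: tied to the driver's legitimate path.
PATH_SCOPED = [Exclusion(sha1="92F251358B3FE86FD5E7AA9B17330AFA0D64A705", path=LEGIT_PATH)]
# The weaker form: the hash is trusted wherever it shows up.
HASH_ONLY = [Exclusion(sha1="92F251358B3FE86FD5E7AA9B17330AFA0D64A705")]

# Constructed events: the installed driver, and the same bytes dropped by an
# attacker into a user-writable directory (the scenario from the post).
INSTALLED = FileEvent(LEGIT_PATH, "92f251358b3fe86fd5e7aa9b17330afa0d64a705")
DROPPED = FileEvent(r"C:\Users\Public\AsIO.sys", "92F251358B3FE86FD5E7AA9B17330AFA0D64A705")


def compare() -> dict:
    """Verdicts for (installed, dropped) under both exclusion styles."""
    return {
        "path_scoped": (verdict(INSTALLED, PATH_SCOPED), verdict(DROPPED, PATH_SCOPED)),
        "hash_only": (verdict(INSTALLED, HASH_ONLY), verdict(DROPPED, HASH_ONLY)),
    }


if __name__ == "__main__":
    for style, (installed, dropped) in compare().items():
        print(f"{style:12s} installed={installed:9s} dropped={dropped}")
```

With the path-scoped rule the installed copy is excluded and the dropped copy is detected; with the hash-only rule both are excluded, which is exactly the gap an attacker bringing their own vulnerable driver would use.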

2 minutes ago, Marcos said:

No, the file would remain in quarantine. However, in this case these drivers are correctly detected because of the vulnerabilities they contain.

If ESET has updated the signatures, is it possible to rescan the files in quarantine?


  • Administrators
6 minutes ago, foxtigerjungle said:

If ESET has updated the signatures, is it possible to rescan the files in quarantine?

No, you would need to restore a file and re-scan it. In this case it would not be detected by the on-demand scanner anyway as the file is supposed to be detected only under specific circumstances.


1 hour ago, Marcos said:

Why is ESET not detecting those hashes? I randomly picked up hashes from GitHub and checked them on VirusTotal, and I see that others are detecting them, even after refreshing the VirusTotal scan.


  • Administrators

https://docs.virustotal.com/docs/antivirus-verdict-differs

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

Also I'd recommend to read this older blog about the VirusTotal service: https://blog.virustotal.com/2016/05/maintaining-healthy-community.html.


Here's an Asus forum posting on asio.sys: https://rog-forum.asus.com/t5/asus-software/windows-11-core-isolation-and-asio-sys/td-p/888889 .

Regardless of AV detection or not, Win 10/11 will not allow the driver to load at boot time due to it being on the Microsoft vulnerable driver list. Validation against this list is done automatically as long as Windows Security Center -> Device security -> Core isolation -> Memory integrity is enabled.

The problem is malware can drop a vulnerable driver on a device after boot time, install it, and load it. The malware then exploits the vulnerability in the driver to infect the target device. Hence AV solutions flag vulnerable drivers as PUAs and remove them.

Edited by itman

4 hours ago, Marcos said:

https://docs.virustotal.com/docs/antivirus-verdict-differs

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

Also I'd recommend to read this older blog about the VirusTotal service: https://blog.virustotal.com/2016/05/maintaining-healthy-community.html.

Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product? If so, under ESET, it should obviously detect malware whether it's detected by the ESET product or not.


  • Administrators

VirusTotal uses the on-demand scanner to scan files. The product has several protection layers besides the on-demand scanner to protect the system.


4 minutes ago, hellosky11 said:

Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product?

No. Eset on VT excludes its cloud scanning. Why? So its cloud servers don't get overloaded handling unrelated product source queries.


5 hours ago, hellosky11 said:

Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product?

There appears to be a fundamental misunderstanding here about what VirusTotal does.

View VT as a large sandbox online solution that just runs all AV solutions resident there at once and reports the results of the AV products installed there.

Again, repeating the previously posted comment: the AV solution installed at VT is in most cases a modified version of the publicly purchased version. In most instances, the VT-installed version does not include all protection mechanisms offered in the publicly purchased version.

Overall, VT is useful for evaluating whether a full signature detection is present for the malware sample being evaluated, and this is all the VT result is useful for. The purchased and installed AV version could detect the malware sample via cloud, behavior, or other alternative methods.

Edited by itman

Since we are again on the subject of Eset not detecting something at VirusTotal, here's an example of why you should take Eset detections there "with a grain of salt".

A while back I found a ransomware sample that Eset didn't detect at VT. I downloaded it, and upon attempted file creation on my device, below is the result:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/29/2024 2:08:28 PM;Real-time file system protection;file;C:\Users\xxxxxxx\Downloads\8adbbce057b86be80f590e726943d836b8125e53aa0a28a948ac9f29c4afd542.exe;ML/Augur trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A7ED2871B07054D3832F452A41E0F798D7B3E7CC;6/29/2024 2:08:08 PM

Eset caught it via machine learning scanning. If you now review the sample at VT, Eset has a full filecoder signature for the ransomware.

The bottom line here is that "bombarding" Eset researchers with missed VT detections is counterproductive. It diverts valuable analysis time to samples that Eset probably detects via one of its protection mechanisms. This is also why many will not receive a response for their submitted samples.

Edited by itman
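Two earlier points in the thread lend themselves to one worked example: Marcos's note that the hash is recorded in the Detections log and in the quarantined file's name, and the exported log line itman pasted above. The Python below is an added example, not ESET's code: it parses an export in the semicolon-separated layout shown in that log line, flags rows whose hash is on a watchlist (here the three hashes the original poster submitted), recovers a hash from a quarantine file name, and hashes a file on disk for comparison. The sample export is constructed (the first data row is itman's, the second is made up to produce a watchlist hit), and the `.NQF` quarantine extension, as well as the hash column being a flat SHA-1, are assumptions based only on the 40-hex values seen in the thread.

```python
"""Parse an exported ESET Detections log and cross-check hashes (added example).

Not ESET's code. The export layout (semicolon-separated, header row first,
40-hex value in the "Hash" column, assumed to be a flat SHA-1) is taken from
the log line itman posted. The quarantine file-name convention (the hash as
the file stem, .NQF extension) is an assumption based on Marcos's remark that
the hash can be read from the quarantined file's name.
"""
import csv
import hashlib
import io
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Hashes the original poster submitted (from the thread).
WATCHLIST = {
    "92F251358B3FE86FD5E7AA9B17330AFA0D64A705",
    "160A237295A9E5CBB64CA686A84E47553A14F71D",
    "8B86C99328E4EB542663164685C6926E7E54AC20",
}

# Constructed sample export. The first data row is the one itman posted; the
# second is made up here so that a watchlist hit appears.
SAMPLE_EXPORT = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/29/2024 2:08:28 PM;Real-time file system protection;file;C:\Users\xxxxxxx\Downloads\8adbbce057b86be80f590e726943d836b8125e53aa0a28a948ac9f29c4afd542.exe;ML/Augur trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A7ED2871B07054D3832F452A41E0F798D7B3E7CC;6/29/2024 2:08:08 PM
1/1/2025 9:00:00 AM;Real-time file system protection;file;C:\Users\Public\AsIO.sys;constructed detection name;cleaned by deleting;xxxxxx;constructed row for this example;92f251358b3fe86fd5e7aa9b17330afa0d64a705;1/1/2025 9:00:00 AM
"""


def parse_detections(text: str) -> List[Dict[str, str]]:
    """Read the export into dicts keyed by the header names; hashes uppercased."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        h = (row.get("Hash") or "").strip()
        if not SHA1_RE.match(h):
            continue          # skip rows without a usable 40-hex hash
        row["Hash"] = h.upper()
        rows.append(row)
    return rows


def watchlist_hits(rows: Iterable[Dict[str, str]], watchlist: Iterable[str]) -> List[Dict[str, str]]:
    """Rows whose hash appears in the watchlist (case-insensitive)."""
    wanted = {h.upper() for h in watchlist}
    return [r for r in rows if r["Hash"] in wanted]


def hash_from_quarantine_name(name: str) -> Optional[str]:
    """Recover the hash from a quarantine file name such as <SHA1>.NQF (assumed layout)."""
    stem = Path(name).stem
    return stem.upper() if SHA1_RE.match(stem) else None


def sha1_hex(data: bytes) -> str:
    """Uppercase SHA-1 of a byte string, the same form as the log's Hash column."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path: str) -> str:
    """Flat SHA-1 of a file on disk, computed in chunks so large drivers are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def on_disk_in_watchlist(path: str, watchlist: Iterable[str]) -> bool:
    """True when the file at `path` hashes to a watchlisted value."""
    return sha1_of_file(path) in {h.upper() for h in watchlist}


if __name__ == "__main__":
    for r in parse_detections(SAMPLE_EXPORT):
        flag = "WATCHLIST" if r["Hash"] in WATCHLIST else ""
        print(f"{r['Time']:22s} {r['Hash']} {r['Detection']:28s} {r['Object']} {flag}")
```

On a real export, feed the file contents to `parse_detections` and compare the hits against the hashes you submitted; `on_disk_in_watchlist` is the check to run against the driver's path before restoring anything from quarantine, since a restored file that still hashes to a watchlisted value will simply be detected again under the conditions Marcos describes.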

Just now, foxtigerjungle said:

But why have other AVs not reported anything about AsIO.sys or its behavior?

The same reason why Eset doesn't show a detection at VT. Like Eset, most AVs are classifying vulnerable drivers as PUAs and have omitted PUA detection from their installations at VT.
