foxtigerjungle, posted September 9:
Hello, last year I sent two files to the lab. They were driver files from Asus. Now I'm testing the new ESET and the files are being recognized again. How quickly does ESET check such messages and adjust the signatures? Greetings

itman, posted September 9:
What are the driver files and their hash values? They might be vulnerable drivers.

foxtigerjungle (author), posted September 9:
It was this file: AsIO.sys. After sending the files to the lab, I cleaned the quarantine. 🙄
Marcos (Administrator), posted September 10:
Those are very likely vulnerable drivers that are subject to potentially unsafe application detection.

foxtigerjungle (author), posted September 10:
So the detection is correct? Other AVs had not reported it.

Marcos (Administrator), posted September 10:
It's very unlikely to be a false positive. In case you get the file detected again, provide its hash for verification.

foxtigerjungle (author), posted September 10:
You mean the hash in the quarantine? What does the hash say?

Marcos (Administrator), posted September 10:
The hash is logged in the Detections log and can also be determined from the name of the quarantined file on the disk.

foxtigerjungle (author), posted September 10:
I didn't know it was also saved in the logs. Here are the hashes:
92F251358B3FE86FD5E7AA9B17330AFA0D64A705
160A237295A9E5CBB64CA686A84E47553A14F71D
8B86C99328E4EB542663164685C6926E7E54AC20
Marcos (Administrator, marked as Solution), posted September 10:
All are listed as vulnerable, e.g. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml.

foxtigerjungle (author), posted September 10:
So is it better to block them or put them in quarantine? If a file is in quarantine and I send it to the lab, will it be automatically removed from quarantine if ESET marks it as a false detection?
Marcos (Administrator), posted September 10:
If you need a driver which contains a known vulnerability, it is detected, and there is no newer version of it that would have the vulnerability fixed, you can create a detection exclusion with the path to the driver. This way, if an adversary or malware dropped the same vulnerable driver for exploitation, it would still be detected by ESET.
> 3 minutes ago, foxtigerjungle said: If a file is in quarantine and I send it to the lab, will it be automatically removed from quarantine if ESET marks it as a false detection?
No, the file would remain in quarantine. However, in this case these drivers are correctly detected because of the vulnerabilities they contain.

foxtigerjungle (author), posted September 10:
> 2 minutes ago, Marcos said: No, the file would remain in quarantine. However, in this case these drivers are correctly detected because of the vulnerabilities they contain.
If ESET has updated the signatures, is it possible to rescan the files in quarantine?

Marcos (Administrator), posted September 10:
> 6 minutes ago, foxtigerjungle said: If ESET has updated the signatures, is it possible to rescan the files in quarantine?
No, you would need to restore a file and re-scan it. In this case it would not be detected by the on-demand scanner anyway, as the file is supposed to be detected only under specific circumstances.

foxtigerjungle (author), posted September 10:
Thank you Marcos
hellosky11, posted September 10:
> 1 hour ago, Marcos said: All are listed as vulnerable, e.g. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml.
Why is ESET not detecting those hashes? I randomly picked hashes from GitHub and checked on VirusTotal, and I see that others are detecting them, even after refreshing the VirusTotal scan.

Marcos (Administrator), posted September 10:
https://docs.virustotal.com/docs/antivirus-verdict-differs
"VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product."
Also I'd recommend reading this older blog post about the VirusTotal service: https://blog.virustotal.com/2016/05/maintaining-healthy-community.html.
itman, posted September 10 (edited September 10 by itman):
Here's an Asus forum posting on asio.sys: https://rog-forum.asus.com/t5/asus-software/windows-11-core-isolation-and-asio-sys/td-p/888889. Regardless of AV detection or not, Win 10/11 will not allow the driver to load at boot time due to it being on the Microsoft vulnerable driver list. Validation against this list is done automatically as long as Windows Security Center -> Device security -> Core isolation -> Memory integrity is enabled. The problem is that malware can drop a vulnerable driver on a device after boot time, install it, and load it. The malware then exploits the vulnerability in the driver to infect the target device. Hence AV solutions flagging vulnerable drivers as a PUA and removing them.

hellosky11, posted September 10:
> 4 hours ago, Marcos said: https://docs.virustotal.com/docs/antivirus-verdict-differs "VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product." Also I'd recommend reading this older blog post about the VirusTotal service: https://blog.virustotal.com/2016/05/maintaining-healthy-community.html.
Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product? If so, under ESET, it should obviously detect malware whether it's detected by the ESET product or not.

Marcos (Administrator), posted September 10:
VirusTotal uses the on-demand scanner to scan files. The product has several protection layers besides the on-demand scanner to protect the system.

itman, posted September 10:
> 4 minutes ago, hellosky11 said: Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product?
No. Eset on VT excludes its cloud scanning. Why? So its cloud servers don't get overloaded handling unrelated product source queries.

itman, posted September 10 (edited September 10 by itman):
> 5 hours ago, hellosky11 said: Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product?
There appears to be a fundamental misunderstanding here about what VirusTotal does. View VT as a large online sandbox solution that just runs all AV solutions resident there at once and reports the results of the AV products installed there. Again, repeating the prior posted comment: the AV solution installed at VT is in most cases a modified version of the publicly purchased version. In most instances, the VT-installed version does not include all protection mechanisms offered in the publicly purchased version. Overall, VT is useful for evaluating whether a full signature detection is present for the malware sample being evaluated. And this is all the VT result is useful for. The purchased and installed AV version could detect the malware sample via cloud, behavior, or other alternative methods.
itman, posted September 10 (edited September 10 by itman):
Since we are again on the subject of Eset not detecting something at VirusTotal, here's an example of why you should take Eset detections there "with a grain of salt". A while back I found a ransomware sample that Eset didn't detect at VT. I downloaded it, and upon attempted file creation on my device, below is the result:

    Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
    6/29/2024 2:08:28 PM;Real-time file system protection;file;C:\Users\xxxxxxx\Downloads\8adbbce057b86be80f590e726943d836b8125e53aa0a28a948ac9f29c4afd542.exe;ML/Augur trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A7ED2871B07054D3832F452A41E0F798D7B3E7CC;6/29/2024 2:08:08 PM

Eset caught it via machine learning scanning. If you now review the sample at VT, Eset has a full filecoder signature for the ransomware. The bottom line here is that "bombarding" Eset researchers with missed VT detections is counterproductive. It's diverting valuable analysis time to samples that Eset probably detects via one of its protection mechanisms. This is also why many will not receive a response for their submitted samples.
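Two points in this thread lend themselves to a small defender-side script: Marcos's note that the file hash is recorded in the Detections log, and his confirmation that the three SHA-1 values posted above appear in the SigmaHQ vulnerable-driver rule. The example below, added here and not code from ESET, SigmaHQ or any poster, parses a semicolon-separated detections export in the layout of the log line quoted in the post above, then triages each detected object by checking its hash against a reference set of known-vulnerable driver hashes. The reference set is constructed from the three hashes posted in the thread (a real deployment would load the full list from the Sigma rule); the sample log is constructed, and the second row's detection name is a placeholder, not a real ESET detection name.

```python
import csv
import hashlib
import io

# Constructed reference set: the three SHA-1 values posted earlier in this thread,
# which the "Solution" reply says are listed in the SigmaHQ vulnerable-driver rule.
# In practice, load the complete hash list from that rule file instead.
KNOWN_VULNERABLE_SHA1 = {
    "92F251358B3FE86FD5E7AA9B17330AFA0D64A705",
    "160A237295A9E5CBB64CA686A84E47553A14F71D",
    "8B86C99328E4EB542663164685C6926E7E54AC20",
}

# Constructed sample export in the semicolon-separated layout of the detection log
# line quoted above. The second row is invented to show a driver hit; its detection
# name "Win64/VulnerableDriver.Placeholder" is a placeholder, not a real ESET name.
SAMPLE_DETECTIONS_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/29/2024 2:08:28 PM;Real-time file system protection;file;C:\Users\xxxxxxx\Downloads\sample.exe;ML/Augur trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A7ED2871B07054D3832F452A41E0F798D7B3E7CC;6/29/2024 2:08:08 PM
9/10/2024 8:01:12 AM;Real-time file system protection;file;C:\Windows\System32\drivers\AsIO.sys;Win64/VulnerableDriver.Placeholder potentially unsafe application;cleaned by deleting;xxxxxx;constructed sample event;160A237295A9E5CBB64CA686A84E47553A14F71D;9/10/2024 8:01:05 AM
"""


def parse_detections_log(text: str) -> list[dict]:
    """Parse a semicolon-separated detections export into one dict per row,
    keyed by the header names (Time, Scanner, Object, Detection, Hash, ...)."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [row for row in reader]


def sha1_hex(data: bytes) -> str:
    """Uppercase hex SHA-1, the form in which the thread's hashes are shown."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path: str) -> str:
    """Hash a file on disk the same way, e.g. a driver restored from quarantine
    before you decide whether a path-based exclusion is justified."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def triage(rows: list[dict], known: set[str] = KNOWN_VULNERABLE_SHA1) -> dict[str, str]:
    """Map each detected object's path to a verdict: 'known-vulnerable-driver' when
    its logged hash is on the reference list, otherwise 'other-detection'."""
    verdicts = {}
    for row in rows:
        h = (row.get("Hash") or "").strip().upper()
        verdicts[row["Object"]] = "known-vulnerable-driver" if h in known else "other-detection"
    return verdicts


if __name__ == "__main__":
    for obj, verdict in triage(parse_detections_log(SAMPLE_DETECTIONS_LOG)).items():
        print(f"{verdict:24} {obj}")
```

A hit in the known-vulnerable set tells you the detection is about the driver's own vulnerability rather than malicious content, which is the case for a narrowly scoped path exclusion as Marcos describes; anything else should be treated as an ordinary detection and, if you suspect a false positive, submitted with its hash.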
foxtigerjungle (author), posted September 10:
But why have other AVs not reported anything about AsIO.sys or its behavior?

itman, posted September 10:
> Just now, foxtigerjungle said: But why have other AVs not reported anything about AsIO.sys or its behavior?
The same reason why Eset doesn't show a detection at VT. Like Eset, most AVs are classifying vulnerable drivers as PUAs and have omitted PUA detection from their installations at VT.