foxtigerjungle, Posted September 9, 2024: Hello. Last year I sent two files to the lab. They were driver files from Asus. Now I'm testing the new ESET and the files are being recognized again. How quickly does ESET check such messages and adjust the signatures? Greetings
itman, Posted September 9, 2024: What are the driver files and their hash values? They might be vulnerable drivers.
foxtigerjungle (Author), Posted September 9, 2024: It was this file: AsIO.sys. After sending the files to the lab, I cleaned the quarantine. 🙄
Marcos (Administrators), Posted September 10, 2024: Those are very likely vulnerable drivers that are subject to potentially unsafe application detection.
foxtigerjungle (Author), Posted September 10, 2024: So the detection is correct? Other AVs had not reported it.
Marcos (Administrators), Posted September 10, 2024: It's very unlikely to be a false positive. In case you get the file detected again, provide its hash for verification.
foxtigerjungle (Author), Posted September 10, 2024: You mean the hash in the quarantine? What does the hash say?
Marcos (Administrators), Posted September 10, 2024: The hash is logged in the Detections log and can also be determined from the name of the quarantined file on the disk.
foxtigerjungle (Author), Posted September 10, 2024: I didn't know it was also saved in the logs. Here are the hashes: 92F251358B3FE86FD5E7AA9B17330AFA0D64A705 160A237295A9E5CBB64CA686A84E47553A14F71D 8B86C99328E4EB542663164685C6926E7E54AC20
Marcos (Administrators, Solution), Posted September 10, 2024: All are listed as vulnerable, e.g. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml.
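As an added example (not from the forum, ESET or SigmaHQ), here is how the SHA-1 values quoted above can be checked against the hash entries of a Sigma driver-load rule. The rule fragment is constructed in the general shape of such a rule (quoted ALGO=hex entries) using the thread's own hashes; it is not the real SigmaHQ file, which should be fetched from the link above.

```python
import hashlib
import re

# The three SHA-1 values quoted earlier in the thread for the detected driver copies.
THREAD_HASHES = [
    "92F251358B3FE86FD5E7AA9B17330AFA0D64A705",
    "160A237295A9E5CBB64CA686A84E47553A14F71D",
    "8B86C99328E4EB542663164685C6926E7E54AC20",
]

# Constructed fragment in the general shape of a Sigma driver_load rule
# ('Hashes|contains' entries of the form ALGO=hex). It is NOT a copy of the
# real SigmaHQ rule; the hash values are the ones from the thread.
SIGMA_RULE_FRAGMENT = """
detection:
    selection_sysmon:
        Hashes|contains:
            - 'SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705'
            - 'SHA1=160a237295a9e5cbb64ca686a84e47553a14f71d'
            - 'SHA1=8b86c99328e4eb542663164685c6926e7e54ac20'
    condition: selection_sysmon
"""

# Matches quoted entries such as 'SHA1=<hex>' or 'IMPHASH=<hex>'.
HASH_ENTRY = re.compile(r"'(SHA1|SHA256|MD5|IMPHASH)=([0-9A-Fa-f]+)'")

def parse_rule_hashes(rule_text: str) -> dict:
    """Collect the rule's hash entries, keyed by algorithm, normalised to upper case."""
    found = {}
    for algo, value in HASH_ENTRY.findall(rule_text):
        found.setdefault(algo, set()).add(value.upper())
    return found

def sha1_of_bytes(data: bytes) -> str:
    """Upper-case SHA-1 hex digest, the form shown in ESET's Detections log.
    For a driver on disk: sha1_of_bytes(open(path, "rb").read())."""
    return hashlib.sha1(data).hexdigest().upper()

def check_hashes(hashes, rule_text: str = SIGMA_RULE_FRAGMENT) -> dict:
    """Map each SHA-1 (any case) to True when it is listed in the rule's SHA1 entries."""
    listed = parse_rule_hashes(rule_text).get("SHA1", set())
    return {h.upper(): h.upper() in listed for h in hashes}

if __name__ == "__main__":
    # A constructed all-zero digest is appended to show the "not listed" path.
    for digest, hit in check_hashes(THREAD_HASHES + ["00" * 20]).items():
        print(digest, "LISTED as vulnerable" if hit else "not listed")
```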
foxtigerjungle (Author), Posted September 10, 2024: So is it better to block them or put them in quarantine? If a file is in quarantine and I send it to the lab, will it be automatically removed from quarantine if ESET marks it as a false detection?
Marcos (Administrators), Posted September 10, 2024: If you need a driver that contains a known vulnerability, it is detected, and there is no newer version of it that would have the vulnerability fixed, you can create a detection exclusion with the path to the driver. This way, if an adversary or malware dropped the same vulnerable driver for exploitation, it would still be detected by ESET. 3 minutes ago, foxtigerjungle said: "If a file is in quarantine and I send it to the lab, will it be automatically removed from quarantine if ESET marks it as a false detection?" No, the file would remain in quarantine. However, in this case these drivers are correctly detected because of the vulnerabilities they contain.
foxtigerjungle (Author), Posted September 10, 2024: 2 minutes ago, Marcos said: "No, the file would remain in quarantine. However, in this case these drivers are correctly detected because of the vulnerabilities they contain." If ESET has updated the signatures, is it possible to rescan the files in quarantine?
Marcos (Administrators), Posted September 10, 2024: 6 minutes ago, foxtigerjungle said: "If ESET has updated the signatures, is it possible to rescan the files in quarantine?" No, you would need to restore a file and re-scan it. In this case it would not be detected by the on-demand scanner anyway, as the file is supposed to be detected only under specific circumstances.
Guest, Posted September 10, 2024: 1 hour ago, Marcos said: "All are listed as vulnerable, e.g. https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml." Why is ESET not detecting those hashes? I randomly picked hashes from GitHub and checked them on VirusTotal, and I see that others are detecting them, even after refreshing the VirusTotal scan.
Marcos (Administrators), Posted September 10, 2024: https://docs.virustotal.com/docs/antivirus-verdict-differs "VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product." Also I'd recommend reading this older blog post about the VirusTotal service: https://blog.virustotal.com/2016/05/maintaining-healthy-community.html.
itman, Posted September 10, 2024 (edited): Here's an Asus forum posting on asio.sys: https://rog-forum.asus.com/t5/asus-software/windows-11-core-isolation-and-asio-sys/td-p/888889. Regardless of AV detection or not, Win 10/11 will not allow the driver to load at boot time due to it being on the Microsoft vulnerable driver list. Validation against this list is done automatically as long as Windows Security Center -> Device security -> Core isolation -> Memory integrity is enabled. The problem is malware can drop a vulnerable driver on a device after boot time, install it, and load it. The malware then exploits the vulnerability in the driver to infect the target device. Hence AV solutions flag vulnerable drivers as PUAs and remove them. Edited September 10, 2024 by itman
Guest, Posted September 10, 2024: 4 hours ago, Marcos said: "https://docs.virustotal.com/docs/antivirus-verdict-differs VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product. Also I'd recommend to read this older blog about the VirusTotal service: https://blog.virustotal.com/2016/05/maintaining-healthy-community.html." Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product? If so, under ESET, it should obviously detect malware whether it's detected by the ESET product or not.
Marcos (Administrators), Posted September 10, 2024: VirusTotal uses the on-demand scanner to scan files. The product has several protection layers besides the on-demand scanner to protect the system.
itman, Posted September 10, 2024: 4 minutes ago, hellosky11 said: "Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product?" No. Eset on VT excludes its cloud scanning. Why? So its cloud servers don't get overloaded handling unrelated product source queries.
itman, Posted September 10, 2024 (edited): 5 hours ago, hellosky11 said: "Doesn't that mean VirusTotal should have more aggressive detection capabilities than the product?" There appears to be a fundamental misunderstanding here of what VirusTotal does. View VT as a large online sandbox solution that just runs all the AV solutions resident there at once and reports the results of the AV products installed there. Again, repeating the previously posted comment: the AV solution installed at VT is in most cases a modified version of the publicly purchased version. In most instances, the VT-installed version does not include all protection mechanisms offered in the publicly purchased version. Overall, VT is useful for evaluating whether a full signature detection is present for the malware sample being evaluated. And this is all the VT result is useful for. The purchased and installed AV version could detect the malware sample via cloud, behavior, etc. alternative methods. Edited September 10, 2024 by itman
itman, Posted September 10, 2024 (edited): Since we are again on the subject of Eset not detecting something at VirusTotal, here's an example of why you should take Eset detections there "with a grain of salt". A while back I found a ransomware sample that Eset didn't detect at VT. I downloaded it and upon attempted file creation on my device, below is the result:
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/29/2024 2:08:28 PM;Real-time file system protection;file;C:\Users\xxxxxxx\Downloads\8adbbce057b86be80f590e726943d836b8125e53aa0a28a948ac9f29c4afd542.exe;ML/Augur trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A7ED2871B07054D3832F452A41E0F798D7B3E7CC;6/29/2024 2:08:08 PM
Eset caught it via machine learning scanning. If you now review the sample at VT, Eset has a full filecoder signature for the ransomware. The bottom line here is that "bombarding" Eset researchers with missed VT detections is counterproductive. It diverts valuable analysis time to samples that Eset probably detects via one of its protection mechanisms. This is also why many will not receive a response for their submitted samples. Edited September 10, 2024 by itman
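Added example, not itman's or ESET's code: a small parser for the semicolon-separated Detections log export quoted above, which also pulls the creating process and its hash out of the Information column and checks both hashes against a watch list built from the three vulnerable-driver SHA-1s posted earlier in the thread. It assumes the Hash column is a 40-hex SHA-1 as in the quoted row and that no field itself contains a ';'.

```python
import re

# Header and one row copied from the export quoted above (semicolon separated;
# the raw string keeps the backslashes literal).
DETECTIONS_EXPORT = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/29/2024 2:08:28 PM;Real-time file system protection;file;C:\Users\xxxxxxx\Downloads\8adbbce057b86be80f590e726943d836b8125e53aa0a28a948ac9f29c4afd542.exe;ML/Augur trojan;cleaned by deleting;xxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A7ED2871B07054D3832F452A41E0F798D7B3E7CC;6/29/2024 2:08:08 PM
"""

# The three vulnerable-driver SHA-1s quoted earlier in the thread, used as a watch list.
VULN_DRIVER_SHA1S = {
    "92F251358B3FE86FD5E7AA9B17330AFA0D64A705",
    "160A237295A9E5CBB64CA686A84E47553A14F71D",
    "8B86C99328E4EB542663164685C6926E7E54AC20",
}

# The Information column names the creating process and its SHA-1 in parentheses.
PARENT_RE = re.compile(r"application: (.+?) \(([0-9A-Fa-f]{40})\)")
SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

def parse_detections_export(text: str) -> list:
    """One dict per row, keyed by header name, plus ParentProcess/ParentHash.
    Assumed caveat: a ';' inside a path would shift the columns, so a row with
    the wrong field count is rejected instead of being silently mis-parsed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";")
    records = []
    for ln in lines[1:]:
        fields = ln.split(";")
        if len(fields) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(fields)}")
        rec = dict(zip(header, fields))
        if not SHA1_RE.match(rec["Hash"]):
            raise ValueError(f"Hash column is not a SHA-1: {rec['Hash']!r}")
        m = PARENT_RE.search(rec["Information"])
        rec["ParentProcess"] = m.group(1) if m else None
        rec["ParentHash"] = m.group(2).upper() if m else None
        records.append(rec)
    return records

def match_watchlist(records, watch_hashes) -> list:
    """(Object, hash, role) for rows whose file hash or parent hash is on the watch list."""
    watch = {h.upper() for h in watch_hashes}
    hits = []
    for rec in records:
        if rec["Hash"].upper() in watch:
            hits.append((rec["Object"], rec["Hash"].upper(), "file"))
        if rec["ParentHash"] in watch:
            hits.append((rec["Object"], rec["ParentHash"], "parent"))
    return hits
```

For the quoted ransomware row the driver watch list yields no hit; adding the parent hash to the watch list shows the "parent" match path used when a detected file was written by a process of interest.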
foxtigerjungle (Author), Posted September 10, 2024: But why have other AVs not reported anything about AsIO.sys or its behavior?
itman, Posted September 10, 2024: Just now, foxtigerjungle said: "But why have other AVs not reported anything about AsIO.sys or its behavior?" The same reason why Eset doesn't show a detection at VT. Like Eset, most AVs are classifying vulnerable drivers as PUAs and have omitted PUA detection from their installations at VT.