Samples to ESET Research Lab


Go to solution Solved by Marcos,

Recommended Posts

ML is not an issue, and ML has many false positives too. I have submitted many ML samples to the ESET malware research team; they neither remove the ML detection nor create a signature detection for it, which they should do either way.


9 hours ago, hellosky11 said:

ML is not an issue, and ML has many false positives too. I have submitted many ML samples to the ESET malware research team; they neither remove the ML detection nor create a signature detection for it, which they should do either way.

"You're all over the place" in your forum postings.

One minute you accuse Eset of not detecting malware because it doesn't detect on VirusTotal. Then you imply that Eset's behavior detections are deficient due to false positives, which certainly isn't the case.

My recommendation is to take your forum postings "with a grain of salt."


Edited by itman

13 hours ago, itman said:

"You're all over the place" in your forum postings.

One minute you accuse Eset of not detecting malware because it doesn't detect on VirusTotal. Then you imply that Eset's behavior detections are deficient due to false positives, which certainly isn't the case.

My recommendation is to take your forum postings "with a grain of salt."


-- redacted -- You think I'm 'all over the place' just because I'm pointing out two different issues with Eset?! -- redacted -- I've submitted multiple ML samples that Eset fails to detect, and yet they don't do anything about it. -- redacted --

Edited by Marcos
Redacted

  • Administrators
8 hours ago, hellosky11 said:

I've submitted multiple ML samples that Eset fails to detect

Please clarify. Either the files are detected by ML (ML/Augur) or they are not detected. It can't be both. Files with what hashes are you referring to?



https://www.virustotal.com/gui/file/c9817d415d34ea3ae07094dae818ffe8e3fb1d5bcb13eb0e65fd361b7859eda7

Some samples check the system environment before carrying out any malicious activities but it seems that the malware analysts aren't thoroughly analyzing the samples. They tend to conclude that if a sample doesn't operate correctly in their sandbox or analysis system, it is considered CLEAN.


Already provided the payload URLs in email. Speechless...


  • Administrators
45 minutes ago, IvanL_5306 said:

Some samples check the system environment before carrying out any malicious activities but it seems that the malware analysts aren't thoroughly analyzing the samples. They tend to conclude that if a sample doesn't operate correctly in their sandbox or analysis system, it is considered CLEAN.

This definitely doesn't concern ESET analysts. We analyze files thoroughly and do not rely just on the sandbox output.


7 hours ago, Marcos said:

Please clarify. Either the files are detected by ML (ML/Augur) or they are not detected. It can't be both. Files with what hashes are you referring to?

ESET products detect some samples as 'ML Augur,' which is obviously machine learning-based rather than signature-based. I sent these Augur samples to the malware research team so that, if malicious, they can create signatures, or if not malicious, they can remove the ML detection. They have done this in the past, but they also do not respond to the same email.

@Marcos, to be very frank, why is the ESET malware research team not responding to the samples/hashes they receive? I understand they receive hundreds of sample emails daily, and I wait for more than a week before sending a follow-up email, as stated in your ESET support articles, which you're also aware of.

Can you provide a logical explanation for why the malware research team isn’t responding to the samples or hashes they receive? I’m also wondering whether the follow-up email procedure mentioned in your support articles is still valid, as I’ve noticed that even follow-up emails go unanswered. I shared an image earlier showing how many emails I’ve sent to the malware research team, and none of them have been responded to. Please speak freely—does ESET have a limited number of malware researchers? From what I know, in the past, the team consisted of people who worked both as developers and malware researchers, meaning a single person was handling both roles on average.


  • Administrators

What matters is that malware is detected, the detection name doesn't matter. There are AVs that detect let's say 30% of all the malware and somehow suspicious files just by 1 name.

If ML/Augur is reported on a clean file (false positive), we fix it.

A response is provided typically only if more information is needed to fix FP or to add a detection for an undetected suspicious file.


I still do not receive a response when I send a file to the malware research team; they create a detection which becomes available after 2-3 days, and that is how I come to know!

If ML.Augur is reported on a false negative file, you should remove it also!


4 hours ago, IvanL_5306 said:

This is possibly a hacked version of NetDiagnotor.exe, circa 2015. Described here: https://www.freefixer.com/library/file/NetDiagnotor.exe-246070/ with a VT analysis here: https://www.virustotal.com/gui/file/b4e5378b745ea24bb2a73ce510751deb2725e554db7ac31de212f9ac163f1317/details .

Appears to be Chinese-based software.

Edited by itman

48 minutes ago, itman said:

This is possibly a hacked version of NetDiagnotor.exe, circa 2015. Described here: https://www.freefixer.com/library/file/NetDiagnotor.exe-246070/ with a VT analysis here: https://www.virustotal.com/gui/file/b4e5378b745ea24bb2a73ce510751deb2725e554db7ac31de212f9ac163f1317/details .

Appears to be Chinese-based software.

Good to know, but the sample is not subject to detection despite VT marking it as "malware".

Edited by IvanL_5306

1 hour ago, IvanL_5306 said:

Good to know, but the sample is not subject to detection despite VT marking it as "malware".

Further analysis yields the following.

NetDiagnotor.exe per se is not malicious. It is how it's executed that determines its malicious status.

In the original version posted to VT here: https://www.virustotal.com/gui/file/b4e5378b745ea24bb2a73ce510751deb2725e554db7ac31de212f9ac163f1317/details, a malicious driver was the parent process (screenshot not reproduced here).

Eset along with many other AV solutions detected the malicious driver.

In the current execution scenario for NetDiagnotor.exe: https://www.virustotal.com/gui/file/c9817d415d34ea3ae07094dae818ffe8e3fb1d5bcb13eb0e65fd361b7859eda7 , it is being executed from the parent shown in the attached screenshot (not reproduced here).

Eset currently does not detect this .rar file as malicious at VT.

It remains to be determined if a device with Eset installed would detect the .rar file upon execution.

-EDIT- I downloaded the .rar from a malware share. Eset didn't detect it.

Edited by itman

Update on NetDiagnotor.exe. Eset now detects it at VT along with the .rar parent file used to create it.

Edited by itman

7 hours ago, itman said:

In the current execution scenario for NetDiagnotor.exe: https://www.virustotal.com/gui/file/c9817d415d34ea3ae07094dae818ffe8e3fb1d5bcb13eb0e65fd361b7859eda7 , it is being executed from the parent shown in the attached screenshot (not reproduced here).

@Marcos, I have a question in regard to Eset's non-detection of this .rar upon its creation on my device, prior to Eset creating a specific signature for it.

VT analysis shows that Eset would have at least detected one malicious .exe within the .rar. This indicates to me that Eset never scanned the .rar upon its creation. The .rar was downloaded within a password protected .zip archive which was extracted via 7Zip on my local device. The .rar couldn't execute on my device since I don't have WinRAR installed on my device and no file association for .rar.


  • Administrators
9 hours ago, itman said:

VT analysis shows that Eset would have at least detected one malicious .exe within the .rar. This indicates to me that Eset never scanned the .rar upon its creation. The .rar was downloaded within a password protected .zip archive which was extracted via 7Zip on my local device. The .rar couldn't execute on my device since I don't have WinRAR installed on my device and no file association for .rar.

Real-time protection doesn't scan archives. This particular rar archive contains 3 files detected as follows upon extraction by real-time protection or during a scan with the on-demand scanner:

7vBc.exe", result="MSIL/Agent.BPH trojan"
config.exe", result="Win32/TrojanDownloader.Agent.HUJ trojan"
ghohUvaqFA29.exe", result="a variant of WinGo/Rozena.WL trojan"



5 hours ago, Marcos said:

Real-time protection doesn't scan archives.

Sorry. I misinterpreted real-time ThreatSense settings. It only scans RAR-SFX files upon file creation.

Edited by itman

@Marcos

I downloaded and checked various samples from VirusShare, VirusSign, and GitHub. ESET detected a lot of them, but there are still many samples that remain and need to be sent to the malware research team. The number of samples may exceed 1,000. First, I'm not even sure if the malware research team will check them, considering the sources from which the samples were downloaded are well-known across the web.

That being said, in the past, I had a conversation with the malware research team and asked if I could use third-party websites like upload.ee, Google Drive, gofile, or WeTransfer. However, they said to send files via email attachments only. As we know, Gmail has a 25 MB attachment limit, and even if ZIP files are password-protected, Google often blocks them due to its advanced algorithms or security measures.

The issue here is that sending around 1,000 samples with a 25 MB email attachment limit would result in a huge number of emails to the malware researchers, which is not feasible. I need you to contact the malware research team and ask them for a solution in this case. How should I send them the samples? I understand that email is the preferred method, but considering the volume, an online file-sharing service may be necessary. Thanks!

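The batching problem described in the post above (roughly 1,000 samples versus a 25 MB attachment limit) can be handled mechanically. The following is an added example, not ESET's tooling or anything from the thread: it plans first-fit-decreasing batches under a size cap, writes one ZIP per batch with a SHA-256 manifest so the researcher can tie each file to a hash, and leaves password protection to an external tool, since Python's zipfile cannot write encrypted archives. The 25 MB cap, the directory layout and the archive names are assumptions.

```python
import hashlib
import zipfile
from pathlib import Path

# Assumption: 25 MB is the e-mail attachment limit mentioned in the thread.
MAX_ATTACHMENT_BYTES = 25 * 1024 * 1024


def sha256_of(path: Path) -> str:
    """Stream the file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_batches(sizes: dict, cap: int = MAX_ATTACHMENT_BYTES) -> list:
    """First-fit-decreasing: largest files first, each into the first batch with room.
    A file larger than the cap still gets its own batch; the caller must deal with it
    separately, since it cannot be attached as-is."""
    batches, totals = [], []
    for name, size in sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0])):
        for i, total in enumerate(totals):
            if total + size <= cap:
                batches[i].append(name)
                totals[i] += size
                break
        else:
            batches.append([name])
            totals.append(size)
    return batches


def write_batches(sample_dir: Path, out_dir: Path, cap: int = MAX_ATTACHMENT_BYTES) -> list:
    """Write submission_N.zip per batch, each with a MANIFEST.sha256 listing its members.
    ZIP_STORED keeps samples uncompressed, so on-disk sizes bound the archive size;
    ZIP headers add a little overhead, so pass a cap with some headroom."""
    sizes = {p.name: p.stat().st_size for p in sample_dir.iterdir() if p.is_file()}
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, names in enumerate(plan_batches(sizes, cap), start=1):
        zpath = out_dir / f"submission_{n}.zip"
        manifest = "".join(f"{sha256_of(sample_dir / name)}  {name}\n" for name in names)
        with zipfile.ZipFile(zpath, "w", compression=zipfile.ZIP_STORED) as zf:
            for name in names:
                zf.write(sample_dir / name, arcname=name)
            zf.writestr("MANIFEST.sha256", manifest)
        written.append(zpath)
    return written
```

Each resulting archive can then be password-protected with 7-Zip or similar before sending, keeping the manifest hashes in the e-mail body so the submission is still identifiable if the attachment is stripped.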

  • Administrators

You can send a few samples for a start. I doubt all those samples are true malware that would be subject to detection and most of them will be rather clean, corrupted or grey files with uncertain purpose or functionality, joke applications, PoC, educational code, etc.


Is there any link through which I can send them? I’ve sent 2-3 emails over the past two weeks, and some were detected. Could you reach out to the researchers to find out how to submit them? Alternatively, I can PM you the link to the third-party site with the uploaded samples, and you can share it directly with them.


Today is the day to return to the workplace, but I noticed that they only process submissions submitted on Sunday and will ignore those submitted on Saturday.

Edited by IvanL_5306