ESET protection fluctuating?


foxtigerjungle


9 hours ago, josh_bdn said:

Then I said that there were two samples missed when I tested yesterday. The other one was a large file (800 MB). Eset has a detection for it but still lets it execute. I reduced the file size and uploaded it to VT.

9ff1ca0678c81ef0cd6bef34c76fb73ed5bcd571dc3c3de356422f1859072720

Here's what happened when I downloaded this from a malware share; not VirusTotal.

Short.exe was created. No detection from Eset. File not blocked from execution per LiveGuard submission.

I opened its file properties prior to sending the file to Eset Quarantine. Then my desktop loses all its icons, only shortly thereafter to have them restored. Oh no ....... I also have Win Explorer open and watching short.exe there. It changes to non-.exe status. Shortly thereafter, the file disappears and I get an Eset blacklist suspicious detection;

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
9/16/2024 4:26:38 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\short.exe;Suspicious Object;cleaned by deleting;xxxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;41A496EE621CF8FAD1CA7AD11731AE24C657172C;9/16/2024 4:23:32 PM

I have also noticed this behavior on other recent malware downloads. It's as if Eset has finally implemented an enhanced local sandbox and running the malware there rather than just performing a quick heuristic scan.


Edited by itman

10 hours ago, Marcos said:

a detection "Advanced memory scanner;file;Operating memory » RegAsm.exe(7772);a variant of MSIL/Spy.RedLine.A trojan;contained infected files" was triggered. 

FYI to all.

I added a HIPS monitoring rule a while back for RegAsm.exe and RegSvcs.exe when I observed they were frequently deployed by InfoStealers.


17 hours ago, itman said:

I opened its file properties prior to sending the file to Eset Quarantine. Then my desktop loses all its icons, only shortly thereafter to have them restored. Oh no .......

It appears if you try to access the malware download in any way while Eset is locally analyzing the file, Eset will crash the process being used. In my case, this was Win Explorer. Best to wait a while after malware file creation to see if Eset will detect the file prior to trying to access the file.



13 hours ago, QuickSilverST250 said:

Thanks, I will look into this and add it myself.

Note that this is only a partial mitigation. Attackers will download RegAsm.exe wherever they like and run it from there:

Quote:

The goal of the AutoIt script is to drop RegAsm.exe legit binary, used as a container in order to inject malicious .NET code using Costura Loader (a reflective loader used to obfuscate the code and confuse and hinder reverse engineering efforts) commonly used by other stealers.

https://alpine-sec.medium.com/infostealer-campaign-using-autoit-and-reflective-net-techniques-1ca60bd9b068

"Where Oh where" is the long missing Eset HIPS global wildcard capability?

Ref.: https://attack.mitre.org/techniques/T1218/009/

Edited by itman
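As an added illustration (not code from this thread, from ESET, or from the linked article), here is the kind of wildcarded path check a HIPS rule for RegAsm.exe/RegSvcs.exe would need in order to catch copies run from user-writable locations, applied to constructed process-creation events. The legitimate .NET Framework install layout and the sample events are assumptions.

```python
import re
from pathlib import PureWindowsPath

# .NET utilities abused as injection containers (MITRE T1218.009).
LOLBIN_NAMES = {"regasm.exe", "regsvcs.exe"}

# Legitimate locations: the framework version directory is wildcarded, which is
# the kind of global wildcard a path-based HIPS rule needs. Assumed layout.
LEGIT_PATH = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[0-9.]+\\(regasm|regsvcs)\.exe$",
    re.IGNORECASE,
)


def classify_process(image_path: str) -> str:
    """Classify one process image path as 'ignore', 'legit' or 'suspicious'."""
    name = PureWindowsPath(image_path).name.lower()
    if name not in LOLBIN_NAMES:
        return "ignore"        # not one of the binaries being monitored
    if LEGIT_PATH.match(image_path.replace("/", "\\")):
        return "legit"         # launched from its .NET Framework directory
    return "suspicious"        # copied elsewhere and launched from there


def scan_events(events):
    """Return (image, parent) pairs for every suspicious process creation."""
    return [(img, parent) for img, parent in events
            if classify_process(img) == "suspicious"]


# Constructed sample process-creation events: (image path, parent image path).
SAMPLE_EVENTS = [
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     r"C:\Windows\System32\cmd.exe"),
    (r"C:\Users\xxxxxx\AppData\Local\Temp\RegAsm.exe",
     r"C:\Users\xxxxxx\AppData\Local\Temp\AutoIt3.exe"),
    (r"C:\Users\xxxxxx\Downloads\regsvcs.exe",
     r"C:\Users\xxxxxx\Downloads\short.exe"),
    (r"C:\Program Files\7-Zip\7zG.exe",
     r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for img, parent in scan_events(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {img} (parent: {parent})")
```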
