
Sample status after submission


I submitted a sample manually in ESET LiveGuard. Where can I see the status of the sample submitted to ESET? I am using Smart Home Security.


  • Administrators

If the sample was evaluated by ESET LiveGuard as malicious, it would have been detected and blocked. Otherwise it was evaluated as clean / not suspicious enough.


LiveGuard cannot always evaluate whether a file is malicious or not. It may not have detected the file as malicious, but if it were submitted to malware researchers, they might identify it as malware. One cannot fully depend on LiveGuard or ML Augur detection; what seems non-malicious to them may appear malicious to malware researchers, correct?


ML Augur is machine learning-based. What about LiveGuard? Is it cloud-based detection? And is HIPS the behavior-based detection?

Edited by hellosky11

1 hour ago, hellosky11 said:

One cannot fully depend on LiveGuard or ML Augur detection; what seems non-malicious to them may appear malicious to malware researchers, correct?

You can read about Augur processing here: https://www.welivesecurity.com/2017/06/20/machine-learning-eset-road-augur/ . Of note is:

Quote

The group of classification algorithms has two possible setups:

The more aggressive one will label a sample as malicious if most of the six algorithms vote it as such. This is useful mainly for IT staff using ESET Enterprise Inspector, as it can flag anything suspicious and leave the final evaluation of the outputs to a competent admin.

The milder, or more conservative, approach declares a sample clean if at least one of the six algorithms comes to such conclusion. This is useful for general purpose systems with a less expert overview.

My assumption is that in ESET consumer products, Augur is being deployed somewhere between the aggressive and conservative approach to render a clean verdict. Also, for ESET consumer products, the malicious confidence factor is 90%, or high level.

Edited by itman

1 hour ago, hellosky11 said:

LiveGuard cannot always evaluate whether a file is malicious or not.

The main issue with LiveGuard is that it is in essence a cloud sandbox. Malware can deploy detection evasion tactics, one of them being that if it detects it is running in a sandbox, VM, etc., it won't run, or won't run with malicious behavior.


Quote

You can read about Augur processing here: https://www.welivesecurity.com/2017/06/20/machine-learning-eset-road-augur/ . Of note is:


I have read it already in the past.

Quote

My assumption is that in ESET consumer products, Augur is being deployed somewhere between the aggressive and conservative approach to render a clean verdict. Also, for ESET consumer products, the malicious confidence factor is 90%, or high level.

But as I said, even if the execution of a file in the LiveGuard sandbox doesn't seem malicious, it doesn't mean the file might not be malicious. What if malware researchers find it malicious? Technology is constantly evolving, but nothing is perfect, no matter how many times we say this is perfect or that is perfect. The only perfect things are the signatures created by malware analysts, which are very thoroughly checked by them. But that being said, it's known that checking every file via malware researchers is not at all possible. Hence, we need to trust different technologies but should not be completely dependent on them 100%.


27 minutes ago, hellosky11 said:

The only perfect things are the signatures created by malware analysts, which are very thoroughly checked by them

500,000+ new malware samples are created on a daily basis. Assume a chunk of those are variants. AV vendors only have the resources to manually handle the prevalent ones in the wild.


23 minutes ago, hellosky11 said:

My wild guess is that PUP/PUA would be based on signatures created by malware researchers

No, they're blacklist detections.

Using a URL you posted in the other thread as an example, it was first classified as suspicious:

Time;URL;Status;Detection;Application;User;IP address;Hash

9/22/2024 12:24:16 PM;https://pladyzone.cyou;Blocked;PUA blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;2606:4700:3037::6815:37fd;BF6FE3B2F9E7FF98FB025182DFFBF7298BD348BF

Later, presumably after manual review, it was classified as phishing:

Time;URL;Status;Detection;Application;User;IP address;Hash

9/22/2024 2:20:09 PM;https://pladyzone.cyou;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxxx;2606:4700:3031::ac43:aed5;BF6FE3B2F9E7FF98FB025182DFFBF7298BD348BF

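The two log records above are in the semicolon-separated format of ESET's filtered-websites log export. As an added example (not code from this thread or from ESET), here is a small Python parser that groups such records by URL and reports URLs whose detection category changed over time, as this one did from "PUA blacklist" to "Anti-Phishing blacklist"; the embedded sample is just the two records quoted above.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two records quoted in the post above, in the
# semicolon-separated export format (header line first). Raw string so the
# Windows paths keep their backslashes.
SAMPLE_LOG = r"""Time;URL;Status;Detection;Application;User;IP address;Hash
9/22/2024 12:24:16 PM;https://pladyzone.cyou;Blocked;PUA blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;2606:4700:3037::6815:37fd;BF6FE3B2F9E7FF98FB025182DFFBF7298BD348BF
9/22/2024 2:20:09 PM;https://pladyzone.cyou;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxxx;2606:4700:3031::ac43:aed5;BF6FE3B2F9E7FF98FB025182DFFBF7298BD348BF
"""


def parse_eset_log(text):
    """Parse the export into a list of dicts, converting Time to a datetime.

    The Time column uses a US-style 12-hour clock ("9/22/2024 2:20:09 PM").
    """
    rows = list(csv.DictReader(text.splitlines(), delimiter=";"))
    for row in rows:
        row["Time"] = datetime.strptime(row["Time"], "%m/%d/%Y %I:%M:%S %p")
    return rows


def detection_history(rows):
    """Map each URL to the chronological list of detection names logged for it."""
    by_url = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["Time"]):
        by_url[row["URL"]].append(row["Detection"])
    return dict(by_url)


def reclassified_urls(rows):
    """Return only the URLs whose detection category changed between events.

    A change such as "PUA blacklist" -> "Anti-Phishing blacklist" is the
    signal an analyst would want surfaced when reviewing a batch of events.
    """
    return {url: dets for url, dets in detection_history(rows).items()
            if len(set(dets)) > 1}


if __name__ == "__main__":
    for url, dets in reclassified_urls(parse_eset_log(SAMPLE_LOG)).items():
        print(url, "->", " then ".join(dets))
```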

5 hours ago, hellosky11 said:

Oh man! This statement of mine was not related to the URL but was a general thing!

An Eset real-time suspicious detection is either a LiveGrid or local blacklist detection.


We have a sample that ESET is not detecting; it has been submitted multiple times. Some nasty pop-up messages; it changes your theme and signs you out of your account. I don't think it's very malicious, just messing with your system.

Hash: e2e73189fc716657384ea41fc20002ad4eb2a458870ddd3aa673033e8633d987

Pinkyware.exe

Just some screenshots (images not reproduced here)

Edited by QuickSilverST250

Sharing hashes of fake Android antivirus apps downloaded from the Samsung store; all the apps are developed by the same vendor/person.

 

hashes:

Samples can be downloaded from VirusTotal.
 
I sent the hashes directly to Bitdefender, Dr.Web, Avira, Avast and Norton, and they all have created detections, but ESET still has not.

1 hour ago, QuickSilverST250 said:

Hash: e2e73189fc716657384ea41fc20002ad4eb2a458870ddd3aa673033e8633d987

Pinkyware.exe

There are 27 vendor detections for it at VirusTotal with most of them being Trojan detections.


  • Administrators
1 hour ago, hellosky11 said:

Sharing hashes of fake Android antivirus apps downloaded from the Samsung store; all the apps are developed by the same vendor/person.

We’ve checked one of them so far, and it turned out to be clean or, at most, grayware. We won't add a detection.


4 hours ago, Marcos said:

We’ve checked one of them so far, and it turned out to be clean or, at most, grayware. We won't add a detection.

Are you telling me that the app is really an antivirus, and that too for all 4 from the same vendor...

 

As per Norton (screenshot not reproduced here)

 

At least it should then be detected as PUP/PUA, because no detection means the antivirus is valid. If I install that antivirus and run an Android ransomware and my files get encrypted, what will ESET have to say about it? That it's grayware and not malicious? If so, then why were the antivirus apps not able to protect me?


31 minutes ago, hellosky11 said:

Are you telling me that the app is really an antivirus, and that too for all 4 from the same vendor.

Fake AVs can be a security threat:

Quote

Fake antivirus software is one of the most persistent threats on the internet today. It masquerades as legitimate malware protection, but is actually a malicious software that extorts money from you to “fix” your computer. And often, this new antivirus program disables your legitimate security software that you already have, making it challenging to remove.

A rogue antivirus program will often hook you while you're browsing the web by displaying a popup window claiming that your computer may be infected with various online threats. Often, the popup includes a phishing link to download security software that offers to solve the problem, or redirects you to a site that sells the fake antivirus application. It is also often called scareware, since the hackers use messages like "You have a virus" as a way to get you to click on their message.

Because having an infected operating system usually means lost data, time, and money, most of us are eager to get rid of any potential problems right away. However, our eagerness to act without conducting proper research is what makes fake antivirus software so successful.

Once you click on the phishing link in the popup and enter your credit card details for the “purchase,” the hackers behind this threat now have your financial data to exploit. Not only can they use this data to conduct identity theft, but you’re also left with nothing but malware in return.

https://www.mcafee.com/learn/fake-antivirus-software/

The above noted, since ESET has reviewed this sample, it can be assumed it does not fall into the malware category.

Edited by itman

  • Administrators

We've analyzed all files and decided not to add detection. It appears to be a kind of PoC for deep learning malware detection, possibly with many false positives. It doesn't seem to be the intention of the maker to fool people into purchasing a product that would not actually detect malware.
