R4ys, posted September 21:

I submitted a sample manually to ESET LiveGuard. Where can I see the status of the sample submitted to ESET? I am using Smart Home Security.
Marcos (Administrator), posted September 22:

If the sample was evaluated by ESET LiveGuard as malicious, it would have been detected and blocked. Otherwise it was evaluated as clean / not suspicious enough.
hellosky11, posted September 22:

LiveGuard cannot always evaluate whether a file is malicious or not. It may not have detected the file as malicious, but if it were submitted to malware researchers, they might identify it as malware. One cannot fully depend on LiveGuard or ML Augur detection; what seems non-malicious to them may appear malicious to malware researchers, correct?
hellosky11, posted September 22 (edited):

ML Augur is machine learning-based. What about LiveGuard? Is it cloud-based detection? And is HIPS the behavior-based detection?
itman, posted September 22 (edited):

Quoting hellosky11 (1 hour ago): "One cannot fully depend on LiveGuard or ML Augur detection; what seems non-malicious to them may appear malicious to malware researchers, correct?"

You can read about Augur processing here: https://www.welivesecurity.com/2017/06/20/machine-learning-eset-road-augur/ . Of note is:

Quote: "The group of classification algorithms has two possible setups: The more aggressive one will label a sample as malicious if most of the six algorithms vote it as such. This is useful mainly for IT staff using ESET Enterprise Inspector, as it can flag anything suspicious and leave the final evaluation of the outputs to a competent admin. The milder, or more conservative, approach declares a sample clean if at least one of the six algorithms comes to such a conclusion. This is useful for general purpose systems with a less expert overview."

My assumption is that in ESET consumer products, Augur is deployed somewhere between the aggressive and conservative approach to render a clean verdict. Also, for ESET consumer products, the malicious confidence factor is 90%, or high level.
itman, posted September 22:

Quoting hellosky11 (1 hour ago): "LiveGuard cannot always evaluate whether a file is malicious or not."

The main issue with LiveGuard is that it is in essence a cloud sandbox. Malware can deploy detection-evasion tactics, one of which is checking whether it is running in a sandbox, VM, etc., and then not running at all, or not running with malicious behavior.
hellosky11, posted September 22:

Quoting itman: "You can read about Augur processing here: https://www.welivesecurity.com/2017/06/20/machine-learning-eset-road-augur/ . Of note is:"

I have read it already in the past.

Quoting itman: "My assumption is that in ESET consumer products, Augur is deployed somewhere between the aggressive and conservative approach to render a clean verdict. Also, for ESET consumer products, the malicious confidence factor is 90%, or high level."

But as I said, even if the execution of a file in the LiveGuard sandbox doesn't seem malicious, it doesn't mean the file isn't malicious. What if malware researchers find it malicious? Technology is constantly evolving, but nothing is perfect, no matter how many times we say this is perfect or that is perfect. The only things that are perfect are the signatures created by malware analysts, which are very thoroughly checked by them. But that being said, it's known that checking every file via malware researchers is not at all possible. Hence, we need to trust different technologies, but we should not be completely dependent on them 100%.
itman, posted September 22:

Quoting hellosky11 (27 minutes ago): "The only things that are perfect are the signatures created by malware analysts, which are very thoroughly checked by them."

500,000+ new malware samples are created on a daily basis. Assume a chunk of those are variants. AV vendors only have the resources to manually handle the prevalent ones in the wild.
hellosky11, posted September 22:

My wild guess is that PUP/PUA would be based on signatures created by malware researchers, if I'm not mistaken. Since they are not malware, @Marcos, any thoughts?
itman, posted September 22:

Quoting hellosky11 (23 minutes ago): "My wild guess is that PUP/PUA would be based on signatures created by malware researchers."

No, they're blacklist detections. Using a URL you posted in the other thread as an example, it was first classified as suspicious:

Time;URL;Status;Detection;Application;User;IP address;Hash
9/22/2024 12:24:16 PM;https://pladyzone.cyou;Blocked;PUA blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;2606:4700:3037::6815:37fd;BF6FE3B2F9E7FF98FB025182DFFBF7298BD348BF

Later, presumably after manual review, it was classified as phishing:

Time;URL;Status;Detection;Application;User;IP address;Hash
9/22/2024 2:20:09 PM;https://pladyzone.cyou;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxxx;2606:4700:3031::ac43:aed5;BF6FE3B2F9E7FF98FB025182DFFBF7298BD348BF
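The two log entries above show the same URL moving from a "PUA blacklist" to an "Anti-Phishing blacklist" verdict. As an added example (not code from the thread or from ESET), here is a small parser for that semicolon-separated log layout that groups entries by URL and reports which URLs were reclassified over time; the sample log is constructed from the two entries in the post plus one placeholder row, and the Hash column is treated as the hash of the reporting application, since it is identical across both entries for firefox.exe.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample in the layout of the log quoted in the post.
# Rows 1 and 3 are the two real entries; row 2 is an obvious placeholder.
SAMPLE_LOG = r"""Time;URL;Status;Detection;Application;User;IP address;Hash
9/22/2024 12:24:16 PM;https://pladyzone.cyou;Blocked;PUA blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;user;2606:4700:3037::6815:37fd;BF6FE3B2F9E7FF98FB025182DFFBF7298BD348BF
9/22/2024 1:05:40 PM;https://example.invalid;Blocked;PUA blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;user;2001:db8::1;BF6FE3B2F9E7FF98FB025182DFFBF7298BD348BF
9/22/2024 2:20:09 PM;https://pladyzone.cyou;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;user;2606:4700:3031::ac43:aed5;BF6FE3B2F9E7FF98FB025182DFFBF7298BD348BF
"""

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # 12-hour clock with AM/PM, as in the log


def parse_log(text):
    """Parse the semicolon-delimited log into dicts; 'Time' becomes a datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text), delimiter=";"):
        row["Time"] = datetime.strptime(row["Time"], TIME_FORMAT)
        rows.append(row)
    return rows


def detection_history(rows):
    """Map each URL to its chronologically ordered list of (time, detection)."""
    by_url = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["Time"]):
        by_url[row["URL"]].append((row["Time"], row["Detection"]))
    return dict(by_url)


def reclassified_urls(rows):
    """Return only the URLs whose detection name changed between log entries."""
    return {url: hist for url, hist in detection_history(rows).items()
            if len({det for _, det in hist}) > 1}


def latest_verdict(rows):
    """Return the most recent detection name recorded for each URL."""
    return {url: hist[-1][1] for url, hist in detection_history(rows).items()}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for url, hist in reclassified_urls(entries).items():
        chain = " -> ".join(f"{det} ({t:%H:%M})" for t, det in hist)
        print(f"{url}: {chain}")
```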
hellosky11, posted September 23:

Oh man!!! This statement of mine was not related to URLs but was a general thing!
itman, posted September 23:

Quoting hellosky11 (5 hours ago): "Oh man!!! This statement of mine was not related to URLs but was a general thing!"

An ESET real-time suspicious detection is either a LiveGrid or a local blacklist detection.
QuickSilverST250, posted September 26 (edited):

We have a sample that ESET is not detecting, and it has been submitted multiple times. Some nasty pop-up messages; it changes your theme and signs you out of your account. I don't think it's very malicious, just messing with your system.

Hash: e2e73189fc716657384ea41fc20002ad4eb2a458870ddd3aa673033e8633d987 Pinkyware.exe

Just some screenshots.
hellosky11, posted September 26:

Sharing hashes of fake Android antivirus apps downloaded from the Samsung store; all the apps are developed by the same vendor/person.

Hashes:
0a8c7cfac04a4b0b094e75bd4d3ab34da1d0cab8895c6ec407a23c1d33a42aa3
f0cae7ef86c212b8dc863b78bda9f8f45706243b44b6fa71a9f390c4292ce163
c30b793c60793ae6c04f81ba787d63abe447fcbcf1a2b8efaa19b1029c4c129a
cd4eb4192a1dad86297dc4241ee7dcde871aa3915db816071a715d7d3723d02a

Samples can be downloaded from VirusTotal. I sent the hashes directly to Bitdefender, Dr.Web, Avira, Avast and Norton, and they all have created detections, but ESET still has not.
itman, posted September 26:

Quoting QuickSilverST250 (1 hour ago): "Hash: e2e73189fc716657384ea41fc20002ad4eb2a458870ddd3aa673033e8633d987 Pinkyware.exe"

There are 27 vendor detections for it at VirusTotal, with most of them being Trojan detections.
Marcos (Administrator), posted September 26:

Quoting hellosky11 (1 hour ago): "Sharing hashes of fake Android antivirus apps downloaded from the Samsung store; all the apps are developed by the same vendor/person."

We've checked one of them so far, and it turned out to be clean or, at most, grayware. We won't add a detection.
QuickSilverST250, posted September 26:

Quoting itman (2 hours ago): "There are 27 vendor detections for it at VirusTotal, with most of them being Trojan detections."

Sent the sample to the virus labs; it's detecting it now as badjoke.
hellosky11, posted September 26:

Quoting Marcos (4 hours ago): "We've checked one of them so far, and it turned out to be clean or, at most, grayware. We won't add a detection."

Are you telling me that the app is really an antivirus, and that too for all 4 from the same vendor? As per Norton, at least, it should then be detected as PUP/PUA, because no detection means the antivirus is valid. And if I install that antivirus and run an Android ransomware and my files get encrypted, what will ESET have to say about it? That it's grayware and not malicious? If so, then why were the antivirus apps not able to protect me?
itman, posted September 26 (edited):

Quoting hellosky11 (31 minutes ago): "Are you telling me that the app is really an antivirus, and that too for all 4 from the same vendor?"

Fake AVs can be a security threat:

Quote: "Fake antivirus software is one of the most persistent threats on the internet today. It masquerades as legitimate malware protection, but is actually malicious software that extorts money from you to "fix" your computer. And often, this new antivirus program disables your legitimate security software that you already have, making it challenging to remove. A rogue antivirus program will often hook you while you're browsing the web by displaying a popup window claiming that your computer may be infected with various online threats. Often, the popup includes a phishing link to download security software that offers to solve the problem, or redirects you to a site that sells the fake antivirus application. It is also often called scareware since the hackers use messages like "You have a virus," as a way to get you to click on their message. Because having an infected operating system usually means lost data, time, and money, most of us are eager to get rid of any potential problems right away. However, our eagerness to act without conducting proper research is what makes fake antivirus software so successful. Once you click on the phishing link in the popup and enter your credit card details for the "purchase," the hackers behind this threat now have your financial data to exploit. Not only can they use this data to conduct identity theft, but you're also left with nothing but malware in return."
https://www.mcafee.com/learn/fake-antivirus-software/

The above noted, since ESET has reviewed this sample, it can be assumed it does not fall into the malware category.
Marcos (Administrator), posted September 27:

We've analyzed all files and decided not to add a detection. It appears to be a kind of PoC for deep-learning malware detection, possibly with many false positives. It doesn't seem to be the intention of the maker to fool people into purchasing a product that would not actually detect malware.
hellosky11, posted September 27:

What about this Roblox scam extension?

Hash: fd6794db91cdb6d6eb003b4aa6a2a0cdc32934098946cf3fbeb0ca3483538414
VT: https://www.virustotal.com/gui/file/fd6794db91cdb6d6eb003b4aa6a2a0cdc32934098946cf3fbeb0ca3483538414?nocache=1