Posted

Hello,

ESET is blocking https://safebrowsing.google.com/safebrowsing/report_phish/?tpl=mozilla&url=https%3A%2F%2Fhightvproduct.com%2F but not the malicious site itself. This happens in Edge. In Firefox nothing at all is blocked.

Happens for two pages at least, this one as well: https://passesandbadgets.shop/?

Both were advertised by spam emails. Similar issue in Outlook: The links in emails from trustworthy senders are detected as malicious links/websites but the spam detection still says the email is trustworthy, although the links are detected as bad ...

Are these bugs? I suspect so.

Best Regards,

image.png

  • Administrators
Posted

Works for me although the website was already shut down. Couldn't it be that you disabled antiphishing?

image.png

image.png

As for spam emails, ESET for MS Exchange as well as ESET Cloud Office Security for Microsoft365 can check links in scanned email messages.

Posted (edited)

Both sites worked for me some minutes ago so I would be surprised if it's shut down already.

No, web access protection and anti phishing are enabled:

image.png.b5eea44ace972f1116a6dd4a4feb7e6f.png

Regarding the spam emails: I checked them with the Outlook desktop app plug-in/add-on of ESET in combination with a free email account provider (no MS365 mail account). No SPAM prefix added. When I click on the email, malicious links/http requests are detected (and blocked). So I would suspect if that happens, the email should be flagged as well.

Edited by warg
  • Administrators
Posted

The email plug-in supports only Microsoft Outlook, not the new Outlook. Moreover, checking links in email is supported only on MS Exchange and by ECOS (https://help.eset.com/ecos/en-US/). If you have come across an undetected spam message, you can supply it to me in the eml or msg format so that I can check it and possibly report it to the antispam department.

Posted

Regarding the Outlook spam issue: I think we might mean 2 different things. You refer to "checking links" as in "checking the target/host of the link whether e. g. the website contains bad software" while I mean "checking links" in the sense of checking against an ESET blacklist. So in my case when I open a malicious email, HTTP requests towards hosts on the blacklist are done, e. g. HTTP requests for requesting images from a blocked domain. ESET detects the HTTP request for the images on the remote URL and blocks that. My expectation would be: If the antispam routine doesn't detect spam but ESET detects HTTP requests from an email towards a malicious hostname, then the email gets classified as SPAM or infected (one of the two). None of that happened. The sender was legitimate but the content of the email wasn't.

For the phishing protection in the browser: Any clue why neither Edge nor Firefox block the pages while the ESET setting is active and the "report phishing" page of Mozilla (with the URL in the GET parameter) is blocked? According to VirusTotal both pages were detected/blocked by ESET.

  • Administrators
Posted

While antispam checks links in scanned messages too, a link blacklisted by the AV may not be blacklisted by the antispam and vice-versa. Additional checking links in email messages is supported only by ESET for MS Exchange Server and ECOS:

image.png

Also it is not clear what version of Outlook you use; antispam is supported only in Microsoft Outlook. However, if you click a link in an email message, it will open in a browser and if it's blacklisted by ESET, access to the website will be blocked.

Posted
5 minutes ago, Marcos said:

Also it is not clear what version of Outlook you use;

I'm using the Outlook desktop version delivered by Microsoft 365 Apps for Enterprise (previously Office 365 for Businesses/Enterprises) alias the classical Outlook app, not the new one (toggle of the new Outlook app is disabled). In general the plug-in works as it classifies other emails as spam. I just thought that if an email is causing HTTP requests in Outlook towards malicious URLs and that is detected by ESET (I got warning popups from ESET on my desktop telling me that some requests were blocked). So I think from what you write/I did understand the issue is that whether the AV blocks some HTTP requests doesn't cause any interaction in Outlook for the email object. I thought that if it's not detected as spam, it should move the email at least into ESET's "Found objects" but that likely just happens if an attachment is classified as malware and not the link in some remote embedded image of an email. So that would make sense why ESET didn't move/classify the email. Besides that, I might submit the spam email in the next few days to ESET to improve the antispam filter.

Posted

I noticed something strange with this non-expected behavior of ESET in Firefox browser: When I visit blocked domains on top level (e. g. no subdomains or with any GET parameters) they are sometimes not blocked by ESET and sometimes they are. This happens in Firefox. Could it be that the ESET protection either fails at handling hxxp:// vs. https:// blacklisted URLs the same or maybe it fails at redirects? It even makes a difference sometimes when I drag and drop the URL from the URL input field of my browser into a new tab.

Posted (edited)

Whatever causes it, but I found a way to reproduce it:

1. Open a Firefox session with no cache/temporary content and visit hxxps://passesandbadgets.shop (no warning triggered)

2. Press CTRL + F5.

3. A warning of ESET is triggered. Afterwards each call is found as being blacklisted.

Same for other domains. So for some reason the initial calls towards the blacklist fail or it's badly cached as positive result somewhere.

Edited by warg
Posted
17 minutes ago, warg said:

1. Open a Firefox session with no cache/temporary content and visit hxxps://passesandbadgets.shop (no warning triggered)

No problem here using Firefox;

Eset_Phish.thumb.png.e064f904f7f22f08ea128522fd9fb53a.png

Posted
5 minutes ago, itman said:

No problem here using Firefox;

Would speak for some caching issue at the blacklist/validation. When I try the TV site (see my initial post for URL) in Edge, it's first blocked with a warning but CTRL + F5/refresh unblocks it there. So in Edge it's the opposite behavior compared to Firefox.

Posted

I opened support ticket #00853409 on this. Let's see what they find as the root cause for this.

  • Administrators
Posted
On 11/10/2024 at 11:01 PM, warg said:

Whatever causes it, but I found a way to reproduce it:

1. Open a Firefox session with no cache/temporary content and visit hxxps://passesandbadgets.shop (no warning triggered)

2. Press CTRL + F5.

3. A warning of ESET is triggered. Afterwards each call is found as being blacklisted.

Same for other domains. So for some reason the initial calls towards the blacklist fail or it's badly cached as positive result somewhere.

No problem here either. If you can reproduce it, please carry on as follows:

  1. Enable advanced logging under Help and support -> Technical support
  2. Reproduce the issue
  3. Stop logging
  4. Collect logs with ESET Log Collector and upload the generated archive here.

As for the detection of phishing links in the email body by the AV scanner (i.e. not by antispam), it should be feasible from a technical point of view so there's a good chance it will be added some time later.
