
Archived

This topic is now archived and is closed to further replies.

EsetFan

Why Eset doesn't detect this?


Well, I was bored so I wrote a very basic virus, or whatever you name it, in VB.NET.

Simply, it destroys Windows; it deletes important files which make Windows run, plus it stops Security Center and Windows Firewall.

When I did a scan on it with ESET SS v6 with the latest updates, it showed me that the file is clean.

I didn't encrypt the file or do anything.

However, I created a worm recently which spread by sending itself via email, and ESET detected it as a worm.

I'm willing to send it to ESET for analysis, but in v6 I can't see anything related to that. I'll upgrade again to v7 and will send it, but I'll edit it a little so it can't harm you: I'll put the code into a button instead of form load.

 

File scan on Virustotal


I have a few questions about this.

What version of Visual Studio did you make this in?

What version of .NET framework did you use?

Is this a standalone single-form exe with code behind?

Where did you place the exe on the drive when scanning?

Did you actually execute it while being protected by NOD32?

What options did you have selected on NOD32?

Did you try uploading it to a website and downloading it to see if it was caught in a download process?

Are you using any functions and calling them, or just straight code?

How large is the file?

What is the first malicious action it performs based on your list of things?

Would your code be caught if it was converted to a vbs file instead??? Please check.

I would almost feel more comfortable with some of these answers sent in a PM instead of public.

I don't need any code, because I could write the same thing. Just my questions answered :P

Call it "too busy and lazy to try". :ph34r:

Thank you Eset_fan!


So you're publicly admitting to have created malware which might be considered a crime if you spread it and the malware performs malicious actions on victims' computers. If you don't spread it and the malware exists only on your computer, that answers why it's not detected by ESET.



 

1. Visual Studio 2010 Professional

2. .NET framework 2.0

3. Yes

4. I scanned it from the place where VB executes files (Bin/debug)

5. Yes, by the way I'm using Smart Security ;)

6. Nope, because as I can see it's not detected.

7. Straight code. The very basic.

8. 20kb

9. Disabling firewall

10. Tried, didn't detect.

Thank you.

 

 

So you're publicly admitting to have created malware which might be considered a crime if you spread it and the malware performs malicious actions on victims' computers. If you don't spread it and the malware exists only on your computer, that answers why it's not detected by ESET.

 

Well, my point: why doesn't ESET detect it as a virus? I'm not willing and never tried to harm anyone.

But I want to know something: doesn't ESET (or any antivirus) check a file's code or behavior? It uses very basic code which anyone can write and infect anyone with, since it's not detected. I was shocked when I saw the virus scan on Virustotal about this virus.

I thought it would be detected by all antiviruses, but it's not. Too bad simple code can bypass the biggest antiviruses.

I WILL NEVER SPREAD THIS FILE SINCE I'M NOT A HACKER OR ACTING LIKE KIDS WHO ARE INFECTING USERS.

I can PM you all the code for the VB.NET which can harm a PC if you want, since I wouldn't like to post something that anyone else could use to harm people without right.


A few things which might debunk your virus and why it wasn't detected....

You would need to provide screenshots for proof.

We know the saying "Pics or it didn't happen" :)

It should not have to spread to be detected; the engine should catch malicious activity.

This is why Eset catches more in-the-wild virii than any other software solution.

Here is why you may not be catching it.

See attached pics . . .

 

 


These pics show options for threat sense, as well as real time and scheduled scanning.

I'm not positive because of my habits, but most of these are default settings that would need to be changed based on user behavior etc.

-Advanced heuristics /dna/ smart sigs

-Runtime packers

-Object settings/ Object size (default settings)

-Enable detection of p unsafe a's

Are among a few that would need to be adjusted based on your 20kb file.

 

 

I would also be interested in moving the exe out of the bin folder and onto the root of C: prior to scan.

Just thinking out loud. . .

Guest claudiu

Hi Marcos,

 

 "If you don't spread it and the malware exists only on your computer, that answers why it's not detected by ESET"

 

No, this doesn't answer why ESET did not detect it! This is a typical "zero day", and one of the ESET shields should react somehow.

 



 

Guest_claudiu_*

My two posts above explain why it wasn't detected. "We have not had a response back from the coder"

Your comment was definitely not required, bearing the obtrusive nature of the response.

Marcos has assisted with Eset customers for years on Wilders and has been a dominant support on these forums, providing more help than anyone.

In regards to Threatsense his post is accurate. <_<


I'm curious why you created this, to test ESET's Generic and/or Heuristics detection capability, or?

 

As for the VT detections, as far as I can see all of them are Generic detections (expected), but you thought that almost all vendors on VT would detect this....

I was shocked when I saw the virus scan on Virustotal about this virus.

I thought it would be detected by all antiviruses, but it's not. Too bad simple code can bypass the biggest antiviruses.

 


 


 

If he is who I think he is, then he has been on the Prevx/Webroot section on Wilders asking and claiming all sorts of stuff. And even the new official Webroot forum as well, and now he has found the ESET Forum :P Just so you know.


Not that I really care about this, but if you like to play around...... I see on the GIF that you use V6 (also you didn't actually execute the file as far as I can see?), but you could download the V7 BETA, execute the "malware" and see if the new Advanced Memory Scanner reacts to it.


 

 


 

 

Nope, not right. I've never used Webroot or even tried to use it, and never gone to their forum.

I just wonder why ESET doesn't detect this simple malware when it can detect very harmful malware. That's my point.


 

 

 


 

 

 

You still kept the freaking default size checked.

Uncheck that, and place a 1 byte file detection and greater. You had a few other options unchecked too.

Not that I want my hand held, but do it right.

Also,

That could be a file that restarts the computer for all I know rofl.

 


Also,

 

That could be a file that restarts the computer for all I know rofl.

On Error Resume Next
Dim FileToDelete As String = EsetFan
StopService("EsetFan")
My.Computer.Registry.LocalMachine.DeleteSubKey("EsetFan")

System.IO.File.Delete("FileToDelete")

 

LOL
 


Well, I'm not joking, I can send you the file and you will see how it pain in the

when you will have to install Windows again

Guest claudiu

"Your comment was definitely not required, bearing the obtrusive nature of the response.

Marcos has assisted with Eset customers for years on Wilders and has been a dominant support on these forums, providing more help than anyone"

Hi Arakasi,

A comment is just a comment - required or not!

And yes, "Marcos has assisted with Eset customers for years on Wilders and has been a dominant support on these forums, providing more help than anyone", but this doesn't mean we cannot comment regarding what he is saying....

If "malware exists only on your computer, that answers why it's not detected by ESET" is, at least, a hilarious answer.

As you can see from: https://www.virustotal.com/en/file/c3b9c787417ade0f8e2a5787504a0c68833f98c3c97fae9af6f5588ac848dd10/analysis/1377337238/

the "home made" malware has been detected by the Avira engine as well as the BitDefender engine, even though that malware existed only on the OP's computer and not in the wild.

In the end, this is how your PC should be protected against "zero day" malware.

From hxxp://en.wikipedia.org/wiki/Zero-day_virus

A Zero day virus is a previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available.

 

 


Well, I'm not joking, I can send you the file and you will see how it pain in the ######

when you will have to install Windows again

I would not have to install Windows again rofl.

I would repair the damages manually. You have so much evil intent in your words; I am done speaking in this thread.

Good day EsetFan

Plus you're making malicious virii, highly illegal.

 

Good day to you as well claudiu


I have to agree with claudiu. This is my exact point of this thread, so please keep joking out of it.

In short, I mean if someone else made something like this and I'm being protected by ESET, I can still be infected by such malware.

By the way @Arakasi, you won't be able to run in safe mode; this disables safe mode too.


Antivirus companies should detect actual threats, not just lab-made ones intended for studying or presenting one's skills. If a threat makes it out of a lab, it definitely deserves to be detected so that users are protected against it. We've been seeing a lot of actual zero-day threats endangering users that were detected only by ESET while all other big vendors missed them (of course, some might have been detected and blocked by behavioral blockers but they are not used on mail servers or gateways so the overall protection is not 100% equal to what ESET provides).

Since everything has been said and explained, we'll draw this thread to a close.
