Failed to detect new instance of same file?


haioken

Hi ESET Community,

ESET AU support is taking a little bit longer than I'd like to get back to me (because I'm admittedly rather impatient.)

I am currently investigating rolling out ESET EndPoint antivirus to a domain of 50+ computers.

We have a document containing what ESET identifies as Win32/Kryptik.EMBF that I'm currently using for testing, as we had a PC recently infected via this document.

When emailed to me yesterday, this document was collected from my email and moved to infected items (which I expect). The copy in a folder on my desktop was also picked up and removed when accessing the directory in question.

I subsequently installed EndPoint antivirus on my manager's machine with the same policies, and did the same as a demonstration; however, unfortunately, it was not picked up in his email, nor in a folder on his desktop.

What is more worrying is that my manager has re-sent the file to me today, and while it was previously detected on this PC, in this case it was not detected by ESET EndPoint Security. I have also saved and opened the infected document with no interference from ESET.

  • No alterations have been made to the configuration of my PC
  • The item has not been marked as safe
  • No directories are ignored
  • Email scanning is enabled
  • Realtime protection is enabled
  • Document scanning is enabled
  • Both PUA options are enabled
  • Detection of suspicious applications is enabled

Scanning the file manually, the log entries are as follows:

Log

Scan Log
Version of virus signature database: 13493 (20160515)
Date: 16/5/2016  Time: 12:39:57 PM
Scanned disks, folders and files: C:\Users\haydenk\Desktop\instra.com_order_info.doc
Number of scanned objects: 1
Number of threats found: 0
Time of completion: 12:39:57 PM  Total scanning time: 0 sec (00:00:00)


  • Administrators

Hello,

1. Win32/Kryptik detection is not a detection name for doc files but PE files. Please upload the file to a safe location and PM me the download link (maybe providing a hash would suffice).

2. Malicious doc files contain a macro that is removed during the cleaning. It could be that the doc file has already been cleaned and you then scanned a benign file that had no malicious code inside.

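The check the administrator's reply points to, as an added example that is not part of the original thread or ESET's tooling: hash both copies to see whether the re-sent document is the same file as the one that was detected, and look for the VBA project entry to see whether a copy still carries a macro. The byte search for the marker is a heuristic assumption rather than a parse of the file, the function names are hypothetical, and the sample bytes are constructed.

```python
import hashlib

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # OLE2 compound file header (.doc, .xls)
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # directory entry name of the VBA project stream


def triage(data: bytes) -> dict:
    """Hash one copy and note whether it looks like an OLE2 file with a VBA project."""
    is_ole = data.startswith(OLE_MAGIC)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_ole": is_ole,
        # Heuristic only: a byte search, not a parse of the directory structure.
        "has_vba": is_ole and VBA_MARKER in data,
    }


def compare(first: bytes, second: bytes) -> str:
    """Say whether two copies are the same file, and whether the macro marker went away."""
    a, b = triage(first), triage(second)
    if a["sha256"] == b["sha256"]:
        return "identical"
    if a["has_vba"] and not b["has_vba"]:
        return "different: macro marker missing from second copy"
    return "different"


def make_sample(with_macro: bool) -> bytes:
    """Constructed stand-in bytes, not a real document and not the file from this thread."""
    body = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    if with_macro:
        body += b"\x00" * 32 + VBA_MARKER
    return body


if __name__ == "__main__":
    original = make_sample(with_macro=True)   # stands in for the copy that was detected
    resent = make_sample(with_macro=False)    # stands in for the copy that scanned clean
    for label, blob in (("original", original), ("re-sent", resent)):
        print(label, triage(blob))
    print(compare(original, resent))
```

On real files, pass `pathlib.Path(path).read_bytes()` for each copy; a differing SHA-256 means the scan that found nothing was run on a different file from the one that was detected.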

This topic is now closed to further replies.