haioken Posted May 16, 2016

Hi ESET Community,

ESET AU support is taking a little bit longer than I'd like to get back to me (because I'm admittedly rather impatient.)

I am currently investigating rolling out ESET Endpoint Antivirus to a domain of 50+ computers. We have a document containing what ESET identifies as Win32/Kryptic.EMBF that I'm currently using for testing, as we had a PC recently infected via this document.

When emailed to me yesterday, this document was collected from my email and moved to infected items (which I expect). The copy in a folder on my desktop was also picked up and removed when accessing the directory in question.

I subsequently installed Endpoint Antivirus on my Manager's machine with the same policies, and did the same as a demonstration; however, unfortunately, it was not picked up in his email, nor in a folder on his desktop.

What is more worrying is that my manager has re-sent the file to me today, and while it was previously detected on this PC, in this case it was not detected by ESET Endpoint Security. I have also saved and opened the infected document with no interference from ESET.

No alterations have been made to the configuration of my PC:
- the item has not been marked as safe
- no directories are ignored
- Email scanning is enabled
- Realtime protection is enabled
- Document scanning is enabled
- Both PUA options are enabled
- Detection of suspicious applications is enabled.

Scanning the file manually, the log entries are as follows:

Log
Scan Log
Version of virus signature database: 13493 (20160515)
Date: 16/5/2016 Time: 12:39:57 PM
Scanned disks, folders and files: C:\Users\haydenk\Desktop\instra.com_order_info.doc
Number of scanned objects: 1
Number of threats found: 0
Time of completion: 12:39:57 PM Total scanning time: 0 sec (00:00:00)
Marcos (Administrator) Posted May 17, 2016

Hello,

1. Win32/Kryptik detection is not a detection name for doc files but PE files. Please upload the file to a safe location and pm me the download link (maybe providing a hash would suffice).

2. Malicious doc files contain a macro that is removed during the cleaning. It could be that the doc file has already been cleaned and you then scanned a benign file that had no malicious code inside.
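An added triage check, not from this thread and not ESET's code, that a defender can run on the original copy and on the re-sent copy to test the explanation above: it hashes each file (the hash Marcos asks for) and looks for the OLE storage names that hold a VBA project, so a copy whose macro was stripped during cleaning shows a different hash and no VBA markers. The sample bytes are constructed, and the UTF-16LE string search is a quick heuristic, not a full OLE parser.

```python
import hashlib

# Magic bytes of an OLE2 compound file (legacy .doc/.xls) and of a ZIP
# container (OOXML .docm/.docx).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# OLE directory entries store stream/storage names as UTF-16LE, so the storage
# names that hold a VBA project are searched for in that encoding.
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros", "_VBA_PROJECT_CUR")]
# OOXML keeps the macro blob in a zip member whose name appears in plain ASCII.
OOXML_VBA_MARKERS = [b"vbaProject.bin"]


def triage_document(data: bytes) -> dict:
    """Report container type, any VBA storage names found and the SHA-256 of the bytes."""
    if data.startswith(OLE_MAGIC):
        container = "ole2"
        markers = [m.decode("utf-16-le") for m in OLE_VBA_MARKERS if m in data]
    elif data.startswith(ZIP_MAGIC):
        container = "ooxml"
        markers = [m.decode() for m in OOXML_VBA_MARKERS if m in data]
    else:
        container = "unknown"
        markers = []
    return {"container": container, "vba_markers": markers,
            "sha256": hashlib.sha256(data).hexdigest()}


def compare_copies(original: bytes, resent: bytes) -> dict:
    """Does the re-sent copy differ from the original, and did its VBA storage disappear?"""
    a, b = triage_document(original), triage_document(resent)
    return {"same_hash": a["sha256"] == b["sha256"],
            "macros_removed": bool(a["vba_markers"]) and not b["vba_markers"]}


# Constructed sample bytes (not a real document): a minimal OLE header, padding,
# and the UTF-16LE storage names a macro-bearing .doc would carry.
SAMPLE_WITH_MACROS = (OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le")
                      + b"\x00" * 8 + "_VBA_PROJECT".encode("utf-16-le"))
# The same sample with the VBA storage names gone, standing in for a copy the
# antivirus has already cleaned.
SAMPLE_CLEANED = OLE_MAGIC + b"\x00" * 24

if __name__ == "__main__":
    print(triage_document(SAMPLE_WITH_MACROS))
    print(compare_copies(SAMPLE_WITH_MACROS, SAMPLE_CLEANED))
```

For a real file, read it in binary mode and pass the bytes; for a proper parse of the OLE structure use an OLE-aware tool such as olevba from oletools.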