What is the difference between "deleted" and "cleaned by deleting"?

[WolfgangOne 0]

Exactly as the title says. In the Threats section of ERA, under the Action column, some items show "deleted" and others show "cleaned by deleting." I'm curious to know if there is a functional difference, and if not, I'd like to suggest changing them to all be the same. 

[MartinK 378]

Not able to verify, but I think "deleted" files are simply deleted (for example as is done for temporary files downloaded on background during web page loading) and files marked as "cleaned by deleting" were most probably files found on your filesystem and thus were moved to quarantine. You should be able to compare this list with quarantine content.

[WolfgangOne 0]

Hm. I thought you were onto something there, but in the attached report screenshot, the last five items from today (9/22/2016) are are all five in the affected computer's quarantine, as pictured.

 

That said, it's interesting that the different types have different actions; the two Win32/NetTool.Portscan.c were "deleted" and the "a variant of Win32/VBObfus" were "cleaned by deleting". 

 

I set this computer to "normal cleaning" instead of "strict", fired up FreeFileSync again to get it to try and copy the infected files. The Portscan files, when detected, brought up the screen asking what action to take, the options being "Clean" and "No action". I said clean. The other three files did not display an option, but did show the notice that they'd been "cleaned by deleting". 

 

However, this time, all five files show on the report as "cleaned by deleting." All five were added to the Quarantine (the count increased). 

 

Normal cleaning is described as "In this mode, the program will attempt to automatically clean or delete infected files. If no action can be performed and user is logged in, an alert window with a list of available actions may be displayed. An alert window will also be displayed if the action fails."

 

Strict cleaning is described as "In this mode, the program will attempt to automatically clean or delete all infected files without user intervention. System files are the only exception; if they cannot be cleaned and a user is logged in, alert window with a list of available actions will be displayed."

 

I'm not sure what, exactly, is meant by "If no action can be performed..." since it obviously can perform the action, but how this seems to possibly work out is that "deleted" means it cleaned something optional. Something that would have given the user a choice, if it had been set to offer one. Basically, condition yellow strict cleaning = "deleted", condition red strict cleaning = "cleaned by deleting". 

 

I don't know, I'm probably obsessing. I have a lot of complaints about reports in general in ERA, and this is just one of they many mysteries I'd like resolved. But if there's really no practical difference between the two as appears to be the case, I'd really prefer if they were both were just renamed "deleted", just for the sake of making things simpler. It almost strikes me as just something missed in coding, i.e., they changed the wording in the past and missed one of the references. 

 

Either way, I'd really appreciate an Eset programmer's input or the like.

Edited September 2, 2016 by WolfgangOne

[MartinK 378]

Sorry for delay: the difference between those states is that in case of second result "cleaned by deleting", certain post-delete operations were performed. For example stopping processes, removing references from registry (autostart). There is a plan to unite those states in the future, but there are no guarantees.