Dangermouse 5 Posted October 26, 2016 Share Posted October 26, 2016 I'm finding that file threats that would be terminated part-way in http protocol, are not always being detected during ftp download when using Mozilla Firefox as the ftp client. Most of the time, the threat isn't detected until an on-demand scan, or until the file is displayed in Windows Explorer. I've had this happen even when the threat is already covered by an ESET threat signature. In addition, I'm finding a discrepancy between the threat descriptions in Quarantine versus the Detected Threat log file. The quarantine description is most commonly Win32/Tenga, whereas the log file will show the threat itself e.g. MSIL/HackTool.WinActivator.E.potentially unsafe application Link to comment Share on other sites More sharing options...
Administrators Marcos 5,273 Posted October 26, 2016 Administrators Share Posted October 26, 2016 Unlike http, ESET does does support ftp protocol filtering. That said, when you download an archive via ftp and save it to a disk, it won't be scanned internally unless you scan it with the on-demand scanner or extract it at which point extracted files would be scanned by real-time protection. Other discrepancies could stem from different detection sensitivity used by web/email protection and other scanners, including real-time protection. The quarantine description is most commonly Win32/Tenga, whereas the log file will show the threat itself e.g. MSIL/HackTool.WinActivator.E.potentially unsafe application. These must be different files and different detections. It's impossible that the threat name would differ in an alert window and in the logs upon detection. Link to comment Share on other sites More sharing options...
itman 1,748 Posted October 26, 2016 Share Posted October 26, 2016 (edited) Unlike http, ESET does does support ftp protocol filtering. That said, when you download an archive via ftp and save it to a disk, it won't be scanned internally unless you scan it with the on-demand scanner or extract it at which point extracted files would be scanned by real-time protection. Other discrepancies could stem from different detection sensitivity used by web/email protection and other scanners, including real-time protection. The quarantine description is most commonly Win32/Tenga, whereas the log file will show the threat itself e.g. MSIL/HackTool.WinActivator.E.potentially unsafe application. These must be different files and different detections. It's impossible that the threat name would differ in an alert window and in the logs upon detection. Marcos, my understanding is if realtime scanning is set to scan on "file creation" and the default archive file setting is enabled which scans to 10 levels deep, any the archive would be scanned when it was downloaded? I realize that Eset's web filter doesn't scan FTP traffic but that shouldn't effect internal realtime scan parameters? For example, a file archive copy from an USB drive should be scanned upon creation on the PC's hard drive . -EDIT- Actually, I need any official Eset statement on this. If Eset is scanning downloads using only the web filter from HTTP/S sources, I will set my other security solution to scan on file creation rather than on execution. Edited October 26, 2016 by itman Link to comment Share on other sites More sharing options...
Recommended Posts