
Detection of ftp download threats is inconsistent



I'm finding that file threats that would be terminated part-way in http protocol are not always being detected during ftp download when using Mozilla Firefox as the ftp client.

 

Most of the time, the threat isn't detected until an on-demand scan, or until the file is displayed in Windows Explorer. I've had this happen even when the threat is already covered by an ESET threat signature.

 

In addition, I'm finding a discrepancy between the threat descriptions in Quarantine versus the Detected Threat log file.

 

The quarantine description is most commonly Win32/Tenga, whereas the log file will show the threat itself e.g. MSIL/HackTool.WinActivator.E.potentially unsafe application

 

 

  • Administrators

Unlike http, ESET does does support ftp protocol filtering. That said, when you download an archive via ftp and save it to a disk, it won't be scanned internally unless you scan it with the on-demand scanner or extract it at which point extracted files would be scanned by real-time protection. Other discrepancies could stem from different detection sensitivity used by web/email protection and other scanners, including real-time protection.

 

 

The quarantine description is most commonly Win32/Tenga, whereas the log file will show the threat itself e.g. MSIL/HackTool.WinActivator.E.potentially unsafe application.

 

These must be different files and different detections. It's impossible that the threat name would differ in an alert window and in the logs upon detection.


Unlike http, ESET does does support ftp protocol filtering. That said, when you download an archive via ftp and save it to a disk, it won't be scanned internally unless you scan it with the on-demand scanner or extract it at which point extracted files would be scanned by real-time protection. Other discrepancies could stem from different detection sensitivity used by web/email protection and other scanners, including real-time protection.

 

 

The quarantine description is most commonly Win32/Tenga, whereas the log file will show the threat itself e.g. MSIL/HackTool.WinActivator.E.potentially unsafe application.

 

These must be different files and different detections. It's impossible that the threat name would differ in an alert window and in the logs upon detection.

Marcos, my understanding is if realtime scanning is set to scan on "file creation" and the default archive file setting is enabled which scans to 10 levels deep, the archive would be scanned when it was downloaded? I realize that Eset's web filter doesn't scan FTP traffic but that shouldn't affect internal realtime scan parameters? For example, a file archive copy from a USB drive should be scanned upon creation on the PC's hard drive.

 

-EDIT- Actually, I need any official Eset statement on this. If Eset is scanning downloads using only the web filter from HTTP/S sources, I will set my other security solution to scan on file creation rather than on execution.

Edited by itman