
Kramer (Mod, join:2000-08-03, Richmond, VA)

Interesting Fun This Morning

I happened to be moving mail from one account into a GMail account, and GMail refused to move a few messages it said contained a virus. I decided to investigate a little. I was able to download the zip file and decompressed it in a folder. Not once did my Windows Defender on WIN8 complain. I investigated a little more and ran the ZIP through the VIRSCAN.ORG multi-vendor test. The results were interesting. While most big brand vendors did detect it, only 47% ended up doing so. I then updated my Defender definitions, which for some reason were out of date, and then touched the various files. I moved the infected ZIP to my desktop and Defender didn't even notice. I then touched the uncompressed files and Defender did detect and remove the EXE that was contained in the ZIP that I had decompressed. I checked Defender's settings and it was set to scan archive files. Something must be wrong with that feature because it clearly misses the infected file within an archive. It is now sitting in my recycle bin and has yet to complain.

I was a bit surprised that Defender/Security Essentials was almost worthless with this payload, but check out the big names that detected nothing...
AntiVir -Nothing
Comodo- Nothing
NOD32 - Nothing
Sophos- Nothing
Sunbelt - Nothing
Trend Micro - Nothing (really disappointed here)

Even though Virscan.org says Kaspersky detects it, the Kaspersky online scan did not.

Kudos to Google for intercepting this malware.

Obviously with any given infection various products are going to be hit or miss at various times... but FWIW ... just reporting my mileage.
MrFixit1 (Member, join:1999-11-26, Madison, WI)

Also interesting is the fact that your Virscan report says that Microsoft detected it?
Does Virscan test it as a Zip, or does it unzip it first?
If they test it as a Zip, I wonder what Microsoft scanner they used?

norwegian (Premium Member, join:2005-02-15, Outback) to Kramer


There is a seriously big load of zipped infected files getting around in emails at present, and there has been for nearly 6 to 10 months.

Banks, airlines, online shops, etc., and the files are changing quite regularly.

Kramer (Mod, join:2000-08-03, Richmond, VA) to MrFixit1

The latest definitions do detect it unzipped. I can tell you that on my machine the latest definitions do not detect it in an archive. Good question on how they deal with the zip. If they unzip it first, it doesn't tell you much about how well the various products do with the compressed files. From the way the scan looks, it is decompressed with each scan. That doesn't say much.
Kramer (Mod) to norwegian

said by norwegian:

There is a seriously big load of zipped infected files getting around in emails at present, and there has been for nearly 6 to 10 months.

Banks, airlines, online shops, etc., and the files are changing quite regularly.

Yep, seen a lot of them. This was supposedly an ADP payroll report.

norwegian (Premium Member, join:2005-02-15, Outback) to Kramer

said by Kramer:

Even though Virscan.org says Kaspersky detects it, the Kaspersky online scan did not.

That was interesting. I know earlier versions of the online web scanner were not as reliable at running the engine code effectively; they had issues there with it. It seems that bug hasn't gone away a couple of years later.

Thanks for pointing that out.

Kramer (Mod, join:2000-08-03, Richmond, VA)


I am referring to the single file scan. You upload the file to them and they scan it.

therube (Member, join:2004-11-11, Randallstown, MD) to Kramer

quote:
If they unzip it first, it doesn't tell you much how well the various products do with the compressed files.
The only way to test a compressed file is to unzip (uncompress) it.

You can scan a "ZIP" as a ZIP (a blob of data) but that isn't really going to tell you much because a ZIP cannot execute.

Now once the contents of the ZIP are extracted, either by you doing it manually, or the A/V extracting it into (presumably) a sandbox, then it can successfully scan the files therein for malware.

And it could also be that your A/V is set to ignore "ZIP" files altogether, & would only interact when they are unzipped.

norwegian (Premium Member, join:2005-02-15, Outback) to Kramer


Understood, a slight misinterpretation, but I had the feeling at the time that any website scan was not a big thing; they were preferring tools and downloadable engines rather than web-based products. So while my reply was not quite correct, it was still in reference to the whole web interface.

I could go on, but it would become personal interpretation rather than what I learnt at the time; it still seems it hasn't changed, if the results were not good.

Cartel (Premium Member, join:2006-09-13, Chilliwack, BC) to Kramer

I have disabled Defender ever since Vista Beta. I find it quite useless.
You don't use an AV?

Wow, Trend Micro usually says everything is a virus...

So you already opened this mail previously?

Kramer (Mod, join:2000-08-03, Richmond, VA)


Defender in Vista and Defender in WIN8 are two completely different products. Mail has not been opened by me until testing. Google detected it, but I was able to get at it using another method.
redwolfe_98 (Premium Member, join:2001-06-11) to Cartel

said by Cartel:

You don't use an AV?

With "windows 8", "windows defender" is MS's "security essentials" rebranded, so it is an antivirus program.

Incidentally, "windows defender" (not the one in "windows 8", which is MS's "security essentials" rebranded) does not have the same detections as MS's "security essentials".

In the past, I found several malicious files that were not flagged by "windows defender" but, when I submitted them to MS, MS said that they already had detection for the files, so I concluded that the files were flagged by MS's "security essentials" while they were not flagged by MS's "windows defender".

I don't see why "windows defender" couldn't have the same detections that MS's "security essentials" has, but, unfortunately, that is not the way that MS does things.

Kramer (Mod, join:2000-08-03, Richmond, VA) to therube

said by therube:

quote:
If they unzip it first, it doesn't tell you much how well the various products do with the compressed files.
The only way to test a compressed file is to unzip (uncompress) it.

You can scan a "ZIP" as a ZIP (a blob of data) but that isn't really going to tell you much because a ZIP cannot execute.

Now once the contents of the ZIP are extracted, either by you doing it manually, or the A/V extracting it into (presumably) a sandbox, then it can successfully scan the files therein for malware.

And it could also be that your A/V is set to ignore "ZIP" files altogether, & would only interact when they are unzipped.

Uh: 47% of the products used were able to detect the malware just fine. This is a definition issue, not anything having to do with the archive. I already stated Defender was set to scan archived files. It isn't going to ignore zips... at least if it is working properly.

HA Nut (Premium Member, join:2004-05-13, USA) to Kramer

My opinion...

We would need to know how MS scans archives. I doubt they do it in real time. Many AV products do but IMO, it's wasted CPU cycles to do so.

IMO, it's probably scanned on file open (real time), file close (real time) or during a scheduled/manual scan (NOT the real time engine.) This method provides decent protection and keeps the PC's CPU time better managed.

therube (Member, join:2004-11-11, Randallstown, MD) to Kramer

> This is a definition issue

One way to be sure would be to ZIP up the files using password protection (IOW the scanner could not unzip the files), resubmit them, and see what comes of it.

Kramer (Mod, join:2000-08-03, Richmond, VA) to HA Nut

said by HA Nut:

My opinion...

We would need to know how MS scans archives. I doubt they do it in real time. Many AV products do but IMO, it's wasted CPU cycles to do so.

IMO, it's probably scanned on file open (real time), file close (real time) or during a scheduled/manual scan (NOT the real time engine.) This method provides decent protection and keeps the PC's CPU time better managed.

Fair enough, and easy enough to prove one way or another. You are absolutely right. If I scan the file it does get detected. I really should have thought of that. If you just touch an archive, it would be unreasonable to expect the AV software to spend the time and effort to examine the contents, which I assume would involve a heavy amount of CPU activity. Imagine what would become of a computer's speed if one were to copy a folder of 1000 zips from one place to another and the AV software had to examine each one of those archives. Thanks for the explanation.
redwolfe_98 (Premium Member, join:2001-06-11) to Kramer

Kramer, I wish you would upload the unzipped/decompressed EXE file to "virustotal", and post a link to the scan results.

And submit the file to "avira", if it is not flagged by the avira program at "virustotal":

analysis.avira.com/en/submit
psloss (Premium Member, join:2002-02-24) to norwegian

said by norwegian:

There is a seriously big load of zipped infected files getting around in emails at present, and there has been for nearly 6 to 10 months.

Banks, airlines, online shops, etc., and the files are changing quite regularly.

Longer than that, but high-frequency for that period. (There are blogs that provide play-by-play, but they're full of 'don't click on this' links.)
said by redwolfe_98:

Kramer, I wish you would upload the unzipped/decompressed EXE file to "virustotal", and post a link to the scan results.

One of the hashes of the EXE is probably sufficient. One can search for that on VirusTotal.
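The thread's two practical suggestions are hashing the extracted EXE for a VirusTotal lookup and re-testing with a password-protected ZIP that the scanner cannot open. Here is an added example (mine, not code from any poster) that hashes an archive and each member in memory, without extracting to disk, and reports a member the reader cannot open with no hash. The sample ZIP and fake "EXE" are constructed, and the password-protected case is simulated by setting the ZIP "encrypted" flag bit rather than actually encrypting anything.

```python
import hashlib
import io
import struct
import zipfile

# Constructed sample: a fake "payroll report" executable (DOS 'MZ' magic plus
# filler). Not a real program and not malware.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real PE body"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(name: str, data: bytes) -> bytes:
    """Build a single-member ZIP in memory; ZIP_STORED keeps the byte layout simple."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' general-purpose flag (bit 0) in the local file header and
    central directory of a single-member ZIP. Nothing is really encrypted; this only
    makes the reader refuse the member, as a scanner without the password would."""
    b = bytearray(zip_bytes)
    b[6] |= 0x01                                  # local header: flags at offset 6
    cd_offset = struct.unpack("<I", b[-6:-2])[0]  # EOCD (last 22 bytes): CD offset at +16
    b[cd_offset + 8] |= 0x01                      # central directory entry: flags at +8
    return bytes(b)


def hash_archive_members(zip_bytes: bytes) -> dict:
    """Hash the archive blob and every member without writing anything to disk.
    The archive hash and the member hash differ, so the extracted EXE's hash is
    the one to look up; a member the reader cannot open gets no hash at all."""
    report = {"archive_sha256": sha256_hex(zip_bytes), "members": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            member = {"name": info.filename, "encrypted": bool(info.flag_bits & 0x01),
                      "sha256": None, "looks_like_pe": False}
            if not member["encrypted"]:
                data = zf.read(info)
                member["sha256"] = sha256_hex(data)
                member["looks_like_pe"] = data[:2] == b"MZ"  # DOS/PE header magic
            report["members"].append(member)
    return report
```

Run `hash_archive_members(build_zip("ADP_Payroll_Report.exe", FAKE_EXE))` to see both hashes, and wrap the archive in `mark_encrypted` to see what a scanner that cannot open the member is left with.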

Kramer (Mod, join:2000-08-03, Richmond, VA) to redwolfe_98

This is the extracted EXE:
www.virustotal.com/en/fi ··· nalysis/

The ZIP, which someone else had analyzed:
www.virustotal.com/en/fi ··· nalysis/

3 fewer detections from the ZIP.

I don't see Avira as a listed product, but I uploaded it to them and they identified the ZIP as being malware. I just couldn't bring myself to hit the word "Open" on the EXE for the upload.

I don't know why my early this morning scan got such a poor hit rate.

Edit: This looks like a pretty new virus. That would explain the changing detection rate. Virustotal first saw it a couple of days ago. That's when the email arrived in this person's account. Google didn't detect it until this morning when I was uploading some mail into the account.
psloss (Premium Member, join:2002-02-24)

said by Kramer:

Edit: This looks like a pretty new virus. That would explain the changing detection rate. Virustotal first saw it a couple of days ago.

It was a new build a couple of days ago, but it is part of a frequent, repeating pattern.
Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to Kramer

said by Kramer:

Edit: This looks like a pretty new virus. That would explain the changing detection rate. Virustotal first saw it a couple of days ago. That's when the email arrived in this person's account. Google didn't detect it until this morning when I was uploading some mail into the account.

Yep. It is very new (this particular version of it). Windows Defender covered it in the CURRENT definitions 1.145.109.0 as an updated definition.