My Web Search - Partially caught

We just had a user get MyWebSearch (browsing places on the internet I'm sure are not "work related"). ESET Real-Time Protection successfully sees a couple DLL's and quarantines them, just enough to disable MyWebSearch but not enough to remove it completely. (Just to note, 1 hour 37 minutes prior to this infection our weekly full in-depth scan had run and found nothing on this machine, so it was perfectly "clean" according to ESET).

The part I do not understand is how the rest of the MyWebSearch files were created in C:\Program Files\MyWebSearch\ and were not caught by the Real Time Protection? Just to prove my point, installed MBAM and ran a scan. The moment that MBAM touches the infected files ESET pops up and quarantines them! How can the real-time protection not catch the file created an hour earlier in C:\Program Files\MyWebSearch but an hour later, MBAM touches the file to move it to quarantine and ESET jumps in like it's saving the day and quarantines MBAM's quarantine. So please explain how the Real-Time Protection can flat miss created items that are clearly in the definitions?

See screenshot below.....

 

It obviously misses part of infection. Submit the files if you have time
http://kb.eset.com/esetkb/index?page=content&id=SOLN141

 

ESET does find the files, that is not the problem, but only after MBAM touches them. If the Real-Time Protection can find the infection when MBAM touches the files, why can't the Real-Time Protection find it when the file was created in the first place? Even better, why didn't the Web-Protection find this in the first place and never let the file get created in C:\ProgramFiles\MyWebSearch. And if it did slip past the Web Protection, how did the Real-Time Protection let it get created in C:\Program Files\MyWebSearch?

 

What to do if you are infected.

Infections like this are generally due to soft security settings.

Not all security solutions can guarantee 100% protection 100% of the time.

Respected Security sites like Bleeping Compter, and Malwarebytes have extensive Anti-Rogue Removal Guides. This is a testament to how severe the Rogue AV problem and Malware problem is.

 

Pretty much "Eset's Motto" isn't it

 

I'm not sure whether you're talking about binaries or additional data / config files. ESET does not detect such benign stuff plus we try to avoid detection of adware uninstallers as they can be used to remove adware traces completely (including non-binary stuff or registry entries in other than run keys). I'd suggest submitting all suspicious files you find to ESET and we'll see if it is appropriate to detect some of them.

 

Some of the malware and BHO's MyWebSearch can install without user consent.
Info on the MyWay pest, More on BHO's

 

I think everyone is missing my point. My point is not MyWebSearch, I'm well aware of MyWebSearch and it's removal. The files caught by ESET, only AFTER MBAM tried Quarantining them, are not "benign" files. They are DLL's and an EXE (refer to my screenshot in my original post to clearly see this).

My question is: How does a DLL and EXE file not get caught by the Real-Time Protection? but then get caught as soon as MBAM quarantine's the file? I can understand TXT, LOG, INI files possibly not getting picked up. But I just checked the config for this machine and "Scan On -> File Creation" is turned on. I always assumed this meant ALL files were scanned on creation, not just the ones that NOD32 felt like scanning.

 

Maybe detection was added after the files were saved to the disk or you didn't have real-time protection configured to detect this kind of stuff. I assume that running an on-demand scan with detection of potentially unsafe applications and adware/spyware/riskware enabled would have revealed the files.

 

See my previous two replies here, here

 

Thanks for the replies. I'll check the policy and make sure everything is set correctly on the Real-Time protection. I'll also just have to watch for the next MyWebSearch infection and see if I can find any other useful information.

 

Use of a HOSTS File would help greatly in avoiding infiltrations such as these.