Well, I think it is a false positive. Emsisoft released a decryptor for the Diavol-ransomware. Site (don't go there for now!!!) obfuscated: hxxps://xxx.emsisoft.com/ransomware-decryption-tools/diavol My Eset gives a warning on that page I leave it further up to the two companies to figure it out between them. @Fabian Wosar @Marcos
I went to that site and Eset didn't give me a warning. I could also download decryptor with no problems. EDIT: initial scan though detected it so it's not entirely fixed:
I was unable to reproduce the detection. Please contact samples[at]eset.com and provide step-by-step instructions how to duplicate.
I had already restored a backup image. But I just went there again. Very simple, I went to the site using IE11 on Win7 Pro 64-bit. Immediatelly same warning from Eset Internet Security 15.0.23.0 Real-time file system protection C:\Users\...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\86RSH0ML\diavol[1].htm Win64/Filecoder.Diavol trojan Edit: using the Eset regular update channel
I've sent the FP report from the quarantine, the detection is related to the ransomware note provided on the Emsisoft website so I don't think they'll fix it since it's the actual note malware uses.
Thank you for submitting it! ===== I have also sent email to samples at eset. They cannot reproduce it, they say. But we have now three persons who got the warning. I'm sorry Eset, but I'm not going to go there again and then run eset log collector and then again restore a backup image. It's enough now. Eset: Get in contact with Emsisoft!
Strangely for me website and download are not blocked or detected. Only on demand scanner detects it in Firefox cache folder (it probably detects message that is stored in FF cache as part of visited site).
Hi Stapp, Did you hear back from Emsisoft? If so, are you allowed to tell us more here? Could maybe someone of Emsisoft come over here? Thanks!
It's the ransomware instructions which are detected since they are in a raw form on the web page. They are detected on the disk only if the page is fully cached which is why it's not always detected. A solution could be adding html formatting or replacing the text with an image.
Thank you Marcos! So, do I understand you right that Emsisoft would better edit that page? Thank you!
The code ESET detects is just the text the ransomware places as instructions for payment. By itself it's not malicious but ESET probably added it to the databases as a precaution, as remnant detection. There's no danger opening Emsisofts webpage
Honestly, never understood why ESET detects and removes ransom notes. Personally, find it frustrating.
Some notes: 1. I went again to that site. Still the same warning from my Eset. 2. So, it looks like nothing have been changed sofar. 3. I don't know whether Emsisoft is aware of it. Yes, stapp was so kind to report it to them. But did they actually read it? I also don't know whether Eset and Emsisoft are in contact with each other about it. I don't have to know about such a discussion. My only goal was and is that the two companies could and can come to an agreement and solve it. Such things usually happen behind the scenes. That is absolutely fine with me! The only thing that counts, is that users are protected and don't have to deal with "possible false positives" (that is only disturbing). 4. The famous site of Bleeping Computer has a much better page about the Diavol Decryptor from Emsisoft than Emsisoft itself. No warning there. No ransom note in raw-format. There is there a screenshot of the ransom note. The Decryptor can be downloaded from there. Here: https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-trickbot-gangs-diavol-ransomware/
Emsisoft is aware. Perhaps it is something they need to discuss between themselves. I doubt they will do it in public on a forum. Emsisoft isn't known for hosting malware as you know, and the site is showing what is basically a text file. When the ransom notes are removed into quarantine it may make it harder for the user to get his files back as they cannot fully identify which ransomware it is (you need a file and the note as seen in the link) https://id-ransomware.malwarehunterteam.com
Thanks stapp. Good to know now. Of course I do know that. That's OK! There was a reason why I posted: === Of course I know that!! More: the many decryptors they released, all the very hard work behind it: I can only in deep respect applaud for it! That is exactly where the culprit is. That is the issue. Yes, I am fully aware about the discussion whether Eset should detect it or not. At the other hand Emsisoft should never post it in that way. A screenshot is great, just like at the Bleeping Computer page I gave. That is why that Bleeping Computer page is much better than the Emsisoft page. Yes. We had a thread about it here: https://www.wilderssecurity.com/threads/before-you-pay-that-ransomware-demand.390879/ And I mentioned it other times. Absolutely great site!
