Eset fp on Emsisoft page Decryptor for Diavol

Discussion in 'other anti-virus software' started by FanJ, Mar 21, 2022.

  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    Well, I think it is a false positive.

    Emsisoft released a decryptor for the Diavol-ransomware.
    Site (don't go there for now!!!) obfuscated:
    hxxps://xxx.emsisoft.com/ransomware-decryption-tools/diavol

    My Eset gives a warning on that page

    I leave it further up to the two companies to figure it out between them.
    @Fabian Wosar @Marcos
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    20,564
    Location:
    UK
    I have passed this info on to Emsisoft.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,756
    Location:
    Slovenia, EU
    I went to that site and Eset didn't give me a warning. I could also download decryptor with no problems.

    EDIT: an initial scan did detect it though, so it's not entirely fixed:

    [attached screenshot: upload_2022-3-22_6-42-52.png]
     
    Last edited: Mar 22, 2022
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,454
    I was unable to reproduce the detection. Please contact samples[at]eset.com and provide step-by-step instructions on how to duplicate it.
     
  5. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    I had already restored a backup image. But I just went there again.
    Very simple, I went to the site using IE11 on Win7 Pro 64-bit.
    Immediately the same warning from Eset Internet Security 15.0.23.0

    Real-time file system protection
    C:\Users\...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\86RSH0ML\diavol[1].htm
    Win64/Filecoder.Diavol trojan

    Edit:
    using the Eset regular update channel
     
    Last edited: Mar 22, 2022
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    Thanks stapp!
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    Thanks Minimalist for trying it! Looks like we got the same.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    Will do, was too tired last night; sorry.
     
  9. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    837
    I've sent the FP report from the quarantine, the detection is related to the ransomware note provided on the Emsisoft website so I don't think they'll fix it since it's the actual note malware uses.
     
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    Thank you for submitting it!

    =====

    I have also sent email to samples at eset.
    They cannot reproduce it, they say. But we have now three persons who got the warning.
    I'm sorry Eset, but I'm not going to go there again and then run eset log collector and then again restore a backup image. It's enough now. Eset: Get in contact with Emsisoft!
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,756
    Location:
    Slovenia, EU
    Strangely, for me the website and download are not blocked or detected. Only the on-demand scanner detects it in the Firefox cache folder (it probably detects the message that is stored in the FF cache as part of the visited site).
     
  12. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    Hi Stapp,
    Did you hear back from Emsisoft? If so, are you allowed to tell us more here?
    Could maybe someone of Emsisoft come over here?
    Thanks!
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,454
    It's the ransomware instructions which are detected since they are in a raw form on the web page. They are detected on the disk only if the page is fully cached which is why it's not always detected. A solution could be adding html formatting or replacing the text with an image.

    [attached screenshot: upload_2022-3-22_16-36-56.png]
     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    Thank you Marcos! :thumb:

    So, do I understand you right that Emsisoft would better edit that page?
    Thank you!
     
  15. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    837
    The code ESET detects is just the text the ransomware places as instructions for payment. By itself it's not malicious, but ESET probably added it to the databases as a precaution, as remnant detection. There's no danger opening Emsisoft's webpage.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,454
    Yes, the code on the web page should be changed to a non-raw format to avoid detection by other AVs.
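    The mechanism Marcos describes in posts 13 and 16 (a raw-text signature fires only when the browser caches the note verbatim, and HTML formatting breaks the match) can be illustrated with the following added example; it is not code from this thread, from ESET or from Emsisoft, and the marker phrases and page fragments are constructed placeholders, not the real Diavol note.

```python
import re
from html import unescape

# Constructed marker phrases standing in for whatever a vendor's raw-text
# signature looks for. These are placeholders, not the real Diavol note.
NOTE_MARKERS = [
    "ALL YOUR FILES HAVE BEEN ENCRYPTED",
    "contact us through our portal",
]

TAG_RE = re.compile(r"<[^>]+>")
WS_RE = re.compile(r"\s+")


def raw_signature_hits(data: bytes) -> list:
    """Byte-exact matching, the way a raw-text 'remnant' signature behaves.

    Fires on a browser cache file only if the note text survived verbatim."""
    return [m for m in NOTE_MARKERS if m.encode() in data]


def normalized_text(data: bytes) -> str:
    """Strip tags, decode entities (&nbsp; etc.), collapse whitespace."""
    text = data.decode("utf-8", "replace")
    text = TAG_RE.sub(" ", text)   # every tag becomes a separator
    text = unescape(text)          # &nbsp; -> U+00A0, &amp; -> &, ...
    return WS_RE.sub(" ", text).strip()   # \s also matches U+00A0 in str mode


def normalized_hits(data: bytes) -> list:
    """Same markers, but applied to the rendered text of the page."""
    text = normalized_text(data)
    return [m for m in NOTE_MARKERS if m in text]


# Constructed stand-ins for how a browser might cache two versions of the page.
RAW_PAGE = (b"<html><body><pre>ALL YOUR FILES HAVE BEEN ENCRYPTED\n"
            b"contact us through our portal</pre></body></html>")
FORMATTED_PAGE = (b"<html><body><p>ALL YOUR <b>FILES</b> HAVE BEEN<br>\n"
                  b"ENCRYPTED</p><p>contact us through our&nbsp;portal</p>"
                  b"</body></html>")

if __name__ == "__main__":
    print("raw page, byte signature:      ", raw_signature_hits(RAW_PAGE))
    print("formatted page, byte signature:", raw_signature_hits(FORMATTED_PAGE))
    print("formatted page, normalized:    ", normalized_hits(FORMATTED_PAGE))
```

    The normalized check shows the caveat: a scanner that strips markup before matching still sees the note, which is why a screenshot (as on the Bleeping Computer page mentioned later in the thread) is the more robust way to publish it.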
     
  17. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    22
    Honestly, never understood why ESET detects and removes ransom notes.

    Personally, find it frustrating.
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,454
    It helps a lot with classification and subsequent decryption and forensic analysis.
     
  19. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    Some notes:

    1.
    I went again to that site. Still the same warning from my Eset.

    2.
    So, it looks like nothing has been changed so far.

    3.
    I don't know whether Emsisoft is aware of it.
    Yes, stapp was so kind to report it to them. But did they actually read it?
    I also don't know whether Eset and Emsisoft are in contact with each other about it. I don't have to know about such a discussion.
    My only goal was and is that the two companies could and can come to an agreement and solve it. Such things usually happen behind the scenes. That is absolutely fine with me!
    The only thing that counts is that users are protected and don't have to deal with "possible false positives" (that is only disturbing).

    4.
    The famous site of Bleeping Computer has a much better page about the Diavol Decryptor from Emsisoft than Emsisoft itself. No warning there. No ransom note in raw format. There is a screenshot of the ransom note there.
    The Decryptor can be downloaded from there. Here:
    https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-trickbot-gangs-diavol-ransomware/
     
  20. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    20,564
    Location:
    UK
    Emsisoft is aware.
    Perhaps it is something they need to discuss between themselves. I doubt they will do it in public on a forum.
    Emsisoft isn't known for hosting malware as you know, and the site is showing what is basically a text file.

    When the ransom notes are removed into quarantine it may make it harder for the user to get his files back as they cannot fully identify which ransomware it is (you need a file and the note as seen in the link)

    https://id-ransomware.malwarehunterteam.com
     
  21. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,333
    Thanks stapp. Good to know now.

    Of course I do know that. That's OK! There was a reason why I posted:
    ===

    Of course I know that!! More: the many decryptors they released, all the very hard work behind it: I can only in deep respect applaud for it!

    That is exactly where the culprit is. That is the issue.
    Yes, I am fully aware about the discussion whether Eset should detect it or not.
    On the other hand, Emsisoft should never post it in that way. A screenshot is great, just like on the Bleeping Computer page I gave. That is why that Bleeping Computer page is much better than the Emsisoft page.

    Yes. We had a thread about it here:
    https://www.wilderssecurity.com/threads/before-you-pay-that-ransomware-demand.390879/
    And I mentioned it other times. Absolutely great site!
     
    Last edited: Mar 24, 2022