Eset mail scanning not up to much?

Discussion in 'ESET Smart Security' started by DonVa, Oct 17, 2008.

Thread Status:
Not open for further replies.
  1. DonVa

    DonVa Registered Member

    Joined:
    May 11, 2008
    Posts:
    30
    Recently I had an email with a doc.exe attachment.
    I was pretty sure it had a virus and didn't open it.

    I was surprised ESET Smart Security didn't pick it up.

    I forwarded it to Eset and after a couple of days it was detected by ESET after updates.


    Today I have another zip file containing what is constructed to look like a word document.

    It has a Word icon associated with it. The file has a .exe extension but it is not obvious as it has a huge amount of white space before it so it just looks like a .doc extension.
    Statement_01-1.doc .exe

    i.e. the .exe extension is hidden by lots of white space in the name.

    I am almost certain this is a virus.

    I am beginning to wonder if ESET Smart Security is up to the task??

    I have full heuristics on too.
     
  2. ASpace

    ASpace Guest

    Make sure ESET Smart Security is updated. Forward such emails to ESET Virus Labs samples@eset.com and don't wonder - it is pretty normal nowadays to come across something missed because there are tons of new malware appearing every day.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    These Autorun/Fakealert/Wigon trojans are seldom undetected and at least the email/web access protection modules recognize them as Statik and block them. Please send the file to us for perusal as suggested above.
     
  4. DonVa

    DonVa Registered Member

    Joined:
    May 11, 2008
    Posts:
    30
    Someone else must have done it as it has now been picked up and quarantined - presumably after signature updates were picked up.

    You might be right that they are seldom missed - but I must be unlucky to have had two in a few weeks that were.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    As I said, all spammed malware with Statemend.doc.exe that I know of was caught by the email/web scanner as they use more sensitive heuristics. Could you please send the file in question to samples[at]eset.com in a password protected archive and a link to this thread url in the subject? I'd be interested in checking it with an older version to make sure it was initially intercepted by the email/web scanners.
     
  6. DonVa

    DonVa Registered Member

    Joined:
    May 11, 2008
    Posts:
    30
    I will send the file attachment if you can tell me how to get the quarantined file back.

    The email is in my infected outlook folder but the message now has no attachment as ESET deleted it.


    The actual attachment was called Statement_01-10.zip.

    This zip file contained a file called Statement_01-10.doc .exe


    (There are about 115 spaces between .doc and .exe so it looks like just .doc as you can't see the .exe part - when I post this message you can't see this as the html is reformatted to trim the spaces out).


    The sender was:
    Etta Lundy [tempestdianequeennn@btopenworld.com]

    The subject was:
    dave Report 1/1/2008 - 10/1/2008.


    The email message was as below:

    Dear Valued Customer:

    Your account ID: dave

    As requested, we are sending you this account report attached this mail between 1/1/2008 and 10/1/2008.

    At your service,
    Etta Lundy



    Eset has now tagged the message thus:


    __________ ESET Smart Security warning, version of virus signature database 3533 (20081017) __________

    Warning, ESET Smart Security found the following threats in the message:

    Statement_01-10.zip - Win32/TrojanDownloader.Wigon.AU trojan - deleted
    Statement_01-10.zip > ZIP > Statement_01-10.doc .exe - Win32/TrojanDownloader.Wigon.AU trojan - was a part of the deleted object

    http://www.eset.com




    Again there are lots of spaces between .doc and .exe in the tagged message - but you won't see them when I post it.



    ESET is doing its job now, but only a day or so after getting the messages or after I reported it.


    Can I undelete the attachment?
    If so I will send it.
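
A defender-side check for the filename trick described in this post, as an added example that is not part of the original thread and not ESET's code: it lists the member names of a ZIP and flags any whose real extension is executable but sits behind a document-like extension, reporting how much whitespace padding hides it. The extension lists and function names are assumptions, and the sample archive is constructed in memory with harmless contents.

```python
import io
import re
import zipfile

# Assumed extension lists for this example (not taken from the thread).
DECOY_EXTS = {"doc", "docx", "xls", "pdf", "txt", "jpg"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}

# ".decoy" + optional whitespace run + ".real" at the end of the name.
# In Python 3, \s also matches Unicode whitespace such as U+00A0.
NAME_RE = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s*)\.(?P<real>[A-Za-z0-9]{1,5})\s*$"
)


def check_name(name):
    """Return a finding for a disguised executable name, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = NAME_RE.search(base)
    if m is None:
        return None
    decoy, real = m.group("decoy").lower(), m.group("real").lower()
    if decoy not in DECOY_EXTS or real not in EXEC_EXTS:
        return None
    return {"name": base, "decoy": decoy, "real": real,
            "padding": len(m.group("pad"))}


def scan_zip(data):
    """Check every member name of a ZIP given as bytes; contents are not read."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [f for f in map(check_name, zf.namelist()) if f]


def build_sample():
    """Constructed sample: harmless bytes under the name pattern from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement_01-10.doc" + " " * 115 + ".exe", b"not a program")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print("disguised executable: .%(decoy)s + %(padding)d spaces + .%(real)s"
              % finding)
```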
     
  7. ASpace

    ASpace Guest

  8. DonVa

    DonVa Registered Member

    Joined:
    May 11, 2008
    Posts:
    30
    It wasn't in the quarantine as emails don't go here.

    However I had originally saved the file to my desktop and that one did go in quarantine.

    I have submitted it as requested with link to this message.


    PS:

    I am using 3.0.650 version

    The virus definitions that picked up the virus were database 3533 (20081017).

    So the ones that missed must have been earlier than that.
     