ESS 5.2.15.0 Allowed .zip with payload

Discussion in 'ESET Smart Security' started by jlpeifer, Apr 15, 2013.

Thread Status:
Not open for further replies.
  1. jlpeifer

    jlpeifer Registered Member

    Joined:
    Jul 5, 2012
    Posts:
    14
    Location:
    USA
    I know there's a procedure for submitting suspected files to ESET, but this one's a bit perplexing and I'd like to get your feedback.

    First a little environmental info:
    XP SP3
    Thunderbird 17.0.5
    ESET Smart Security 5.2.15.0
    Virus Sig 8230 (20130415)
    Email Client Protection for Thunderbird ENABLED

    A client received an email containing a small zip that purportedly contained "faxes". Fortunately the client was seasoned enough not to open the zip. Instead he forwarded it to me.

    I submitted the zip to http://virusscan.jotti.org where ESET positively identified the file as containing a virus "ESET 2013-04-15 Win32/PSW.Fareit.A".

    Here's my problem... the ESS installation on my client's computer didn't pick up the infection until I attempted to unzip the executable it contained.

    Is that normal? It seems that ESET should have intercepted the ZIP file attached to the email prior to it making its way to my client's inbox.
     
  2. Quad

    Quad Registered Member

    Joined:
    Jan 10, 2013
    Posts:
    47
    As far as I know, yes, it's normal; the realtime module doesn't scan archives until they're extracted. Archives are considered harmless, and once they're extracted the realtime module kicks in and detects any threats.
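For the case discussed above, where a zip attachment reaches the inbox unscanned, an administrator can triage the message before anyone extracts it. The sketch below is an added example, not part of the original thread and not ESET's implementation: it lists the members of each zip attachment in memory and flags those that look executable. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}  # assumed list

def risky_members(zip_bytes):
    """List (name, reason) for members that look executable, without extracting to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted: content cannot be inspected
                findings.append((info.filename, "encrypted member"))
                continue
            with zf.open(info) as fh:
                magic = fh.read(2)
            ext = os.path.splitext(info.filename)[1].lower()
            if magic == b"MZ":
                findings.append((info.filename, "PE/DOS header"))
            elif ext in RISKY_EXT:
                findings.append((info.filename, "executable extension"))
    return findings

def scan_message(raw):
    """Map each zip attachment's filename to its risky members."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            report[part.get_filename() or "<unnamed>"] = risky_members(data)
    return report

def build_sample():
    """Constructed message: a 'faxes' zip holding a placeholder with an MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_0415.pdf.exe", b"MZ" + b"\x00" * 62)  # inert bytes
        zf.writestr("readme.txt", "see attached fax")
    msg = EmailMessage()
    msg["Subject"] = "Incoming fax"
    msg.set_content("Your faxes are attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="faxes.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

To check a real message, pass the raw bytes of a saved `.eml` file to `scan_message`; a flagged member is a reason to submit the archive for analysis, not a verdict.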
     
  3. jlpeifer

    jlpeifer Registered Member

    Joined:
    Jul 5, 2012
    Posts:
    14
    Location:
    USA
    Thx for the feedback.
     
  4. Quad

    Quad Registered Member

    Joined:
    Jan 10, 2013
    Posts:
    47
    You're welcome.
     