How to handle threats that are not cleaned or quarantined?

Discussion in 'ESET Smart Security' started by Reedmikel, Mar 15, 2012.

Thread Status:
Not open for further replies.
  1. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    NOD32 4.2 BUSINESS EDITION: web protection encountered threat "SWF/Exploit.Agent.EA trojan" and reported action of "connection terminated - quarantined". User saw fake AV window while browsing Internet using IE8. Restarted PC but still got the fake AV screen...

    I then had customer restart PC and then I ran an in-depth scan from ERAC (with nobody logged on to the infected PC). Scan came back clean.

    Next I remoted into PC and used AutoRuns tool and found a RUNONCE registry link to a suspicious executable file (which I did submit to ESET). A bit later I ran an on-demand scan on this file and it now is detected as "a variant of Win32/Kryptik.ACQS trojan". But again, it was not cleaned or quarantined. A definition update had just occurred prior to this on-demand scan, which explains why the file was now detected as a threat. Did my suspicious file submission really get processed that fast?

    So ESET detected some form of web threat, but apparently does not fully protect the computer :( What are we supposed to do when a threat is detected, but not cleaned/quarantined? I checked the list of manual removal tools on ESET's site but saw no mention of "kryptik".

    Suggestion to ESET: why not provide some form of guidance to us admins back at the ERAC console as to how we are supposed to handle cases like this? Maybe link us to a KB article, or manual removal tool for the specific threat. The way it is now, we will have to call ESET - which wastes both of our times and monies...
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    What happened was that the computer got infected with a threat not recognized at the point of infection. After the signature database updated to a version which had detection for the threat added, the threat should have been detected and removed by the startup scan.
    Unfortunately, you didn't enclose the complete record from the on-demand scanner log. If there was an error cleaning/quarantining the file, it must have been logged. Another possibility is that the on-demand scan was run in "scan-only" mode, so the threat was only reported but not cleaned. However, as I have already written, the threat was supposed to be cleaned during a startup scan after the update without the need to run an on-demand scan. It'd be interesting to see the Threat log from the computer in question; maybe some detections or errors were logged there.
     
  3. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    I am not sure I understand you Marcos, as the threat was recognized at the time of infection (the web protection module detected it as SWF/Exploit.Agent.EA trojan):

    Here is the threat log for the time of initial infection:
    Column Name Value
    Threat Id Threat 390
    Client Name Office1-new
    Computer Name Office1-new
    MAC Address 6c626d4bec1d
    Primary Server Win2k8-vm1
    Date Received 2012-03-15 14:00:20
    Date Occurred 2012-03-15 13:58:27
    Level Warning
    Scanner HTTP filter
    Object file
    Name http://91.200.176.24/content/field.swf
    Threat SWF/Exploit.Agent.EA trojan
    Action connection terminated - quarantined
    User SJS\Witczak_C
    Information Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Details Ready

    Here is the 1st In-depth scan log (which I initiated from ERAC):
    Log
    Scan Log
    Version of virus signature database: 6969 (20120315)
    Date: 3/15/2012 Time: 2:51:14 PM
    Scanned disks, folders and files: Operating memory;C:\Boot sector:D:\Boot sector;C:\:D:\
    Operating memory » C:\Program Files\RealVNC\VNC4\WinVNC4.exe » ZIP » - archive damaged
    C:\hiberfil.sys - error opening [4]
    C:\pagefile.sys - error opening [4]
    C:\compaq\ISOs\HP Restore Plus! for HP Pro 3000 Microtower PC.ISO » ISO » readme.txt » MBOX - is OK (internal scanning not performed)
    C:\compaq\ISOs\Vision Diagnostics.ISO » ISO » HP_MEMORY_TEST.ISO » ISO » CWSDPMIX.ZIP » ZIP » doc/cwsdpmi/cwsdpmi.doc » CWS » file.swf - archive damaged - the file could not be extracted.
    C:\compaq\ISOs\Vision Diagnostics.ISO » ISO » HP_MEMORY_TEST.ISO » ISO » CWSDPMIX.ZIP » ZIP » doc/cwsdpmi/cwsparam.doc » CWS » file.swf - archive damaged - the file could not be extracted.
    C:\Program Files\RealVNC\VNC4\winvnc4.exe » ZIP » - archive damaged
    C:\Temp\Office2\IE5\EN\IENT_S1.CAB » CAB » IENT_1.CAB » CAB » MSHTMLED.DLL - next archive volume not found
    C:\Temp\Office2\IE5\EN\IE_S1.CAB » CAB » IE_1.CAB » CAB » SHDOCVW.DLL - next archive volume not found
    Number of scanned objects: 782946
    Number of threats found: 0
    Time of completion: 3:22:21 PM Total scanning time: 1867 sec (00:31:07)

    Notes:
    [4] Object cannot be opened. It may be in use by another application or operating system.


    Here is the log from an On-demand scan of the suspicious file, AFTER the definitions had updated to 6970:

    Log
    Scan Log
    Version of virus signature database: 6970 (20120315)
    Date: 3/15/2012 Time: 4:04:26 PM
    Scanned disks, folders and files: C:\Documents and Settings\Witczak_C\Local Settings\Application Data\dtwbbsn.exe
    C:\Documents and Settings\Witczak_C\Local Settings\Application Data\dtwbbsn.exe - a variant of Win32/Kryptik.ACQS trojan
    Number of scanned objects: 1
    Number of threats found: 1
    Number of cleaned objects: 0
    Time of completion: 4:04:26 PM Total scanning time: 0 sec (00:00:00)


    And here is a threat log that shows NOD32 finally deleting the file (I tried to rename the file, hoping it would cause NOD32 to scan it):
    Column Name Value
    Threat Id Threat 392
    Client Name Office1-new
    Computer Name Office1-new
    MAC Address 6c626d4bec1d
    Primary Server Win2k8-vm1
    Date Received 2012-03-15 17:11:34
    Date Occurred 2012-03-15 17:09:42
    Level Warning
    Scanner Real-time file system protection
    Object file
    Name C:\Documents and Settings\Witczak_C\Local Settings\Application Data\dtwbbsn.exe(INFECTED)
    Threat a variant of Win32/Kryptik.ACQS trojan
    Action cleaned by deleting - quarantined
    User SJS\administrator
    Information Event occurred on a file modified by the application: C:\windows\explorer.exe.
    Details Ready


    My thought is that this web-based malware downloaded and executed the suspicious exe file. NOD32 says it terminated the connection to that web site, but not until *after* a malicious file was downloaded and run. That does not seem like very good protection :(

    So, back to my original question: what are we supposed to do when a threat is detected, but NOD32 is unable to clean or quarantine it? No suggestions are offered by the ERAC console, leaving users without any clue as to what to do...

    If there are other logs that you want to see, please give me precise directions as to how/where I can get these logs. Remember - I am a newbie to this software...
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Definitely it was not the malware that was detected because of this message:
    Action connection terminated - quarantined
    That means ESET blocked this particular piece of malware at the network level before it could make it to the computer disk or memory. I assume there must have been another piece of malware or an exploit that downloaded the rogue app.

    This shouldn't happen at all and this was not such a case either.

    In the on-demand scanner log, there was no mention of an error while cleaning or quarantining the file:
    C:\Documents and Settings\Witczak_C\Local Settings\Application Data\dtwbbsn.exe - a variant of Win32/Kryptik.ACQS trojan

    This indicates that the scan was not run in "cleaning mode". If you right-click a client and select New task -> On-demand scan (cleaning enabled), the "Scan without cleaning" check box will be unticked so any threat found will be removed.

    As I mentioned before, it'd be of interest to see all recent threat log records. Check if there are some with something like "Startup scanner" listed in the Scanner column. If the threat was actually active and registered in the system, the startup scan must have detected and removed it automatically after the update. If there's no mention of the startup scanner in the Threat log, I assume the threat was either not active on the computer or startup scan tasks are not run for some reason (e.g. most likely they were disabled).
     
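As an added example (not code from this thread or from ESET): a small Python triage helper for the two log formats quoted above. It parses an ERAC threat-log record and an on-demand scan-log summary, tells a network-level block apart from a detection that was never cleaned, and checks whether any "Startup scanner" record is present, which is the check Marcos asks for. The column names and line formats are taken from the thread; the sample data below is constructed.

```python
import re

# Constructed sample in the layout of the ERAC threat-log records quoted in this thread.
THREAT_RECORD = """Column Name Value
Threat Id Threat 390
Scanner HTTP filter
Object file
Name http://example.invalid/content/field.swf
Threat SWF/Exploit.Agent.EA trojan
Action connection terminated - quarantined
User DOMAIN\\user"""

# Constructed sample in the layout of the on-demand scan log quoted above.
SCAN_LOG = """Scan Log
Version of virus signature database: 6970 (20120315)
C:\\path\\sample.exe - a variant of Win32/Kryptik.ACQS trojan
Number of scanned objects: 1
Number of threats found: 1
Number of cleaned objects: 0
"""

# Column names exactly as they appear in the threat-log records; longer names first
# so "Threat Id" and "Client Name" are matched before "Threat" and "Name".
COLUMNS = ("Threat Id", "Client Name", "Computer Name", "MAC Address", "Primary Server",
           "Date Received", "Date Occurred", "Level", "Scanner", "Object", "Name",
           "Threat", "Action", "User", "Information", "Details")

def parse_threat_record(text):
    """Turn one 'Column Name Value' dump into a dict keyed by column name."""
    rec = {}
    for line in text.splitlines():
        for col in COLUMNS:
            if line.startswith(col + " "):
                rec[col] = line[len(col) + 1:].strip()
                break
    return rec

def classify(rec):
    """Blocked on the wire, cleaned on disk, or detected but left in place."""
    action = rec.get("Action", "").lower()
    if rec.get("Scanner") == "HTTP filter" and "connection terminated" in action:
        return "blocked-at-network"   # download stopped; says nothing about other files on disk
    if "cleaned" in action or "deleted" in action:
        return "cleaned"
    return "detected-not-cleaned"     # the case that needs manual follow-up

def startup_scanner_seen(records):
    """True if any threat-log record came from the startup scanner."""
    return any("startup scanner" in r.get("Scanner", "").lower() for r in records)

def scan_log_summary(text):
    """Pull the counters out of a scan log; a missing 'cleaned' line counts as 0."""
    ver = re.search(r"Version of virus signature database: (\d+)", text)
    found = re.search(r"Number of threats found: (\d+)", text)
    cleaned = re.search(r"Number of cleaned objects: (\d+)", text)
    f = int(found.group(1)) if found else 0
    c = int(cleaned.group(1)) if cleaned else 0
    return {"db": ver.group(1) if ver else None, "found": f, "cleaned": c,
            "needs_followup": f > c}
```

Run over an export of all recent records, `startup_scanner_seen` returning False is the condition Marcos reads as "startup scans are not running or the threat was never active".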
  5. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Hmmm, I think it is too coincidental that the web protection module (sort of) caught a threat, and then some other piece of malware infected the PC. No, it is very likely that the two incidents are very related. The date/time stamp of the malicious .exe file matches the date/time stamp of the threat that the web filter (sort of) blocked.

    Again, I am new to your product, so you'd have to give me precise instructions on whatever other logs you want to see.

    I can tell you when I executed the In-depth scan that I chose CLEANING ENABLED. Why don't these logs state whether cleaning was enabled or not? It tells us the definitions version, so why not tell us other important settings like cleaning enabled/disabled?
     