Jump to content

virus in eml file detect only with manual scan and not real time scan, Why ?


Recommended Posts

hello to every body

i have got a big problem

i received an email that has got attachment and i save that email in eml file and after that for better test i zip that file and test with some antivirus

1 = when i upload eml file into virustotal.com then antivirus scan and alert that file has got a virus

2 = i install mcafee virus scan enterprise edition in virtual machine and update that, and when i extract eml file from zip file, mcafee detect and delete eml file, and i check mcafee settiong is set on all file scan.

3 = i install kaspersky internet security and update that, check setting and all file scan is enable, when i extract zip file kaspersky does not alert any virus, but when right click on file then click scan for virus, then kaspersky alert virus found

 

now question is , when kaspersky setting is set on all file scan, why kaspersky does not detect that eml file and only when right click and then scan click, after that it detect eml file that contain attachment virus ?

 

is that any setting to enable for detect virus in eml file in real time protection enable ?

 

For security reason i send that file in zip file [REMOVED BY MODERATION
that has got password 123

 

Link to comment
Share on other sites

Hello  @hellboy755,

Welcome!

Please tell us:

  1. Operating system name, version & build
  2. KIS version & patch(x) ?
  3. What mail application is installed? 
  4. KIS Report, ALL Events, 7days, please export the report, save as a .txt file and 📎attach to your reply please ? 
  5. Is KIS licensed, if “yes”, raise a case with Kaspersky Technical Support, provide them with the history & information, a GSI & Windows Logs, they may also ask for Traces, run as the issue is replicated, they will guide you with the collection of the Traces.

Thank you

References: 

Configuring Mail Anti-Virus

KIS Library

Link to comment
Share on other sites

hello again

1 = my os is windows 10 1909 (build 18363.535) 

2 = KIS is kaspersky internet security 20.0.14.1085(g)

3 = that eml file is for export mail in kerio connect mail server

4 = why would you like this ? this is not common, excuse, some my system trace file is in this report and i dont like that, excuse

5 = kaspersky install in trial version for test and 26 days left

 

Link to comment
Share on other sites

Hello @hellboy755,

Thank you for replying.

Kaspersky Internet Security supports currently circulated Microsoft Outlook Mail applications.

As you have KIS Premium Trial license, raise a case with Kaspersky Technical Support, provide them with the KIS Report, history & information, a GSI & Windows Logs, they may also ask for Traces, run as the issue is replicated, they will guide you with the collection of the Traces.

Thank you

Link to comment
Share on other sites

thanks for you replying

but my question is very clear

i dont speak about outlook

why mcafee all file scan setting, when i extract file , detect attachment virus but kaspersky does not detect that and must right click and manual select scan ?

how can i tune kaspersky to detect that file

Link to comment
Share on other sites

Hello  @hellboy755,

I understand the question. 

As you have KIS Premium Trial license, raise a case with Kaspersky Technical Support, provide them with the KIS Report, history & information, a GSI & Windows Logs, they may also ask for Traces, run as the issue is replicated, they will guide you with the collection of the Traces.

Thank you

Link to comment
Share on other sites

hi @Berny  again

 

SHA256 of my file is : d98dff28b9d7947431da8d35cdf54e9b1acee32282f41446a1079298a2d8f987

 

you can test with hash calculator

 

 

 

 

and when you upload into virustotal.com it detect that

 

 

 

 

 

you must set security level of scanning to high to detect eml file with right clickscan

Link to comment
Share on other sites

@hellboy755: FileAV (resident protection) is set by default to Scan by Format, taken from Online Help:

If you select this option, File Anti-Virus scans only files which a virus could infiltrate. Before searching for viruses in a file, its internal header is analyzed to determine the file format (TXT, DOC, EXE, etc.). During the scan, file extensions are also taken into consideration.

File Anti-Virus treats files without extensions as executables. File Anti-Virus always scans them, regardless of the file types you have selected for scanning.

 

Probably .eml files are not included directly in this scan, since eml file type is not directly executable and You need to open it with an application. You may try to set You FileAV to All Files and check again, but probably this setting will slowdown Your system:

 

Also as @Friend already said, if You modify the main FileAV Security Level to High, All Files are scanned and Heur is also set to Deep Scan, but also this may slowdown Your system, so FileAV is set by default to optimum and to offer a great performance.

Link to comment
Share on other sites

Well, I have been running some different tests with that eml file, and these are my conclusions:

 

1.- In FileAV module set to default Recommended or in Security Level set to High , it seems the file will not be detected on extracting or on access it (for example opening to the folder where is located), unless You open it with a mail client application.

 

2.- If You try to send it via a browser, the file will be detected (WebAV module in Default/Recommended Security Level).

 

3.- If You try to send it via an email client, for example via SMTP also the file is detected (MailAV module in Default/Recommended Security Level).

 

4.- If You run manual on demand scan/Selective Scan over the file (Security Level set to High), it will be also detected.

 

Since this kind of file will remain harmless unless You open or send it, I am enough satisfied with Kaspersky's behaviour… so my suggestion is to set Selective, Quick and Full Scan settings to High Level, and keep in Recommended the resident modules FileAV, WebAV and MailAV.

 

That file is already detected by Kaspersky, so no need to do extra working sending it to Kaspersky VirusDesk:

 

 

Link to comment
Share on other sites

dear @harlan4096 

i have both mcafee and kaspersky

when mcafee set all file scan, then when extract eml file, the file is detected

but when kasper is on all file scan, kaspersky not scan eml

this is my question, why kaspersky all file scan doesnt work ?

you can test with mcafee, my problem is only kaspersky or other antiviruses has got option to all file scan, but this option doesnt work, why ?

why mcafee all file scan works ?

i would like someone explain why ? and can solve the problem that kaspersky scan my all my files, not only that file his like to scan.

thanks a lot for your test

Link to comment
Share on other sites

@hellboy755 . according to the virustotal results, it is clear that the detection takes place with a heuristic analyzer, and not with bases.
The antivirus also uses scan optimization technologies, that is, the same file may not be scanned again, even after changing the antivirus settings, if these technologies are not disabled.
For checks, the high level must be changed in the settings in the section: Scan  https://help.kaspersky.com/KIS/2020/en-US/68154.htm

Link to comment
Share on other sites

thanks @Friend 

but i set both ( iSwift, iChecker ) to disable and test with new name and location with high setting but is doesnt detect againt

heuristic analyzer is not for a file that has got a virus, heuristic analyzer  is for file execute and check and track their file and area that is access and modified and then if is harmful must be restore and or alert to user that file is harmful, but this file not execute and kaspersky when manual scan detect as trojan inside it. so antivirus must be detect that file when select high setting and all file selected.

Link to comment
Share on other sites

I also guess that the problem here is that the eml by itself is not malicious or infected, since it is an email message but contains a malicious attach (.doc), so probably that’s why Kaspersky does not process it directly but it detects and delete only that malicious attach and not the complete file…

 

Probably other av firms just add a signature for the complete file, but Kaspersky in this case focuses only in the malicious part of the doc...

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share



×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.