Virus in eml file detected only with manual scan and not real-time scan, why?


Hello to everybody,

I have got a big problem.

I received an email that has an attachment, and I saved that email as an eml file. After that, for a better test, I zipped that file and tested it with some antivirus products.

1 = When I upload the eml file to virustotal.com, the antivirus scans and alerts that the file has a virus.

2 = I installed McAfee VirusScan Enterprise edition in a virtual machine and updated it, and when I extract the eml file from the zip file, McAfee detects and deletes the eml file. I checked that the McAfee setting is set to all file scan.

3 = I installed Kaspersky Internet Security and updated it, checked the settings, and all file scan is enabled. When I extract the zip file, Kaspersky does not alert on any virus, but when I right-click the file and then click scan for viruses, Kaspersky alerts that a virus was found.

Now the question is: when the Kaspersky setting is set to all file scan, why does Kaspersky not detect that eml file, and only after I right-click and click scan does it detect the eml file that contains the virus attachment?

Is there any setting to enable so that a virus in an eml file is detected while real-time protection is enabled?

For security reasons I am sending that file in a zip file [REMOVED BY MODERATION] that has the password 123.

 

Link to comment
Share on other sites

Hello  @hellboy755,

Welcome!

Please tell us:

  1. Operating system name, version & build?
  2. KIS version & patch(x)?
  3. What mail application is installed?
  4. KIS Report, ALL Events, 7 days: please export the report, save it as a .txt file and 📎 attach it to your reply, please.
  5. Is KIS licensed? If “yes”, raise a case with Kaspersky Technical Support and provide them with the history & information, a GSI & Windows Logs. They may also ask for Traces, run as the issue is replicated; they will guide you with the collection of the Traces.

Thank you

References: 

Configuring Mail Anti-Virus

KIS Library

Link to comment
Share on other sites

Hello again,

1 = My OS is Windows 10 1909 (build 18363.535).

2 = KIS is Kaspersky Internet Security 20.0.14.1085(g).

3 = That eml file is an exported mail from the Kerio Connect mail server.

4 = Why would you like this? This is not common, excuse me; some of my system trace files are in this report and I don't like that, excuse me.

5 = Kaspersky is installed as a trial version for testing, and 26 days are left.

Link to comment
Share on other sites

Hello @hellboy755,

Thank you for replying.

Kaspersky Internet Security supports currently circulated Microsoft Outlook Mail applications.

As you have KIS Premium Trial license, raise a case with Kaspersky Technical Support, provide them with the KIS Report, history & information, a GSI & Windows Logs, they may also ask for Traces, run as the issue is replicated, they will guide you with the collection of the Traces.

Thank you

Link to comment
Share on other sites

Thanks for your reply,

but my question is very clear.

I am not speaking about Outlook.

Why does McAfee, with the all file scan setting, detect the attachment virus when I extract the file, while Kaspersky does not detect it and I must right-click and manually select scan?

How can I tune Kaspersky to detect that file?

Link to comment
Share on other sites

Hello  @hellboy755,

I understand the question. 

As you have KIS Premium Trial license, raise a case with Kaspersky Technical Support, provide them with the KIS Report, history & information, a GSI & Windows Logs, they may also ask for Traces, run as the issue is replicated, they will guide you with the collection of the Traces.

Thank you

Link to comment
Share on other sites

I don't have a premium trial license.

FYI, product descriptions are available here:
> “Essential” stands for KAV
> “Advanced” stands for KIS
> “Premium” stands for KTS

Also, for security reasons I removed your potentially infected attachment.

Link to comment
Share on other sites

Hi @Berny again,

The SHA256 of my file is: d98dff28b9d7947431da8d35cdf54e9b1acee32282f41446a1079298a2d8f987

You can test with a hash calculator,

and when you upload it to virustotal.com, it detects that.

You must set the security level of scanning to High to detect the eml file with right-click scan.

Link to comment
Share on other sites

@hellboy755: FileAV (resident protection) is set by default to Scan by Format; taken from the Online Help:

> If you select this option, File Anti-Virus scans only files which a virus could infiltrate. Before searching for viruses in a file, its internal header is analyzed to determine the file format (TXT, DOC, EXE, etc.). During the scan, file extensions are also taken into consideration.
>
> File Anti-Virus treats files without extensions as executables. File Anti-Virus always scans them, regardless of the file types you have selected for scanning.

Probably .eml files are not included directly in this scan, since the eml file type is not directly executable and you need to open it with an application. You may try to set your FileAV to All Files and check again, but probably this setting will slow down your system:

Also, as @Friend already said, if you modify the main FileAV Security Level to High, All Files are scanned and Heur is also set to Deep Scan, but this may also slow down your system, so FileAV is set by default to optimum and to offer great performance.

Link to comment
Share on other sites

Well, I have been running some different tests with that eml file, and these are my conclusions:

1.- With the FileAV module set to the default Recommended or with the Security Level set to High, it seems the file will not be detected on extracting or on accessing it (for example, opening the folder where it is located), unless you open it with a mail client application.

2.- If you try to send it via a browser, the file will be detected (WebAV module in Default/Recommended Security Level).

3.- If you try to send it via an email client, for example via SMTP, the file is also detected (MailAV module in Default/Recommended Security Level).

4.- If you run a manual on-demand scan/Selective Scan over the file (Security Level set to High), it will also be detected.

Since this kind of file will remain harmless unless you open or send it, I am satisfied enough with Kaspersky's behaviour… so my suggestion is to set the Selective, Quick and Full Scan settings to High Level, and keep the resident modules FileAV, WebAV and MailAV at Recommended.

That file is already detected by Kaspersky, so there is no need to do the extra work of sending it to Kaspersky VirusDesk:

Link to comment
Share on other sites

Dear @harlan4096,

I have both McAfee and Kaspersky.

When McAfee is set to all file scan, the file is detected when I extract the eml file,

but when Kaspersky is on all file scan, Kaspersky does not scan the eml.

This is my question: why doesn't Kaspersky's all file scan work?

You can test with McAfee. My problem is only that Kaspersky or other antiviruses have an option for all file scan, but this option doesn't work. Why?

Why does McAfee's all file scan work?

I would like someone to explain why, and to solve the problem so that Kaspersky scans all my files, not only the files it likes to scan.

Thanks a lot for your test.

Link to comment
Share on other sites

@hellboy755, according to the VirusTotal results, it is clear that the detection takes place with a heuristic analyzer, and not with bases.
The antivirus also uses scan optimization technologies; that is, the same file may not be scanned again, even after changing the antivirus settings, if these technologies are not disabled.
For checks, the high level must be changed in the settings in the section: Scan https://help.kaspersky.com/KIS/2020/en-US/68154.htm

Link to comment
Share on other sites

Thanks @Friend,

but I set both (iSwift, iChecker) to disabled and tested with a new name and location with the High setting, but again it doesn't detect it.

A heuristic analyzer is not for a file that has a virus; a heuristic analyzer is for executing a file and checking and tracking the files and areas that are accessed and modified, and then, if it is harmful, it must be restored and/or the user alerted that the file is harmful. But this file is not executed, and Kaspersky, on manual scan, detects a trojan inside it. So the antivirus must detect that file when the High setting and all files are selected.

Link to comment
Share on other sites

I also guess that the problem here is that the eml by itself is not malicious or infected, since it is an email message but contains a malicious attachment (.doc), so probably that’s why Kaspersky does not process it directly but detects and deletes only that malicious attachment and not the complete file…

Probably other AV firms just add a signature for the complete file, but Kaspersky in this case focuses only on the malicious part of the doc...

Link to comment
Share on other sites
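An added example (not code from this thread and not Kaspersky's implementation) illustrating two points raised above: format detection by internal header, and the .eml being a container for the attached .doc. It shows that the attachment's file header is absent from the raw .eml bytes because the part is base64-encoded, and only appears after MIME decoding. The sample message, addresses, file name and signature table are constructed and harmless.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading-byte signatures used to sniff a decoded part's real format.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy .doc/.xls)",
    b"PK\x03\x04": "ZIP/OOXML",
    b"MZ": "PE executable",
}

def sniff(data: bytes) -> str:
    """Return the format name whose signature matches the first bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def build_sample_eml() -> bytes:
    """Constructed sample: OLE2 header bytes plus zero padding as 'invoice.doc'."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    payload = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
    msg.add_attachment(payload, maintype="application",
                       subtype="msword", filename="invoice.doc")
    return msg.as_bytes()

def inspect_eml(raw: bytes) -> list[dict]:
    """MIME-decode each attachment, then sniff and hash the decoded bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        report.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "sniffed": sniff(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return report

if __name__ == "__main__":
    raw = build_sample_eml()
    print("container sniffed as:", sniff(raw))  # header check on raw .eml
    for row in inspect_eml(raw):
        print(row)
```

Hashing the decoded attachment rather than the whole .eml gives a value that stays the same regardless of which message carried the file.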
