stapp

CLOSED amtso results on 6799


To help me understand things a bit better, can someone explain why I get the results that I do here?

 

http://www.amtso.org/feature-settings-check-for-desktop-solutions/

 

Only .zip and .jar files result in an Emsi warning on the compressed malware test.

 

The PUP test works but the phishing test doesn't.

 

Does Emsi follow all the AMTSO standards, or is there more to it than that?


Hi Stapp,

 

Our software doesn't detect the following page as phishing: http://www.amtso.org/check-desktop-phishing-page/ and, as you can see, we are not in the list either. I have contacted our lab too; it is up to them whether we should block this as a test or not. At the moment, it is expected that the page is NOT blocked.

 

Thank you for the feedback,
Orlando


Good chuckle. I saw a lot of what stapp saw, as all the stuff it did got trapped by SBIE. Yawn.

 

It was in the Sandbox for me too, Peter, but that's not the point, is it?

 

Emsi is still supposed to flag it.

 

Emsi flagged two of the compressed malware ones but not the others. I just wanted to know why.


This depends on the extensions scanned by the File Guard. In fact, it is expected that a .zip file is detected and a .7z is not; you can do the checks by using these files: http://www.amtso.org/feature-settings-check-download-of-compressed-malware/

 

You can also check and modify the extensions to be scanned by the File Guard in the File Guard settings: clicking on the "Edit" button opens the list of scanned extensions.

 

Orlando


Stapp,

We only block domains and IP addresses. So, if we block their test phishing website, we will end up blocking their entire domain. There is no way to effectively detect and block phishing websites on a consistent basis. Phishing websites do not do anything other than collect user-inputted data and then send it. They do nothing other than what a web form does and is explicitly designed to do: collect user-inputted data and then forward it to a database, or to a web or email address.


Is the EICAR test file inside a CAB archive, or is it just renamed to eicar.cab? If it's inside a CAB archive, then we more than likely don't have a signature for it. If I remember right, that's not one of the official download formats from EICAR, so chances are we wouldn't have added it and it wouldn't be detected until it was either extracted or scanned manually. ;)


File Guard does not scan within archives. It's a performance drain and simply useless, as we scan files when they are unpacked anyway. It doesn't matter which format. If the File Guard does detect something in an archive, chances are it is because enough of the compression dictionary still contains readable parts of the EICAR scan string that the signature still matches, not because we scan within archives.

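As an added example (not part of the thread, and not Emsisoft's code), the following Python script makes the two points from Orlando's and Fabian's replies above concrete. It wraps the EICAR test string in several containers entirely in memory, never touching disk, so a real on-access scanner on the machine running it has nothing to quarantine. It then reports, per container, whether the file name's extension would even be handed to an extension-gated on-access scan (the File Guard list Orlando mentions; the extension set used here is an assumption, not Emsisoft's actual default list), whether the EICAR string is still byte-for-byte visible inside the raw container (Fabian's "still readable parts of the scan string" case, which is certain for a ZIP stored without compression and format-dependent otherwise), and whether it is recovered once the member is extracted, which is the point at which the thread says the file is actually scanned. The names `SCANNED_EXTENSIONS`, `would_be_scanned_on_access`, `signature_visible`, `build_archives` and `report` are hypothetical helpers introduced for this example.

```python
import gzip
import io
import zipfile

# The EICAR test string, split in two so this source file itself is never a
# valid EICAR file (the string only counts when it is the whole file).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + rb"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed on-access extension list, modelled on the File Guard "Edit" list the
# thread mentions. Emsisoft's real default list is not given on the page.
SCANNED_EXTENSIONS = {".exe", ".dll", ".zip", ".jar"}


def would_be_scanned_on_access(filename, extensions=SCANNED_EXTENSIONS):
    """Extension-gated decision: is this file name even submitted to the scan?"""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in extensions


def signature_visible(container):
    """Is the EICAR string present byte-for-byte in the raw container?"""
    return EICAR in container


def build_archives():
    """Wrap EICAR in a stored ZIP, a deflated ZIP and a gzip stream, all in
    memory. Returns {file_name: container_bytes}."""
    out = {}
    for name, method in (("stored.zip", zipfile.ZIP_STORED),
                         ("deflated.zip", zipfile.ZIP_DEFLATED)):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression=method) as zf:
            zf.writestr("eicar.com", EICAR)
        out[name] = buf.getvalue()
    out["eicar.gz"] = gzip.compress(EICAR)
    return out


def extract(name, container):
    """Unpack one container and return the member bytes, i.e. what an
    on-access scanner sees once the archive has been extracted."""
    if name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(container)) as zf:
            return zf.read("eicar.com")
    return gzip.decompress(container)


def report():
    """One row per container: gated by extension? visible raw? visible extracted?"""
    rows = []
    for name, container in build_archives().items():
        rows.append({
            "file": name,
            "scanned_on_access": would_be_scanned_on_access(name),
            "signature_visible_in_container": signature_visible(container),
            "signature_visible_after_extract": extract(name, container) == EICAR,
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

The stored ZIP carries the 68-byte string verbatim, so a plain byte signature matches the archive itself; for the DEFLATE-compressed containers the script just reports what it finds, since whether fragments survive depends on the compressor's block choice. In every case the extracted member is the full string again, which is why scanning at unpack time is sufficient and the archive-level hit is incidental.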

Thanks GT and Fabian.

 

.cab files are indeed flagged by EAM when extracted.

 

I guess my confusion arose because the other files were flagged before extraction.

 

However Fabian has cleared that up for me now.

 

Hopefully this thread will help others better understand the scan options in File Guard.
