@Panic
You win as usual: your message is correct as always and the shortest, shorter than my paragraph about “text files” and “executable” code inside. Needless to say about the verbosity of other stuff. Thanks.
@bestfreeav
First, sure I did reread the initial post. Honestly it is very hard to recreate what happened, just because you are talking about some detections picked up by different scanners. No names, no locations, no submissions to the vendor. You can call it malware only if you are absolutely sure yourself. If not, only the confirmation by the developers of the particular security software can tell. Could be FPs.
If Avira picked up something but CAV did not, that does not mean Avira was right and CAV missed.
You should submit the files to Avira as FPs (for investigation) and to CAV as “new” malware, meaning you think that CAV missed.
In this case you will get an answer from both vendors.
And sure, the submission is done by the rules (I see the edited post): a passworded archive has to be attached to the e-mail.
What CAV picked up was in the Restore point. And it happened at the moment another scanner was checking the same file. The “on-access” scanner of CAV woke up.
Well, unless you are conducting such an experiment deliberately, usually you disable the other active guard. That is a different story why, but that is not a big mistake.
The mistake was not submitting the A0047918.exe file too. Interestingly enough, sometimes when you have a real or FP detection in Restore you may not have the initial file present in your system for a long time already.
Then I don’t know how you removed the file with Nod32. Did you have auto-healing enabled?
If so, that is another big mistake. First, now you don’t know the truth.
Secondly, having auto-quarantine and auto-healing enabled is highly unrecommended – that is dangerous. You should leave notification only.
You may render your OS inoperable if the FP flagging was for some vital system files. And actually it really could be the case. Since something is now flagged in Restore, it means that the original file was one of those which the system is monitoring. And that can be, say, Explorer, Svchost, tcpip.sys, and so on. How many times those were falsely flagged and what happened after auto-healing – just don’t ask. Sometimes users do that themselves: anything detected by the AV goes into quarantine, and the result is Blue/Black and other coloured screens – no system.
Unfortunately we cannot tell a lot about the specifics of what was detected because there is not enough information, as I see it.
One more thing to say:
…you should change folder access authority.
After that you and the antivirus software can access that folder.
Then remove the infected file by yourself or let the antivirus delete it.
Well, as I said above about submitting the file from the Sys Restore area, you have to temporarily uncheck “Protect system files”, copy the file somewhere for further archiving with a password, and then set Protection back.
But if “antivirus software can access that folder” only after the user “changes folder access authority” himself, as suggested, you'd rather throw away such an antivirus :)
Sure you should not do that. Actually your image shows how two security scanners are accessing files in there without your help.
@Creasy
The hacker sent an e-mail including malicious code inside the HTML+JavaScript.
One of the staff opened it. Nothing happened on the screen.
He saw only some sentences on the screen.
Yes, it was just like a normal e-mail, NO file attached.
(Not a binary file, please don't confuse it.)
Sure there were antivirus tools.
Sure there was a server-side scanning tool.
But it happened.
And? Sure nothing happened.
First, Panic is not confusing anything.
Text / HTML, whatever file, are binary files too as a matter of fact: “zeros and ones”.
And where is the execution? Who is the host? You can read that file, as I said in one of the previous posts already.
The malicious host has to be picked up. Yes, sometimes some sequence inside HTML, etc. can be interpreted as malicious (in most cases those are FPs), but the main point of the discussion you returned to is that real-time scan will not add anything to that detection.
If you are expecting your antivirus to raise an alarm in the situation you described, that probably should’ve happened when the user opened the e-mail, and that AV did not catch it, as you said. But that is a different topic.
Usually scripts are not flagged. Batch files are not flagged. Those can be malicious too. You cannot disable/flag batches “because they can”. There are a lot of batches working in the background.
Therefore the behavioral layer is needed to interpret and catch a malicious execution sequence.
My regards
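The post's closing argument is that a script or batch file cannot be flagged on its content alone (there are legitimate ones running all the time) and that a behavioral layer has to look at the execution sequence instead. The following is an added example, not code from the thread or from any vendor's product: a toy behavioral check in Python that ignores what a file contains and instead asks who started whom. The process events are constructed sample data, and the sets of "mail client" and "script host" image names are assumptions made for the illustration, not a real detection rule.

```python
"""Toy behavioral check: flag a suspicious execution chain, not a file's bytes.

Added illustration for the forum discussion above. The sample events are
constructed, and the image-name categories are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed categories (illustrative only, not a vendor's real list).
MAIL_CLIENTS: Set[str] = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS: Set[str] = {"wscript.exe", "cscript.exe", "mshta.exe",
                          "powershell.exe", "cmd.exe"}


@dataclass
class ProcEvent:
    """One process-start record: the new pid, its parent pid, its image name."""
    pid: int
    ppid: int
    image: str


# Constructed sample telemetry. Note that the file content of each script is
# never inspected; a plain "batch in the background" (pid 400) must stay clean.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "outlook.exe"),
    ProcEvent(300, 200, "wscript.exe"),     # script host spawned by mail client
    ProcEvent(400, 100, "cmd.exe"),         # ordinary batch started from the shell
    ProcEvent(500, 300, "powershell.exe"),  # grandchild of the mail client
    ProcEvent(600, 700, "wscript.exe"),     # parent unknown: no chain to judge
]


def build_tree(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Index events by pid so ancestry can be walked."""
    return {e.pid: e for e in events}


def ancestry(tree: Dict[int, ProcEvent], pid: int, limit: int = 8) -> List[str]:
    """Return the chain of image names from pid up to the root, child first.
    Stops at unknown parents, cycles, or the depth limit."""
    chain: List[str] = []
    seen: Set[int] = set()
    while pid in tree and pid not in seen and len(chain) < limit:
        seen.add(pid)
        ev = tree[pid]
        chain.append(ev.image.lower())
        pid = ev.ppid
    return chain


def is_suspicious_chain(chain: List[str]) -> bool:
    """True when a script host runs (directly or transitively) under a mail
    client. The script's bytes are irrelevant; only the sequence matters."""
    for i, image in enumerate(chain):
        if image in SCRIPT_HOSTS and any(p in MAIL_CLIENTS for p in chain[i + 1:]):
            return True
    return False


def flag_events(events: List[ProcEvent]) -> List[int]:
    """Return the pids whose ancestry matches the behavioral rule."""
    tree = build_tree(events)
    return [e.pid for e in events if is_suspicious_chain(ancestry(tree, e.pid))]


if __name__ == "__main__":
    for pid in flag_events(SAMPLE_EVENTS):
        print(f"suspicious execution chain ending in pid {pid}: "
              f"{' <- '.join(ancestry(build_tree(SAMPLE_EVENTS), pid))}")
```

Run stand-alone it reports pids 300 and 500 and says nothing about pid 400, which is the point the post makes: the same `cmd.exe` or `wscript.exe` image is benign or suspicious depending on the execution sequence, so a content scan of the script file could not have made that call.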