Bitdefender Free - Blocks malware but doesn't always quarantine it.

Nunzio d'Abbruzzo
Nunzio d'Abbruzzo Defender of the Month ✭✭✭

I did a test with this ransomware:

https://www.virustotal.com/gui/file/cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8/detection

On Virus Total it is stated that Bitdefender Free recognizes it.

On my PC if I do a scan it is not detected as malware. If I launch it it is blocked and therefore recognized as a dangerous object but not removed, it remains on the desktop.

Why does this happen?

I would have expected that, even if it is possibly not detected, because it is not yet present in the signatures (even if on VirusTotal it is already declared as malware even for Bitdefender), however after blocking it it should be quarantined and not left on the desktop.

Nunzio ·

Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb, ATI Mobile Radeon HD 2400

Comments

  • Gjoksi
    Gjoksi Defender of the month mod

    Thanks, but no thanks! I don't want to get in trouble for no reason.

    Anyway, you could send the file and the link to the malware research team, as I highly doubt that anyone here on his/her device, except @mrmirakhur on his virtual machine, will test the file.

    Regards.

    Win8.1Pro64bit-TotalSecurity26.0.32.109-Firefox107.0.1

    Android13-PatchNov1,2022-MobileSecurity3.3.191.2134-Central3.1.10.89

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    In fact my purpose was only to report this Bitdefender behavior which in my opinion is not correct. It is true that it protects the PC that is not damaged but the malware should be quarantined and not left on the desktop. I put the link for any "lab" tests to find the solution to this behavior. 🙂😉

  • Flexx
    Flexx Moderator, Defender of the month mod
    edited June 3

    Thanks for the sample. I downloaded it. Will update you tomorrow with the findings. I am using bitdefender total security, so will be checking the sample under that. This should not make any difference whether it is bitdefender antivirus free or bitdefender total security since both have the same baseline code.

    Regards

    OMEN Laptop 15-en1037AX (Bitdefender Total Security) & Samsung Galaxy S22 Ultra (Bitdefender Mobile Security)

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    I did the test a little while ago and now it is detected; probably, having updated the signatures, it now has the new definitions and is therefore detected and then quarantined, as always taking many seconds. The point, however, remains that when it was not in the signatures and therefore was not detected, running it was blocked (which is very good) but it was not quarantined and remained on the desktop; instead, in my opinion, if detected as malicious it should be quarantined and not stay on the desktop. 😉


    Thanks!

    Nunzio.

  • Flexx
    Flexx Moderator, Defender of the month mod

    Nice to know the issue has been resolved by the latest database update.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    But the goal of this post is not the fact that thanks to the signature update this malware (taken as an example) is detected, the point is that when a malware is not detected by the signatures and the behavioral analysis of Bitdefender still blocks it (this is great) the malware remains on the PC and is not quarantined even if Bitdefender reports that it is a malicious application and blocks it.

  • Flexx
    Flexx Moderator, Defender of the month mod

    In that case we may need to find a sample against which signature based detection is not created and behavior blocker of bitdefender works to stop the execution of the sample. If you can figure out the sample then let me know. Because without the sample even developers will not be able to reproduce the issue.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    Here is a new example of malware not yet present in signatures that is not yet recognized by Bitdefender Free (rightly by file protection). By executing it, the behavioral analysis intervenes by blocking the malicious app (excellent) but it is not eliminated.

    Why?

    It should be quarantined and not left on the desktop.

    Here you can find the malware sample and the evaluation on Virus total:

    https://bazaar.abuse.ch/download/5466ad64faf97ff2f6cf88872406ce7891f2518c11101c0646575ef08bc9f6be/

    https://www.virustotal.com/gui/file/5466ad64faf97ff2f6cf88872406ce7891f2518c11101c0646575ef08bc9f6be


    Run the tests before it ends up in the AV signatures.

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    In addition to the previous post, when running the malware from a USB stick, the message appears that it has been quarantined but a residual file of 0Kb remains.

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    @mmirrakhur Were you able to test it too?

  • Flexx
    Flexx Moderator, Defender of the month mod
    edited June 9

    Checked it as of now and complete file was quarantined. There was no file left on desktop.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    It is now in the AV signatures, as also noted on VirusTotal.

  • Flexx
    Flexx Moderator, Defender of the month mod

    That was because I sent the file to the malware researchers. Still, I ran the file while disabling the real time protection (which disables the signature based detection if I double click the file instead of contextual scan) and executed the file and advanced threat defense came into action and quarantined the file.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    To me it stayed on the desktop. So could it just be a Bitdefender Free problem to fix?

  • Flexx
    Flexx Moderator, Defender of the month mod

    Did you refresh the desktop or the respective page after the file was quarantined? I have no idea whether it is a problem with the free version since I use Total Security.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    The warning pop-up in this case only said that the application had been blocked; it did not communicate that it had been quarantined. The other time, while communicating that it had been quarantined, it remained on the desktop; after refreshing the desktop it was still on the desktop.

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭
    edited June 18

    Another malware sample not detected in the signatures, is blocked if performed (excellent behavioral analysis) but is not quarantined (to be fixed):

    VirusTotal:

    https://www.virustotal.com/gui/file/e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

    malware link:

    [LINK TO MALWARE SAMPLE REMOVED]

  • Gjoksi
    Gjoksi Defender of the month mod

    Reported the .exe file as FALSE NEGATIVE to Bitdefender Labs.

    [FN] [Sample] Submission 1007503184

    So, we must wait for their response.

    @Alexandru_BD @mrmirakhur Check on this. Thanks.

  • Flexx
    Flexx Moderator, Defender of the month mod
    edited June 18

    I have removed the link to malware sample. Kindly refrain from sharing malware samples or link to malware samples on the forum. If you still want to share the samples, you can private message the admins and ask them your query related to it. As on the forum, virustotal link is more than enough.

    Additionally, the sample has been shared with the malware researchers.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    Ok. Sorry 🙂

    However, this example is to draw attention to the fact that malware blocked by behavioral analysis, not present in signatures, is not always quarantined. 😉

    Thanks!

  • Flexx
    Flexx Moderator, Defender of the month mod
    edited June 22

    As per the reply from malware researchers via bitdefender support, the file is not malicious and not detected by signature based detection, however regarding the behavior blocking they are checking on it.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    Thanks for the feedback, but that's not the case; Bitdefender blocked it for me and the Bitdefender notification came out. I don't remember if I cleared the register. If I can, I will check it tonight, and if I find it I will share it.

  • Flexx
    Flexx Moderator, Defender of the month mod

    Sure, I have also asked the support team to get information related to advanced threat defense for the same sample from the malware researchers.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    For the following malware: e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

    as per Virus Total it is only recognized by 2 AVs:

    https://www.virustotal.com/gui/file/e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

    Bitdefender Free does not recognize it in the files but by executing it it is blocked by the behavioral analysis as seen from the images and even if it says that it quarantines it the file remains on the desktop and the quarantine is empty as seen from the images.

    What do you think?

  • Flexx
    Flexx Moderator, Defender of the month mod
    edited June 19

    I am still waiting for the response from the malware researchers through support regarding the blocking of the file by behaviour analysis on its execution.

    I have updated the support ticket with the images that you shared.

    As far as the detection by those 2 antimalware vendors on virustotal is considered, it can be easily made out that those are not signature based detection and instead machine learning based detection which are false negative.

    Regards

  • Gjoksi
    Gjoksi Defender of the month mod

    @Nunzio d'Abbruzzo

    Hello.

    Just to inform you that @Alexandru_BD has just added this community's rule:

    "Posting malware samples and /or URLs is not allowed in the community! Do not post direct links to any executable files, malicious/suspicious software or websites in threads, comments or private messages, even if you think the software or site is clean and incorrectly detected by Bitdefender. Should you wish to report a false positive / false negative detection, head to this link and submit your findings using the dedicated form."

    Kind regards.

  • Flexx
    Flexx Moderator, Defender of the month mod
    edited June 30

    Below is the update from malware researchers via Bitdefender support team.

    It seems that behavior blocking / machine learning detection has also been removed.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    Why is it only blocked and not quarantined (see attached image)?

    It is not yet in the signatures.

    If it is blocked it should also be quarantined, to leave the PC clean.

    It is a general discourse not only on this specific sample.

  • Flexx
    Flexx Moderator, Defender of the month mod

    It is a cloud based detection.

    Kindly share your query with bitdefender support team by dropping them an email at [email protected]

    The support team will reply back to your query within next 24-48 hours excluding weekends.

    Regards

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    I sent the following email to the service center ... let's see if they understand the problem and solve it ...


    "Good morning,

    for example I did a test on this ransomware sample:

    removed link with example malware

    which is not yet present in the Bitdefender signatures:

    https://www.virustotal.com/gui/file/bb762f2ee1e1b87d0b2a6340f2470ed895cfefc2d809f58e187f735cbc808850

    Running the malware, Bitdefender Free blocks it but the file remains on the desktop and is not quarantined."

    Let's see what they will answer me ..

    It's not hard to understand ... just run some tests and see how Bitdefender Free behaves ...😀😉

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    They replied with this link:

    https://www.bitdefender.com/consumer/support/answer/2576/

    but I remain of the idea that an automatic action to quarantine the malicious file blocked by Bitdefender (even if it is not yet in the signatures) should be implemented.

    Thank you and I hope my feedback is welcomed by the development team. 😀

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    I understood what happens in the free version as opposed to the paid one. In the advanced settings of the antivirus, in "actions on threats", leaving the choice on "perform appropriate actions", in some cases some applications are only blocked but not put in quarantine (I do not know by what criteria).

    In the paid version this option can be changed, while in the free version it is not. So in the paid versions you can choose to always quarantine everything, in the free version it is more automatic and some malicious applications are blocked but remain on the PC.

    What do you think @camarie ?

  • camarie
    camarie Principal Software Developer ✭✭✭

    @Nunzio d'Abbruzzo I do not know in great detail this area, but I suppose, as you noticed, the free version tends to be more automated/less customizable than the paid versions, as well as performing a subset of operations. But, again, I cannot say exactly what is there without knowing exactly the code.

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    Thank you @camarie 🙂

    However, in my opinion in the free version at least this option could be left unlocked at the user's choice. 😉

  • Nunzio d'Abbruzzo
    Nunzio d'Abbruzzo Defender of the Month ✭✭✭

    However, I wonder which of the three is the best choice:

    - take appropriate action;

    - move files to quarantine;

    - deny access

    I have a doubt ... if set to "move files to quarantine", is access denied anyway?

    How about @camarie @Alexandru_BD @Gjoksi @Scott and others?
