Bitdefender Free - Blocks malware but doesn't always quarantine it.

Nunzio77
Nunzio77 Defender of the month mod

I did a test with this ransomware:

https://www.virustotal.com/gui/file/cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8/detection

On Virus Total it is stated that Bitdefender Free recognizes it.

On my PC, if I do a scan, it is not detected as malware. If I launch it, it is blocked and therefore recognized as a dangerous object, but it is not removed; it remains on the desktop.

Why does this happen?

I would have expected that, even if it is possibly not detected, because it is not yet present in the signatures (even if on VirusTotal it is already declared as malware even for Bitdefender), however after blocking it it should be quarantined and not left on the desktop.

Nunzio ·

Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security

Comments

  • Gjoksi
    Gjoksi Defender of the month mod

    Thanks, but no thanks! I don't want to get in trouble for no reason.

    Anyway, you could send the file and the link to the malware research team, as I highly doubt that anyone here on his/her device, except @mrmirakhur on his virtual machine, will test the file.

    Regards.

  • Nunzio77
    Nunzio77 Defender of the month mod

    In fact my purpose was only to report this Bitdefender behavior which in my opinion is not correct. It is true that it protects the PC that is not damaged but the malware should be quarantined and not left on the desktop. I put the link for any "lab" tests to find the solution to this behavior. 🙂😉


  • Flexx
    Flexx mod
    edited June 2022

    Thanks for the sample. I downloaded it. Will update you tomorrow with the findings. I am using Bitdefender Total Security, so will be checking the sample under that. This should not make any difference whether it is Bitdefender Antivirus Free or Bitdefender Total Security since both have the same baseline code.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Nunzio77
    Nunzio77 Defender of the month mod

    I did the test a little while ago and now it is detected; probably, having updated the signatures, it ended up with the new definitions and therefore it is detected and then quarantined, as always taking many seconds. The point, however, remains that when it was not in the signatures and therefore was not detected, running it was blocked (which is very good) but it was not quarantined and remained on the desktop; in my opinion, if detected as malicious, it should be quarantined and not stay on the desktop. 😉

    Thanks!

    Nunzio.


  • Nice to know the issue has been resolved by the latest database update.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Nunzio77
    Nunzio77 Defender of the month mod

    But the goal of this post is not the fact that thanks to the signature update this malware (taken as an example) is detected, the point is that when a malware is not detected by the signatures and the behavioral analysis of Bitdefender still blocks it (this is great) the malware remains on the PC and is not quarantined even if Bitdefender reports that it is a malicious application and blocks it.


  • In that case we may need to find a sample against which signature based detection is not created and behavior blocker of bitdefender works to stop the execution of the sample. If you can figure out the sample then let me know. Because without the sample even developers will not be able to reproduce the issue.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Nunzio77
    Nunzio77 Defender of the month mod

    Here is a new example of malware not yet present in signatures that is not yet recognized by Bitdefender Free (rightly by file protection). By executing it, the behavioral analysis intervenes by blocking the malicious app (excellent) but it is not eliminated.

    Why?

    It should be quarantined and not left on the desktop.

    Here you can find the malware sample and the evaluation on Virus total:

    https://bazaar.abuse.ch/download/5466ad64faf97ff2f6cf88872406ce7891f2518c11101c0646575ef08bc9f6be/

    https://www.virustotal.com/gui/file/5466ad64faf97ff2f6cf88872406ce7891f2518c11101c0646575ef08bc9f6be


    Run the tests before it ends up in the AV signatures.


  • Nunzio77
    Nunzio77 Defender of the month mod

    In addition to the previous post, when running the malware from a USB stick, the message appears that it has been quarantined but a residual file of 0Kb remains.


  • Nunzio77
    Nunzio77 Defender of the month mod

    @mmirrakhur Were you able to test it too?


  • Flexx
    Flexx mod
    edited June 2022

    Checked it as of now and complete file was quarantined. There was no file left on desktop.

    Regards


  • Nunzio77
    Nunzio77 Defender of the month mod

    It is now in the AV signatures, as also noted on VirusTotal.


  • That was because I sent the file to the malware researchers. Still, I ran the file while disabling the real time protection (which disables the signature based detection if I double click the file instead of contextual scan) and executed the file and advanced threat defense came into action and quarantined the file.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Nunzio77
    Nunzio77 Defender of the month mod

    To me it stayed on the desktop. So could it just be a Bitdefender Free problem to fix?


  • Did you refresh the desktop or the respective page after the file was quarantined? I have no idea whether it is a problem with the free version since I use Total Security.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Nunzio77
    Nunzio77 Defender of the month mod

    The warning pop-up in this case only said that the application had been blocked; it did not communicate that it had been quarantined. The other time, while communicating that it had been quarantined, it remained on the desktop; after refreshing the desktop it was still on the desktop.


  • Nunzio77
    Nunzio77 Defender of the month mod
    edited June 2022

    Another malware sample not detected in the signatures; it is blocked if executed (excellent behavioral analysis) but is not quarantined (to be fixed):

    VirusTotal:

    https://www.virustotal.com/gui/file/e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

    malware link:

    [LINK TO MALWARE SAMPLE REMOVED]


  • Gjoksi
    Gjoksi Defender of the month mod

    Reported the .exe file as FALSE NEGATIVE to Bitdefender Labs.

    [FN] [Sample] Submission 1007503184

    So, we must wait for their response.

    @Alexandru_BD @mrmirakhur Check on this. Thanks.

  • Flexx
    Flexx mod
    edited June 2022

    I have removed the link to malware sample. Kindly refrain from sharing malware samples or link to malware samples on the forum. If you still want to share the samples, you can private message the admins and ask them your query related to it. As on the forum, virustotal link is more than enough.

    Additionally, the sample has been shared with the malware researchers.

    Regards


  • Nunzio77
    Nunzio77 Defender of the month mod

    Ok. Sorry 🙂

    However, this example is to draw attention to the fact that malware blocked by behavioral analysis, not present in signatures, is not always quarantined. 😉

    Thanks!


  • Flexx
    Flexx mod
    edited June 2022

    As per the reply from malware researchers via bitdefender support, the file is not malicious and not detected by signature based detection, however regarding the behavior blocking they are checking on it.

    Regards


  • Nunzio77
    Nunzio77 Defender of the month mod

    Thanks for the feedback, but that's not the case; Bitdefender blocked it for me and the Bitdefender notification came out. I don't remember if I cleared the register. If I can, I will check it tonight, and if I find it I will share it.


  • Sure, I have also asked the support team to get information related to advanced threat defense for the same sample from the malware researchers.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Nunzio77
    Nunzio77 Defender of the month mod

    For the following malware: e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

    as per Virus Total it is only recognized by 2 AVs:

    https://www.virustotal.com/gui/file/e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

    Bitdefender Free does not recognize it in the files but by executing it it is blocked by the behavioral analysis as seen from the images and even if it says that it quarantines it the file remains on the desktop and the quarantine is empty as seen from the images.

    What do you think?


  • Flexx
    Flexx mod
    edited June 2022

    I am still waiting for the response from the malware researchers through support regarding the blocking of the file by behaviour analysis on its execution.

    I have updated the support ticket with the images that you shared.

    As far as the detection by those 2 antimalware vendors on virustotal is considered, it can be easily made out that those are not signature based detection and instead machine learning based detection which are false negative.

    Regards


  • Gjoksi
    Gjoksi Defender of the month mod

    @Nunzio d'Abbruzzo

    Hello.

    Just to inform you that @Alexandru_BD has just added this community's rule:

    "Posting malware samples and /or URLs is not allowed in the community! Do not post direct links to any executable files, malicious/suspicious software or websites in threads, comments or private messages, even if you think the software or site is clean and incorrectly detected by Bitdefender. Should you wish to report a false positive / false negative detection, head to this link and submit your findings using the dedicated form."

    Kind regards.

  • Flexx
    Flexx mod
    edited June 2022

    Below is the update from malware researchers via Bitdefender support team.

    It seems that behavior blocking/machine learning detection has also been removed.

    Regards


  • Nunzio77
    Nunzio77 Defender of the month mod

    Why is it only blocked and not quarantined (see attached image)?

    It is not yet in the signatures.

    If it is blocked it should also be quarantined, to leave the PC clean.

    It is a general discourse not only on this specific sample.


  • It is a cloud based detection.

    Kindly share your query with bitdefender support team by dropping them an email at bitsy@bitdefender.com

    The support team will reply back to your query within next 24-48 hours excluding weekends.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Nunzio77
    Nunzio77 Defender of the month mod

    I sent the following email to the service center ... let's see if they understand the problem and solve it ...


    "Good morning,

    for example I did a test on this ransomware sample:

    removed link with example malware

    which is not yet present in the Bitdefender signatures:

    https://www.virustotal.com/gui/file/bb762f2ee1e1b87d0b2a6340f2470ed895cfefc2d809f58e187f735cbc808850

    Running the malware, Bitdefender Free blocks it, but the file remains on the desktop and is not quarantined."

    Let's see what they will answer me ..

    It's not hard to understand ... just run some tests and see how Bitdefender Free behaves ...😀😉


  • Nunzio77
    Nunzio77 Defender of the month mod

    They replied with this link:

    https://www.bitdefender.com/consumer/support/answer/2576/

    but I remain of the idea that an automatic action to quarantine the malicious file blocked by Bitdefender (even if it is not yet in the signatures) should be implemented.

    Thank you and I hope my feedback is welcomed by the development team. 😀


  • Nunzio77
    Nunzio77 Defender of the month mod

    I understood what happens in the free version as opposed to the paid one. In the advanced settings of the antivirus, in "actions on threats", leaving the choice on "perform appropriate actions", in some cases some applications are only blocked but not put in quarantine (I do not know by what criteria).

    In the paid version this option can be changed, while in the free version it is not. So in the paid versions you can choose to always quarantine everything, in the free version it is more automatic and some malicious applications are blocked but remain on the PC.

    What do you think @camarie ?


  • camarie
    camarie Principal Software Developer BD Staff

    @Nunzio d'Abbruzzo I do not know in great detail this area, but I suppose, as you noticed, the free version tends to be more automated/less customizable than the paid versions, as well as performing a subset of operations. But, again, I cannot say exactly what is there without knowing exactly the code.

  • Nunzio77
    Nunzio77 Defender of the month mod

    Thank you @camarie 🙂

    However, in my opinion in the free version at least this option could be left unlocked at the user's choice. 😉


  • Nunzio77
    Nunzio77 Defender of the month mod

    However, I wonder which of the three is the best choice:

    - take appropriate action;

    - move files to quarantine;

    - deny access

    I have a doubt ... if set to "move files to quarantine", is access denied anyway?

    How about @camarie @Alexandru_BD @Gjoksi @Scott and others?


  • Nunzio77
    Nunzio77 Defender of the month mod

    Recently I noticed this behavior in the Plus version as well, with another recent malware. I don't like it much. It keeps getting blocked with various pop-ups, but the malicious application kept running and stayed on the PC desktop. Placed on a USB stick, after execution it is blocked, deleted and quarantined. This bug needs to be fixed. With other free Russian AVs this does not happen.

    I have had no other replies to this.


  • Nunzio77
    Nunzio77 Defender of the month mod

    @Alexandru_BD can you report it to the developers?

    Thanks! 😉


  • Nunzio77
    Nunzio77 Defender of the month mod

    Another example of malware blocked but not removed.

    https://www.virustotal.com/gui/file/d36dfa6a4b6f9b227140179c2424fe17f113e925a4bb9e8f51e304b8ef4eabf3

    Even though it is indicated that it has been quarantined ("Disinfection successful"), on opening the quarantine the malware was not present there, and the file was still left on the desktop and this time also on the USB stick (I did a second test from a USB stick).

    In my opinion, in addition to blocking, it should quarantine the malicious file causing the infection.

    See detail image.




  • That is the behaviour blocker that has kicked in to block the file. Currently, Bitdefender has not created any signature against the sample file. The sample file has been shared with the malware researchers. Once signature-based detection is created, maybe then the file might get quarantined.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Nunzio77
    Nunzio77 Defender of the month mod

    So, just to understand: if the file is not in the signatures, the behavioral analysis blocks the file and all the other files that come into "play" without quarantining it?

    In other tests, it happened to me that the file was not yet in the signatures, but after being blocked by the behavioral analysis it was also quarantined.

    But I have noticed that this does not always happen, and it is still not clear to me why: whether this is normal behavior or there is something anomalous in some cases.


  • I have to always use google translator for your post, lol 😂

    The answer to this is not straightforward. Some files may get quarantined while some may only get blocked from execution.

    @Alexandru_BD, @Mike_BD do you guys have anything to share at your end?

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Hi,

    Nothing to add here, but I did forward the information to the Antivirus Free product team for review.

    Cheers

    Premium Security & Bitdefender Endpoint Security Tools user

  • Nunzio77
    Nunzio77 Defender of the month mod

    Thanks!

    I specify that I also tested with the Plus version. So my observation applies to both the free and paid versions.
