Bitdefender Free - Blocks malware but doesn't always quarantine it.
I did a test with this ransoware:
On Virus Total it is stated that Bitdefender Free recognizes it.
On my PC if I do a scan it is not detected as malware. If I launch it it is blocked and therefore recognized as a dangerous object but not removed, it remains on the desktop.
Why does this happen?
I would have expected that, even if it is possibly not detected, because it is not yet present in the signatures (even if on VirusTotal it is already declared as malware even for Bitdefender), however after blocking it it should be quarantined and not left on the desktop.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
Comments
-
If you want to test the sample you can download it from here:
https://bazaar.abuse.ch/download/cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8/
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
Thanks, but no thanks! I don't want to get in trouble for no reason.
Anyway, you could send the file and the link to the malware research team, as i highly doubt that anyone here on his/her device, except @mrmirakhur on his virtual machine, will test the file.
Regards.
1 -
In fact my purpose was only to report this Bitdefender behavior which in my opinion is not correct. It is true that it protects the PC that is not damaged but the malware should be quarantined and not left on the desktop. I put the link for any "lab" tests to find the solution to this behavior. 🙂😉
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
1 -
Thanks for the sample. I downloaded it. Will update you tomorrow with the findings. I am using bitdefender total security, so will be checking the sample under that. This should not make any difference whether it is bitdefender antivirus free or bitdefender total security since both have the same baseline code.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
1 -
I did the test a little while ago and now it is detected, probably having updated the signatures it has finished with the new definitions and therefore it is detected and then quarantined, as always taking many seconds. The point, however, remains on the fact that when it was not in the signatures and therefore it was not detected, running it was blocked (which is very good) but it was not quarantined and remained on the desktop, instead in my opinion if detected as malicious it should be quarantined and don't stay on the desktop. 😉
Thanks!
Nunzio.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
1 -
Nice to know the issue has been resolved by the latest database update.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
0 -
But the goal of this post is not the fact that thanks to the signature update this malware (taken as an example) is detected, the point is that when a malware is not detected by the signatures and the behavioral analysis of Bitdefender still blocks it (this is great) the malware remains on the PC and is not quarantined even if Bitdefender reports that it is a malicious application and blocks it.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
In that case we may need to find a sample against which signature based detection is not created and behavior blocker of bitdefender works to stop the execution of the sample. If you can figure out the sample then let me know. Because without the sample even developers will not be able to reproduce the issue.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
0 -
Here is a new example of malware not yet present in signatures that is not yet recognized by Bitdafender Free (rightly by file protection). By executing it, the behavioral analysis intervenes by blocking the malicious app (excellent) but is not eliminated.
Because?
It should be quarantined and not left on the desktop.
Here you can find the malware sample and the evaluation on Virus total:
https://bazaar.abuse.ch/download/5466ad64faf97ff2f6cf88872406ce7891f2518c11101c0646575ef08bc9f6be/
https://www.virustotal.com/gui/file/5466ad64faf97ff2f6cf88872406ce7891f2518c11101c0646575ef08bc9f6be
Run the tests before it ends up in the AV signatures-
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
In addition to the previous post, when running the malware from a USB stick, the message appears that it has been quarantined but a residual file of 0Kb remains.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
@mmirrakhur Were you able to test it too?
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
Checked it as of now and complete file was quarantined. There was no file left on desktop.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
0 -
It is now in the AV signatures, as also noted on VirusTotal.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
That was because I sent the file to the malware researchers. Still, I ran the file while disabling the real time protection (which disables the signature based detection if I double click the file instead of contextual scan) and executed the file and advanced threat defense came into action and quarantined the file.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
1 -
To me it stayed on the desktop. So could it just be a Bitdefender Free problem to fix?
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
Did you refreshed the desktop or the respective page after the file was quarantined. I have no idea whether it is a problem with the free version since I use total security.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
0 -
The warning pop-up in this case only said that the application had been blocked, it did not communicate that it had been quarantined. The other time while communicating that it had been quarantined it remained on the desktop, refreshing the desktop was always on the desktop.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
Premium Security & Bitdefender Endpoint Security Tools user
3 -
Another malware sample not detected in the signatures, is blocked if performed (excellent behavioral analysis) but is not quarantined (to be fixed):
VirusTotal:
https://www.virustotal.com/gui/file/e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0
malware link:
[LINK TO MALWARE SAMPLE REMOVED]
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
Reported the .exe file as FALSE NEGATIVE to Bitdefender Labs.
[FN] [Sample] Submission 1007503184
So, we must wait for their response.
@Alexandru_BD @mrmirakhur Check on this. Thanks.
1 -
I have removed the link to malware sample. Kindly refrain from sharing malware samples or link to malware samples on the forum. If you still want to share the samples, you can private message the admins and ask them your query related to it. As on the forum, virustotal link is more than enough.
Additionally, the sample has been shared with the malware researchers.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
2 -
Ok. Sorry 🙂
However, this example is to draw attention to the fact that malware blocked by behavioral analysis, not present in signatures, is not always quarantined. 😉
Thanks!
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
As per the reply from malware researchers via bitdefender support, the file is not malicious and not detected by signature based detection, however regarding the behavior blocking they are checking on it.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
0 -
Thanks for the feedback, but that's not the case, Bitdefender blocked it for me and the Bitdefender notification came out. I don't remember if I cleared the register. If I can check it tonight and if I find it I share it.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
Sure, I have also asked the support team to get information related to advanced threat defense for the same sample from the malware researchers.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
0 -
For the following malware: e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0
as per Virus Total it is only recognized by 2 AVs:
https://www.virustotal.com/gui/file/e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0
Bitdefender Free does not recognize it in the files but by executing it it is blocked by the behavioral analysis as seen from the images and even if it says that it quarantines it the file remains on the desktop and the quarantine is empty as seen from the images.
What do you think?
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
I am still awaiting for the response from the malware researchers through support regarding the blocking of file by behaviour analysis on its execution.
I have updated the support ticket with the images that you shared.
As far as the detection by those 2 antimalware vendors on virustotal is considered, it can be easily made out that those are not signature based detection and instead machine learning based detection which are false negative.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
1 -
Hello.
Just to inform you that @Alexandru_BD has just added this community's rule:
"Posting malware samples and /or URLs is not allowed in the community! Do not post direct links to any executable files, malicious/suspicious software or websites in threads, comments or private messages, even if you think the software or site is clean and incorrectly detected by Bitdefender. Should you wish to report a false positive / false negative detection, head to this link and submit your findings using the dedicated form."
Kind regards.
2 -
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
1 -
Below is the update from malware researchers via Bitdefender support team.
It seems like that behavior blocking/ machine learning detection has also been removed.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
2 -
Why is it only blocked and not quarantined (see attached image)?
It is not yet in the signatures.
If it is blocked it should also be quarantined, to leave the PC clean.
It is a general discourse not only on this specific sample.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
It is a cloud based detection.
Kindly share your query with bitdefender support team by dropping them an email at bitsy@bitdefender.com
The support team will reply back to your query within next 24-48 hours excluding weekends.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
2 -
I sent the following email to the service center ... let's see if they understand the problem and solve it ...
"Good morning,
for example i did a test on this ransoware sample:
removed link with example malware
which is not yet present in the Bitdefender signatures:
https://www.virustotal.com/gui/file/bb762f2ee1e1b87d0b2a6340f2470ed895cfefc2d809f58e187f735cbc808850
Running the Bitdefender Free malware blocks it but the file remains on the desktop is not quarantined.
Let's see what they will answer me ..
It's not hard to understand ... just run some tests and see how Bitdefender Free behaves ...😀😉
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
They replied with this link:
https://www.bitdefender.com/consumer/support/answer/2576/
but I remain of the idea that an automatic action to quarantine the malicious file blocked by Bitdefender (even if it is not yet in the signatures) should be implemented.
Thank you and I hope my feedback is welcomed by the development team. 😀
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
2 -
I understood what happens in the free version as opposed to the paid one. In the advanced settings of the antivirus in "actions on threats" leaving the choice on "perform appropriate actions" in some cases some applications are only blocked but not put in forty (I do not know by what criteria).
In the paid version this option can be changed, while in the free version it is not. So in the paid versions you can choose to always quarantine everything, in the free version it is more automatic and some malicious applications are blocked but remain on the PC.
What do you think @camarie ?
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
1 -
@Nunzio d'Abbruzzo I do not know in great detail this area, but I suppose, as you noticed, the free version tends to be more automated/less customizable than the paid versions, as well as performing a subset of operations. But, again, I cannot say exactly what is there without knowing exactly the code.
2 -
However, I wonder which of the three is the best choice:
- take appropriate action;
- move files to quarantine;
- deny access
I have a doubt ... if set to "move files to quarant" anyway access is denied?
How about @camarie @Alexandru_BD @Gjoksi @Scott and other?
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
Recentemente ho notato questo comportamento anche nella versione plus con un altro malware recente. Non mi piace molto. Continua a bloccarsi con vari popup, ma l'applicazione dannosa ha continuato a funzionare e sul dektop del PC. Messo su una chiavetta USB dopo l'esecuzione viene bloccato e cancellato e messo in quarantena. Questo bug deve essere corretto. Con altri AV russi gratuiti questo non accade.
Non ho avuto altre risposte a questo.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
@Alexandru_BD can you report it to the developers?
Thanks! 😉
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
Another example of malware blocked but not removed.
https://www.virustotal.com/gui/file/d36dfa6a4b6f9b227140179c2424fe17f113e925a4bb9e8f51e304b8ef4eabf3
Even if it is indicated that it has been quarantined "Disinfection successful" open quarantine, the malware was not present in the quarantine and the file was always left on the desktop and this time also on the USB stick (I did a second test from a USB stick).
In my opinion, in addition to blocking, it should quarantine the malicious file causing the infection.
See detail image.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
That is the behaviour blocker that has kicked in to block the file. Currently, bitdefender has not created any signature against the sample file. The sample file has been shared with the malware researchers. Once, signature based detection will be created, maybe then the file might get quarantined.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
2 -
Quindi giusto per capire, se il file non è nelle firme, l'analisi comportamentale blocca il file e tutti gli altri file che entrano nel "gioco" senza metterlo in quarantena?
A me, facendo altri test, è capitato che il file non fosse ancora nelle firme ma dopo essere stato bloccato dall'analisi comportamentale è stato anche messo in quarantena.
Ma ho notato che questo non accade sempre e non mi è ancora chiaro perché. Se si tratta di un comportamento normale o c'è qualcosa di anomalo in alcuni casi.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
0 -
I have to always use google translator for your post, lol 😂
The answer to this is not straight forward. Some files may get quarantined while some may only get blocked from execution.
@Alexandru_BD, @Mike_BD do you guys have anything to share at your end.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
0 -
Hi,
Nothing to add here, but I did forward the information to the Antivirus Free product team for review.
Cheers
Premium Security & Bitdefender Endpoint Security Tools user
1 -
Thanks!
I specify that I also tested with the Plus version. So my observation applies to both the free and paid versions.
Nunzio ·
Bitdefender Plus, Windows 10 Pro-32 Bit, CPU Intel Core2 Duo T7500, RAM 4 Gb - Bitdefender Mobile Security
1