large javascript EVAL code in php files = NOT DETECTED ?

-Satori-

Hi 

 

I put a copy of my infected wordpress blog on my local hard disk and make a right click to scan for viruses with my F-SAFE antivirus. 

 

It did NOT detect any of the javascript threads written in 11 php files or js files or hidden .files

 

Is there a solution or a method against that ? 

 

Thanks to who helps and answers 

 

Best whishes for the new year to everyone 

 

Fred

Ukko

Hello,

 

I am only an F-Secure user (their home solutions).

You could check some things:

 

-- An ability to contact their F-Secure Labs.

• https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample

for example, it is possible to transfer files and to receive feedback from Labs.

As described there:

• https://community.f-secure.com/t5/Common-Topics/How-can-I-submit-samples-to-F/ta-p/77674
• https://community.f-secure.com/t5/Common-Topics/How-can-I-submit-large-samples/ta-p/77499

-- To check settings under F-Secure SAFE manual scanning.

For example, 'check' to scan inside compressed files and 'uncheck' to scan only known file types.

• https://help.f-secure.com/product.html#home/safe-windows/latest/en/task_DA9DC2D0CF664461B679DD6157516892-safe-windows-latest-en

Thanks!

-Satori-

Hi 

 

Thanks for the answer 

 

In gigagytes of data, I ask my antivirus to detect these kind of javascript threats.

I am unable to find them by myself for making smaples and submit them to F-secure. 

 

Switching between type of files does not help to make a single step in detecting those javascript, but thanks anyway. 

 

Bye

Ukko

Hello,

 

Sorry for my amateur opinion.

 

I think that "eval" code itself is not always malicious. So, to detect it only based on this is not an option.

Thus, certain piece of code or functionality should be known as a malicious or clearly harmful for static analysis (or dynamic ?! ones on the cloud). In addition, if there are any forms of obfuscation - then to detect item is much more troublesome.

 

I can to think about some reasons of "not detected":

-- file is not a malicious item. Or certain inserts are not known as a malicious;

-- malicious payload is obfuscated and detection is not applied;

-- to large size of scanned file (skipped as a result).

 

infected wordpress blog any of the javascript threads written in 11 php files or js files or hidden .files

Is wordpress blog indeed with malicious inserts? If so - enough to check with one example to understand whether F-Secure detect it or not.

 

In gigagytes of data, I ask my antivirus to detect these kind of javascript threats.

I am unable to find them by myself for making smaples and submit them to F-secure. 
 

 Perhaps, good to use specific tools for such. F-Secure home (?!) solution is not always too useful against specific tasks.

But, as a general situation, F-Secure do able to detect Javascript malicious files and so.

 

Thanks!