Kaspersky
Question

virus in eml file detect only with manual scan and not real time scan, Why ?


Userlevel 2

hello to every body

i have got a big problem

i received an email that has got attachment and i save that email in eml file and after that for better test i zip that file and test with some antivirus

1 = when i upload eml file into virustotal.com then antivirus scan and alert that file has got a virus

2 = i install mcafee virus scan enterprise edition in virtual machine and update that, and when i extract eml file from zip file, mcafee detect and delete eml file, and i check mcafee setting is set on all file scan.

3 = i install kaspersky internet security and update that, check setting and all file scan is enable, when i extract zip file kaspersky does not alert any virus, but when right click on file then click scan for virus, then kaspersky alert virus found

 

now question is , when kaspersky setting is set on all file scan, why kaspersky does not detect that eml file and only when right click and then scan click, after that it detect eml file that contain attachment virus ?

 

is that any setting to enable for detect virus in eml file in real time protection enable ?

 

For security reason i send that file in zip file [REMOVED BY MODERATION]
that has got password 123

 


28 replies

Userlevel 2

i send my question to support team

and this is their answer

 

“Thank you for your patience. We have just received a response from our experts. This behavior has been tested, and we registered it as a bug. As soon as we receive a response from our developers, we will notify you. Please wait.”

Userlevel 2

I am not convinced

so its name must not all files

its name must specific file

Userlevel 7
Badge +8

The file type eml is just an exported content of an email message, usually users don’t export messages and send the eml file, except for specific situations…  anyway as I already said: setting Kaspersky Selective Scan to High Security Level will scan and detect malicious threats inside, if You open it Kaspersky (in Defaults Settings) will detect it, if You try to send it via email again Kaspersky (in Defaults Settings) will detect it and again if You try to send it via a browser, Kaspersky (in Defaults Settings) will detect it… so Kaspersky can detect eml with different layers of protection…

 

Agree that Kaspersky does not scan an eml directly in real-time protection but it is not necessary, since it is not a direct executable type, that eml remains harmless unless You manually open it, and in the other cases if You try to open or send it We know Kaspersky will detect it in Defaults Settings… so as I said, it is enough safe behaviour for me, anyway contact to Kaspersky Support for an extra information :)

Userlevel 2

dear @harlan4096 

your answer is good

but imagine when you have share folder that all users save their eml file in that folder, when mcafee install, eml file scan and when virus found inside it, clean and delete

but when kaspersky install, can not scan and users can send eml file with virus in it so easy

why ?

this is not good, i want my system resource is used very high, i have not problem with that, but kaspersky scan all file, not selected by itself

my boss like mcafee and i love kaspersky, but in this situation i lose this game because kaspersky not scan all file and my boss winner, WHHHHHHHY ?

this is so bad

Userlevel 7
Badge +8

I also guess that the problem here is that the eml by itself is not malicious or infected, since it is an email message but contains a malicious attach (.doc), so probably that’s why Kaspersky does not process it directly but it detects and delete only that malicious attach and not the complete file…

 

Probably other av firms just add a signature for the complete file, but Kaspersky in this case focuses only in the malicious part of the doc...

Userlevel 2

thanks @Friend 

but i set both ( iSwift, iChecker ) to disable and test with new name and location with high setting but it doesn't detect again

heuristic analyzer is not for a file that has got a virus, heuristic analyzer  is for file execute and check and track their file and area that is access and modified and then if is harmful must be restore and or alert to user that file is harmful, but this file not execute and kaspersky when manual scan detect as trojan inside it. so antivirus must be detect that file when select high setting and all file selected.

Userlevel 7
Badge +9

@hellboy755 . according to the virustotal results, it is clear that the detection takes place with a heuristic analyzer, and not with bases.
The antivirus also uses scan optimization technologies, that is, the same file may not be scanned again, even after changing the antivirus settings, if these technologies are not disabled.
For checks, the high level must be changed in the settings in the section: Scan  https://help.kaspersky.com/KIS/2020/en-US/68154.htm

Userlevel 2

dear @harlan4096 

i have both mcafee and kaspersky

when mcafee set all file scan, then when extract eml file, the file is detected

but when kasper is on all file scan, kaspersky not scan eml

this is my question, why kaspersky all file scan doesnt work ?

you can test with mcafee, my problem is only kaspersky or other antiviruses has got option to all file scan, but this option doesnt work, why ?

why mcafee all file scan works ?

i would like someone explain why ? and can solve the problem that kaspersky scan my all my files, not only that file his like to scan.

thanks a lot for your test

Userlevel 7
Badge +8

Well, I have been running some different tests with that eml file, and these are my conclusions:

 

1.- In FileAV module set to default Recommended or in Security Level set to High, it seems the file will not be detected on extracting or on accessing it (for example opening the folder where it is located), unless You open it with a mail client application.

 

2.- If You try to send it via a browser, the file will be detected (WebAV module in Default/Recommended Security Level).

 

3.- If You try to send it via an email client, for example via SMTP also the file is detected (MailAV module in Default/Recommended Security Level).

 

4.- If You run manual on demand scan/Selective Scan over the file (Security Level set to High), it will be also detected.

 

Since this kind of file will remain harmless unless You open or send it, I am enough satisfied with Kaspersky's behaviour… so my suggestion is to set Selective, Quick and Full Scan settings to High Level, and keep in Recommended the resident modules FileAV, WebAV and MailAV.

 

That file is already detected by Kaspersky, so no need to do extra working sending it to Kaspersky VirusDesk:

 

 

Userlevel 2

i send the link to dear @harlan4096 

Userlevel 7
Badge +8

you can test file that i attach in first my send message


Your eml-file attachment in your first post that contains the suspicious doc-file  has been deleted for security reasons. You could eventually upload the file on a Cloud service  and PM the link to @harlan4096 

Userlevel 2

hi dear @harlan4096 

i know what option you speak about that and i set this option too

but it doesnt detect that eml file

you can test file that i attach in first my send message

 

Userlevel 7
Badge +8

@hellboy755: FileAV (resident protection) is set by default to Scan by Format, taken from Online Help:

If you select this option, File Anti-Virus scans only files which a virus could infiltrate. Before searching for viruses in a file, its internal header is analyzed to determine the file format (TXT, DOC, EXE, etc.). During the scan, file extensions are also taken into consideration.

File Anti-Virus treats files without extensions as executables. File Anti-Virus always scans them, regardless of the file types you have selected for scanning.

 

Probably .eml files are not included directly in this scan, since eml file type is not directly executable and You need to open it with an application. You may try to set Your FileAV to All Files and check again, but probably this setting will slow down Your system:

 

Also as @Friend already said, if You modify the main FileAV Security Level to High, All Files are scanned and Heur is also set to Deep Scan, but also this may slow down Your system, so FileAV is set by default to optimum and to offer a great performance.
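
Added example, not part of the thread and not Kaspersky's or McAfee's code: the posts above describe an .eml as a container whose malicious part is the attached .doc, and a resident scanner that picks files by their internal header. This sketch unpacks an .eml with Python's standard `email` package and reports each attachment's header-sniffed format and SHA-256, so files in a shared folder can be triaged by attachment; the sample message, addresses, file name and the small magic-byte table are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, minimal magic-byte table (a real "scan by format" engine knows far more).
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy .doc/.xls)",
    b"PK\x03\x04": "ZIP/OOXML (.docx, .zip)",
    b"MZ": "PE executable",
}

def sniff(data: bytes) -> str:
    """Identify a format from its leading bytes, ignoring the file extension."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def unpack_eml(raw: bytes) -> list:
    """Return one record per attachment: name, declared type, sniffed format, SHA-256."""
    msg = message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        # decode=True reverses the base64/quoted-printable transfer encoding.
        payload = part.get_payload(decode=True) or b""
        records.append({
            "filename": part.get_filename() or "(unnamed)",
            "declared": part.get_content_type(),
            "sniffed": sniff(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return records

def build_sample() -> bytes:
    """Constructed sample: harmless bytes that carry only the OLE2 header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    fake_doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application",
                       subtype="msword", filename="invoice.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    raw = build_sample()
    print("container sniffed as:", sniff(raw))  # the .eml itself is plain text
    for record in unpack_eml(raw):
        print(record)
```

The container's own bytes are text headers plus a base64 body, so the attachment's header only becomes visible after the MIME part is decoded.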

Userlevel 2

hi again dear @Berny 

thanks a lot

i hope some people can help me for this problem in this community forum

i send my question to support team and i wait for their answer

 

Userlevel 7
Badge +8

@hellboy755  I would like to help you but your best option is to continue with Kaspersky Lab Technical Support ….

Userlevel 2

hi @Berny  again

 

SHA256 of my file is : d98dff28b9d7947431da8d35cdf54e9b1acee32282f41446a1079298a2d8f987

 

you can test with hash calculator

 

 

 

 

and when you upload into virustotal.com it detect that

 

 

 

 

 

you must set security level of scanning to high to detect eml file with right click scan

Userlevel 7
Badge +8

@hellboy755 Please see below
 

*.eml Scan

 

*.doc scan

 

Please contact K-Lab Technical Support https://center.kaspersky.com

Also , please don’t attach potential infected objects.

Userlevel 2

hi @Berny 

so i use advanced version

do you know why kaspersky does not detect eml file after extract and when you scan manually find attachment virus ?

Userlevel 2

hi @Friend 

i set that option too at the first of my test

but does not solve my problem and kaspersky does not detect file again

Userlevel 7
Badge +8

i dont have premium trial license

FYI product descriptions are available here :
> “Essential” stands for KAV
> “Advanced” stands for KIS
> “Premium” stands for KTS

Also , for security reasons i removed your potential infected attachment


 

Userlevel 7
Badge +9

Hi, @hellboy755 ,
It depends on the level of protection that you have set in Settings -> General -> Security level
If you set a maximum security level  of protection, then the file should be immediately detected

Userlevel 7
Badge +9

Hello  @hellboy755 ,

“5 = kaspersky install in trial version for test and 26 days left” is KIS Premium Trial license

Thank you

Userlevel 2

i dont have premium trial license

Userlevel 7
Badge +9

Hello  @hellboy755,

I understand the question. 

As you have KIS Premium Trial license, raise a case with Kaspersky Technical Support, provide them with the KIS Report, history & information, a GSI & Windows Logs, they may also ask for Traces, run as the issue is replicated, they will guide you with the collection of the Traces.

Thank you

Userlevel 2

thanks for you replying

but my question is very clear

i dont speak about outlook

why mcafee all file scan setting, when i extract file , detect attachment virus but kaspersky does not detect that and must right click and manual select scan ?

how can i tune kaspersky to detect that file
