My wife downloaded that, not sure how, came from a mail I think, she probably clicked on an attachment randomly: I found it in a shared folder, knew I never put it there, and it disappeared from view as soon as I clicked on it (I know I shouldn’t have clicked, I should have scanned it first :) ). Okay, I then found it in Chest on her laptop, which explains how it disappeared as I said.
One question I have here is why it wasn’t scanned and sent to Chest immediately when it was saved to disk in the first place. That’s an executable, so why was it ignored until it got manually executed??? (Not to mention that the webshield didn’t stop it.)
FLVDIRECT.EXE has been seen to perform the following behavior:
Writes to another Process’s Virtual Memory (Process Hijacking)
This process creates other processes on disk
Executes a Process
Registers a Dynamic Link Library File
Creates new folders on the system
This Process Deletes Other Processes From Disk
Injects code into other processes
Found on infected systems and resists interrogation by security products
FLVDIRECT.EXE has been the subject of the following behavior:
Created as a process on disk
Executed as a Process
Has code inserted into its Virtual Memory space by other programs
Terminated as a Process
bump:
1. I’d like to know why the web shield didn’t intercept the file and abort the download connection.
2. I’d like to know why a malicious executable isn’t sent to Chest (by the file shield) as soon as it’s saved to disk.
thank you :)
ps: for the fs behavior, maybe because it’s already blocked from self-execution by Windows?
No, it was only detected when I clicked on it (it’s pure chance that I found it), and that was earlier today with 100513-0. And I’m sure it was downloaded today.
and the problem is that I have no way atm to simulate a new download of it (to compare with the new database behavior); if I restore it from Chest it will just be restored to a folder of my choice and that’s it, until I either execute it or scan it.
I might do that later from the mail it came from (not my mail box and not on my laptop)…after removing it from Chest there first to make sure there’s no old detection referred to…
No no, it is detected by the file system shield, but only once you click on it, not when first saved to disk during the download (and of course the webshield doesn’t detect it).
okay solved ;D >>> two alerts when attempting to download it from the original web site hxxp://www.flvdirect.com/ (I thought it was bundled to another site with subscription, that’s why I didn’t try to find the file before).
1st alert from the web shield, but the file is still downloaded, and then blocked automatically by the file system shield. Wondering why the web shield doesn’t block everything, but fine, that’s better than the previous behavior. See screenshots.
ps: this was in Chrome, and the behavior in Firefox is a bit different >>> first similar web shield alert, and second alert from the file shield, very quickly, not enough time to click on save. Also, that’s a Windows process being involved when the detection is done from Firefox.
True, Network Shield recently detected a malicious website, and I had access. Without block. I think it should be a bug in the current version. 5.0.545