It’s not new the an AV surprises me, but it’s rare that they do in a pleasant way. So here is the story…
Let’s say you have a system that automatically processes emails and it also stores them as TXT files in a specific folder. Well, when I say TXT files, I really mean MSG files named as whatever.txt. I just found that Trend Micro Deep Security doesn’t just scan these files, but it “understands” that these are emails, so it treats them as emails. And there comes the magic.
Say, there is an alert that it detected and deleted a malware like this:
It doesn’t mean it deleted or did anything with the original file, but it deleted the malicious attachment from the “email”. So basically the TXT emails are always there, all Trend does is removing the malicious parts of the email.
If you check the TXT file, you can see Trend didn’t just delete the attachment, but it also put a placeholder there. Just like a AV on a mail gateway would do.
Honestly I was pretty surprised – this is kinda cool!
To double-check my theory I recovered the original file from Trend’s quarantine. As you can see in the original TXT file, there was a .7z attachment.
So Trend extracted the attachment – which was a VBS script btw – and detected it as malicious.
Just out of curiosity I did the legwork and extracted the VBS script and uploaded it to VirusTotal and also to Malwr. Below are the results – looks pretty bad.
Don’t get me wrong, I’m not impressed by the fact that it found a malicious file, but I’m kinda surprised by the fact that it didn’t just dumbly scanned the TXT files, but it detected them as e-mails.