Hello!
Windows Defender (Windows 10 Pro x64 v1909 build 18363.1016) has blocked 3 times AgentTesla malware on a dual-boot machine (with Linux Mint 19.2 x64). As you may see in the picture below ,it does not say from where it was removed.
In my own research I could find that AgentTesla is one of those malware which steal and transmit/disclose user info and as well as acts as gateway for ransomware. It is a .NET-based malware.
Microsoft says that "Windows Defender Antivirus detects and removes this threat.". Nonetheless, I have done my best to find and remove it but I was not successful. I have employed:
Windows Defender, which has been run in quick, full, custom (c:\ only) & offline modes;
Microsoft Safety Scanner;
Linux: clamav (from Cisco), running twice with and without the extra unofficial malware signatures;
Bootable Rescue Disks (.iso) from Norton, Trend Micro and Avira.
Windows-based tools Norton Power Eraser and Trend Micro tool.
As I have aforementioned, none of them have found it (okay, it may have been indeed removed).
I would like to know if those notifications could be some sort of false positive. I have never received what seems to be a false positive notification from Microsoft Defender. It have to admit it has startled me. Moreover, may I render this machine as clean?
As usual, all signatures / virus intelligence were updated before scanning.
Thank you,
Sandro
References:
https://krebsonsecurity.com/2018/10/who-is-agent-tesla/
https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant
