Posts posted by novice

  1. 24 minutes ago, itman said:

    You're "over-thinking" the problem.

    Not really:

    Just an example: I have Malwarebytes, and Mbamservice.exe is supposed to have access to the internet for updates, license check, etc. So I allowed Mbamservice.exe to connect to various URLs.

    At the same time Malwarebytes Assistant (Assistant.exe) will act as a "parent" application and will launch the same Mbamservice.exe as "child" to submit telemetry data, which I want to block. In this particular situation I know which one is the "parent" and which one is the "child", so I can create rules in any firewall.

    However, in day-to-day operation it is impossible to say which is which and what they are doing (the same is valid for Adobe Acrobat and Adobe Manager), so unless the firewall is telling you that "this application" is trying to connect to the internet using "that application", you will never know.

  2. 52 minutes ago, itman said:

    target is both IE11 x(86) and x(64) executable full path name location

    That would be easy.

    The problem is you never know which "parent" application will launch which "child" application; so the "child" application doesn't necessarily have to be IE each time.

    So, how do you make the rules not knowing which "child" application is going to be launched?????

  3. For example, I allow IE to communicate over the internet using TCP/UDP ports 80 and 443 (for general browsing of the internet).

    At the same time for an undesirable item (let's say "undesirable.exe") I block access to the internet.

    However, "undesirable.exe" as a parent application will launch "IE" as a child application and will get out on the internet, even though my intention was to prevent this.

    For known "parent" / "child" applications I can create HIPS rules, but they can be in any combination, so without a mechanism which would tell you that a "parent" is trying to use a "child", you cannot control access to the internet.
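An added example, not code from the thread or from any of the products discussed: a toy outbound-policy check that walks the parent chain of the connecting process, so that iexplore.exe started by undesirable.exe is refused while iexplore.exe started from explorer.exe is allowed. The process snapshot, image names, ports and rule tables are all constructed for illustration.

```python
"""Ancestry-aware outbound decision (constructed example, not a real firewall)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str   # lower-case executable file name

# Constructed process snapshot: pid -> Proc.  Two IE instances exist, one
# launched from explorer.exe and one launched by undesirable.exe; likewise
# mbamservice.exe once as a service and once as a child of assistant.exe.
SNAPSHOT = {
    4:   Proc(4,   0,   "system"),
    100: Proc(100, 4,   "explorer.exe"),
    200: Proc(200, 100, "undesirable.exe"),
    300: Proc(300, 200, "iexplore.exe"),      # IE as child of undesirable.exe
    400: Proc(400, 100, "iexplore.exe"),      # IE started by the user
    500: Proc(500, 100, "assistant.exe"),
    600: Proc(600, 500, "mbamservice.exe"),   # telemetry submission path
    700: Proc(700, 4,   "mbamservice.exe"),   # normal service instance
}

# Per-image allow rules (ports) and the parents whose children are refused.
ALLOWED = {"iexplore.exe": {80, 443}, "mbamservice.exe": {443}}
BLOCKED_PARENTS = {"undesirable.exe", "assistant.exe"}

def ancestry(pid, snapshot):
    """Process followed by its parents, root-most last; stops on unknown/looped pids."""
    chain, seen = [], set()
    while pid in snapshot and pid not in seen:
        seen.add(pid)
        chain.append(snapshot[pid])
        pid = snapshot[pid].ppid
    return chain

def decide(pid, port, snapshot=SNAPSHOT):
    """Return ("allow"|"deny", reason) for an outbound connection attempt."""
    chain = ancestry(pid, snapshot)
    if not chain:
        return "deny", "unknown process"
    proc = chain[0]
    if port not in ALLOWED.get(proc.image, set()):
        return "deny", f"{proc.image} has no rule for port {port}"
    for parent in chain[1:]:          # the check a plain per-image rule lacks
        if parent.image in BLOCKED_PARENTS:
            return "deny", f"{proc.image} launched by blocked parent {parent.image} (pid {parent.pid})"
    parent = chain[1].image if len(chain) > 1 else "none"
    return "allow", f"{proc.image} on port {port}, parent {parent}"
```

A firewall that sees only the connecting image cannot make this distinction; the policy needs the parent pid recorded at process creation to be evaluated this way.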

  4. 9 hours ago, ram1220 said:

    I also turned off the paid version of MB. Too many problems. I only use it as an on demand scanner now.

     

    MBAM has grown in complexity since v1.75 (when it was simply a "second layer" to any antivirus) and cannot be used with a sophisticated antivirus like ESET.

    Malwarebytes recently acquired Windows Firewall Control from Binisoft and has everything to be a fully fledged antivirus (even though they say MBAM is still compatible with any antivirus).

     

    I run MBAM and MSE without issues.

  5. 46 minutes ago, cyberhash said:

    "Tests" don't equate to real world.

    In the real world everything is based on tests.

    You want a driver's license? You have to pass a test!

    You want to get to university? You have to pass a test!

    You want to get a job? You have to pass an interview!

    Why do I have to wait to get infected first and after that to ask questions???

    See here for example: "rapid ransomware detection?" 

    I've encountered a rapid ransomware sample around 15 hours ago. At that time, ESET's scanner couldn't detect it (while other major vendors already detected it on VT). "

    46 minutes ago, cyberhash said:

    The OP and others keep referring to tests but have never fallen short of protection themselves when using the products.

    I have been using MSE alone for many years and never got infected. And what?

     

    46 minutes ago, cyberhash said:

    "What If's" is fruitless and misleading to other users.

    "What if's" is a legitimate question, especially now  when ESET doesn't participate anymore in AV Test!!!!

  6. 55 minutes ago, itman said:

    Here's an ad hoc test that Malware Research Group performed when EternalBlue was running around "in the wild": https://www.mrg-effitas.com/wp-content/uploads/2017/05/screencapture-mrg-effitas-eternalblue-vs-internet-security-suites-and-nextgen-protections-1495176251119.pdf . Eset was one of only three AV/NextGen products to detect it.

    Yes, this shows one more time that ESET bases its detection on the Web shield and signatures, even though it has a DEDICATED antiransomware shield (most likely some generic HIPS rules).

     

    I ran WANNACRY live on my PC with only the Antiransomware shield from MBAM, and the threat was quarantined after 4 files had been encrypted.

    This is what a dedicated antiransomware shield is supposed to look like.

  7. Well, I tried the test, ZERO reaction from ESET. And when I say ZERO I do not exaggerate!!!!

    IE11 64-bit open, IE11 64-bit added to the test, run all tests -----> ZERO reaction from ESET

    IE11 32-bit open, IE11 32-bit added to the test, run all tests -----> zero reaction from ESET

    I can say, with 99% probability, that there is no viable dedicated antiexploit shield in ESET.

    ESET hopes to catch the exploit with the web shield, based on the signature of the exploit vector, on cloud-based detection and maybe with some generic HIPS rules, but no, there is no dedicated antiexploit shield.

  8. 21 minutes ago, 0xDEADBEEF said:

    I've evaluated several other vendors' so-called "ransom shield"

    Have you tried RanSim on ESET? Nothing is being detected, with the explanation: we know that it is a simulator, but in real life ESET will behave differently.

    Here is the real life: this rapid ransomware sample, where you end up having several files encrypted.

  9. 2 hours ago, itman said:

    Ransomware creators will randomize their file encryption activities within and across directories to avoid detection

    You just said that "Ransomware creators will randomize their file encryption activities within and across directories to avoid detection", so how is "If that usage exceeds a predetermined threshold in predefined directories, shut it down" going to work???

     

    11 minutes ago, itman said:

    If that usage exceeds a predetermined threshold in predefined directories, shut it down.
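An added example, not from the thread or from any vendor's product, of the two counting strategies the exchange above contrasts: a per-directory threshold versus a per-process threshold applied to the same constructed stream of file writes. Paths, process names and timings are all made up for illustration.

```python
"""Two write-burst heuristics over a constructed file-event log."""
from collections import defaultdict, deque
import ntpath

DOCS = r"C:\Users\u\Documents"
PICS = r"C:\Users\u\Pictures"
DESK = r"C:\Users\u\Desktop"
MUSIC = r"C:\Users\u\Music"

# Constructed event log: (seconds, pid, image, path written)
EVENTS = (
    # pid 10 hammers a single directory: 6 files in 2.5 seconds
    [(0.5 * i, 10, "locker_a.exe", ntpath.join(DOCS, f"doc{i}.docx")) for i in range(6)]
    # pid 20 spreads the same burst over four directories, 2 files in each
    + [(0.4 * i, 20, "locker_b.exe", ntpath.join(d, f"f{i}.txt"))
       for i, d in enumerate([DOCS, PICS, DESK, MUSIC] * 2)]
    # pid 30 is an editor saving one document twice, a minute apart
    + [(0.0, 30, "winword.exe", ntpath.join(DOCS, "report.docx")),
       (60.0, 30, "winword.exe", ntpath.join(DOCS, "report.docx"))]
)

def alerts(events, key_fn, threshold, window):
    """Keys whose write count inside any `window`-second span reaches `threshold`."""
    fired = set()
    recent = defaultdict(deque)          # key -> timestamps still inside the window
    for ts, pid, image, path in sorted(events):
        key = key_fn(pid, image, path)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:        # expire timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            fired.add(key)
    return fired

def by_directory(pid, image, path):
    """The "threshold in predefined directories" rule: one counter per (pid, dir)."""
    return (pid, ntpath.dirname(path))

def by_process(pid, image, path):
    """Count every write of the process, whichever directory it lands in."""
    return (pid,)

if __name__ == "__main__":
    print("per-directory:", alerts(EVENTS, by_directory, threshold=5, window=10))
    print("per-process:  ", alerts(EVENTS, by_process, threshold=5, window=10))
```

With threshold 5 and a 10-second window the per-directory counter fires only for pid 10, while the per-process counter fires for both lockers and stays silent for the editor; the per-process key is what survives writes being spread across directories, at the cost of needing a separate whitelist for backup and sync tools.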

     

  10. 3 hours ago, Marcos said:

    Not really [...] In such case, the malicious part of the code is removed/sanitized and a copy of the original file is placed in quarantine in an encrypted form in case one would need to restore it at a later time.

    I do not understand "Not really". In the situation mentioned by you, the user would have 2 identical files (by name): one sanitized, in the original location, and one "original" placed in quarantine, BOTH OF THEM WITH THE SAME NAME.

    So why "not really"????

  11. 6 minutes ago, cyberhash said:

    I could do exactly the same thing creating a password protected file using Winrar, which is legitimate.

    Yes, you could! But I would rather prefer ESET to detect even this (RAR encryption) and to let me know that "RAR is trying to encrypt", YES or NO.

    At this point , ESET had ZERO reactions to any test run.

  12. 6 minutes ago, cyberhash said:

    But I suspect it's nonsense that would return the same result when run under any security product

    I wouldn't be so sure: see the detection by Malwarebytes (everything disabled, only Antiransomware protection active).

    This is the purpose of "Test Files": to test a capability.

    An answer such as "we know that it is a test file, that's why we did not detect it" is an insult to a paying user.

    MBAM.jpg

  13. 9 minutes ago, cyberhash said:

    The answer is in the name ....... It's a "Simulator" = not the real thing

    This is the convenient answer, to justify failure. The Antiransomware protection in ESET is based on HIPS, which cannot distinguish between a simulator and a real threat (unless the simulator is on a whitelist).

    See here a test with EICAR, another "simulator":

    Yet, ESET will detect it as a normal threat.

    eicar.jpg
