0xDEADBEEF last won the day on June 5

  1. Yes, as I said, HIPS is the foundation of Ransomware Shield. In general, you can view the ransomware shield as HIPS + a complex rule set made by ESET that is not visible to end users. And that's why it is a behavior-based defense layer.
  2. In most cases it should be OK. But as the forum rules say: https://forum.eset.com/topic/76-rules-of-the-eset-security-forum/ I just don't want to touch any topics that fall inside the grey zone.
  3. I think Marcos was referring solely to the HIPS module (by default the auto mode indeed doesn't block most behaviors, but it serves as a foundation for other protection layers like the memory scanner and ransomware shield). Ransomware shield is different. It is a behavior-based defense layer. It is more complicated than writing custom rules in the HIPS rule table because so far there is no simple rule in the world that can block ransomware with a guarantee of low FPs. I can say this for sure because I've tested the ransomware shield using my own code.
  4. Kaspersky indeed has some decent behavioral defense mechanisms, but it is not without its issues. I tend not to compare products in this forum so I will stop here 🙂 Generally there are always trade-offs.
  5. Yes, it is a behavior monitoring component (potentially combined with cloud reputation and other methods). The thing to keep in mind is that it is hard to distinguish malicious file modification behaviors from legitimate ones. So to balance the detection rate and false positives, there will be weaknesses in such a protection layer. And that's why multi-layer protection is important.

  6. Game downloader false positive?

     Yes, I have the habit of zipping the samples and naming them using the SHA-1 hash before submission. I have observed this for months (I was using Chrome), and I think it is a bug. Previously Opera had this issue with the VPN on, then this issue propagated to Chrome and potentially more browsers. If you use the built-in VPN in Opera, you will find the quarantined sample downloaded through Opera can't even be restored to its original place. BTW, nearly all FPs I've encountered in ESET products are such Generik detections, which makes sense.

  7. Game downloader false positive?

     Is this sample indeed malicious/PUA? Though I didn't do a careful analysis of this sample, judging from the source and digital signature it is likely to be benign, with not-so-few users (according to LiveGrid). It is a bit unusual to see ESET holding a potential FP for such a long time.

  8. website bug?

     Nope, and I also tested two other browsers (Chrome and Opera, also tested incognito mode); both have the same issue.

  9. website bug?

     Not sure if this is a bug or an issue only on my computer. It seems ESET's official website changes web content according to the browser's user agent. So when I browse using Ubuntu, the top portion is missing, as shown below... If I use a user agent switcher and change to IE for example, the top part is fine. My browser's user agent string is: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
  10. ESET has detected a popular official game downloader as a Generik trojan for some days. The sample 768596273459d8c3e01c77ffcc0f631bf79f3b6c.zip is uploaded to the FTP server. The original file is downloaded from here. Also I am wondering if these two APKs (on the FTP server, d693ae624fa9c0ebfbbf019cb53def036a51e719d693a.zip and fc3a46a4bbbee9ca2c053b388873bfdb9bd93f57.zip) are malicious or not. ESET detects them as a variant of Android/Obfus.AY and a variant of Android/TrojanDownloader.Agent.KU. They are both relatively popular Android apps downloaded from the official website. This game file is detected as malicious by ESET (82233f28e7badb481d7cb016b791056fc48fa71582233.zip on the FTP server), not sure if it is correct or not.
  11. 0xDEADBEEF

    rapid ransomware detection?

    RanSim, from my view, is not a correct way to test ransomware protection. Since itman has more info on that, I will skip those details. The art of detecting malware automatically is to precisely locate the difference between it and benign programs. This can be very subtle in some cases because an antivirus has a limited view of a program's intention. Take WinRAR as an example: if a bad guy uses it to silently batch-encrypt all your docs and delete the original files without telling you, this legitimate program is a "ransomware". In that sense, how does an antivirus know if these behaviors should be allowed or not? The answer perhaps is: a user prompt. But the truth of such a fallback method is that it essentially offloads the decision back to humans, while humans (I mean ordinary users) can easily be fooled into clicking allow in such a case with some social engineering tricks. On the other hand, if the user clicks deny in such a case, it is actually the user instead of the AV itself that manages to recognize the ransomware. So different vendors have different ways to deal with this pain point. Some use a whitelist to only allow common programs to modify files in key folders. RanSim might be blocked in such a case, but as soon as one uses a legitimate program outside the whitelist, things become troublesome (they might even auto-quarantine the legitimate program!). Some simply rely on the user's decision, but humans are always the weakest part in such an attack. Some use heuristic rules to guess if a program is ransomware or not, and this is how ESET and some other vendors deal with this. You have a balance between FPs and detection ratio, and of course malware can play by such rules, as AVs can hardly be smart enough. I feel like with so many different security products, each with a different design philosophy, on the market, one has abundant choices to pick a security solution that best fits him/herself.
    If one wants more control over such events, enabling custom HIPS rules in ESET or changing to another security product with more aggressive blocking (and hence FPs) might be a better choice.
  12. 0xDEADBEEF

    rapid ransomware detection?

    ESET indeed has behavioral analysis against ransomware from my own testing (and the Beh.XXX family, which is used to flag potential ransomware behavior, now has more members); it is rare to see it being effective though, because most samples are already detected by the scan engine (some slip through the defense though) 😂 Actually this is also the first time I have encountered a real-world fresh sample being caught by the ransomware shield. Ransomware shield is the last defense layer in such a case, with the cost of some files being encrypted. Of course ESET can further implement roll-back as some other vendors do. But the performance implication and the protection robustness remain a problem. Still, there is no perfect auto-blocking solution against ransomware so far, while ESET is so insistent on protection with minimal user interaction. I've evaluated several other vendors' so-called "ransom shield" designs using white samples or real-world malicious samples. Most of them are effective against typical malicious ransom behaviors, but are also way too sensitive to white programs (some even mark legitimate archive programs as suspicious without the help of a sufficiently large whitelist). Generally, not knowing the true intention of a file modification behavior makes recognizing ransomware a particularly hard problem, and one can't expect a computer program to fully understand this, because sometimes even humans can't without careful analysis.
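    Added example (editor's code, not ESET's and not the poster's) for posts 11 and 12 above: a toy behavioral ransomware heuristic run over a constructed event stream, then applied under the three strategies the posts contrast (pure heuristic, allowlist, user prompt). The event shape, the thresholds (30-second window, entropy above 7 bits/byte, at least 5 documents across at least 2 folders), the process names, the paths and the payloads are all assumptions made up for the demonstration. It reproduces the WinRAR case from post 11: a legitimate "delete files after archiving" run produces the same encrypt-then-remove shape as the ransomware, so the heuristic flags both, the allowlist passes whatever is listed (including an abused trusted image), and the prompt is only as good as the user's click.

```python
import math
import posixpath
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    """One file-system operation, roughly as a HIPS driver would report it (assumed shape)."""
    ts: float          # seconds since an arbitrary epoch
    pid: int
    image: str         # process image name, e.g. "winrar.exe"
    op: str            # "write" | "delete" | "rename"
    path: str
    data: bytes = b""  # bytes written (only meaningful for op == "write")

DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
WINDOW = 30.0        # seconds of activity examined at a time (assumed threshold)
HIGH_ENTROPY = 7.0   # bits/byte; encrypted or compressed data sits near 8
MIN_VICTIMS = 5      # distinct user documents hit before we act
MIN_DIRS = 2         # spread over several folders, not one project directory

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_doc(path: str) -> bool:
    return posixpath.splitext(path)[1].lower() in DOC_EXTS

def victims_in(window):
    """Documents a process seems to have encrypted in one window: a document overwritten
    with high-entropy data, or one deleted/renamed while the process also writes such data."""
    enc_writes = {e.path for e in window
                  if e.op == "write" and shannon_entropy(e.data) >= HIGH_ENTROPY}
    removed = {e.path for e in window if e.op in ("delete", "rename") and is_doc(e.path)}
    victims = {p for p in enc_writes if is_doc(p)}
    if enc_writes:
        victims |= removed          # encrypt-then-remove: the originals are the victims
    return victims

def suspicious_processes(events):
    """{pid: (image, most victims seen in any WINDOW-second span)} for processes that
    cross both thresholds; everything else is left alone."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)
    flagged = {}
    for pid, evs in by_pid.items():
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            victims = victims_in(evs[start:end + 1])
            dirs = {posixpath.dirname(p) for p in victims}
            if len(victims) >= MIN_VICTIMS and len(dirs) >= MIN_DIRS:
                best = max(best, len(victims))
        if best:
            flagged[pid] = (evs[0].image, best)
    return flagged

def decide(events, policy, allowlist=frozenset(), user_allows=None):
    """Verdict ("allow"/"block") per process image under the three strategies the
    thread contrasts: "heuristic" blocks what suspicious_processes() flags; "allowlist"
    blocks any unlisted image that modifies a user document and trusts listed ones
    unconditionally; "prompt" defers a heuristic hit to user_allows(image)."""
    images = {e.pid: e.image for e in events}
    flagged = suspicious_processes(events)
    verdicts = {}
    for pid, image in images.items():
        if policy == "heuristic":
            verdicts[image] = "block" if pid in flagged else "allow"
        elif policy == "allowlist":
            touches_docs = any(e.pid == pid and is_doc(e.path) for e in events)
            verdicts[image] = "allow" if image in allowlist or not touches_docs else "block"
        elif policy == "prompt":
            user_said_yes = bool(user_allows and user_allows(image))
            verdicts[image] = "block" if pid in flagged and not user_said_yes else "allow"
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return verdicts

# Constructed sample events; nothing here was captured from a real host.
CIPHERTEXT = bytes(range(256)) * 16                 # 4096 bytes, exactly 8.0 bits/byte
PLAINTEXT = b"Quarterly report, draft 3. " * 150    # ordinary text, about 4 bits/byte

def sample_events():
    docs = [f"C:/Users/bob/Documents/report{i}.docx" for i in range(3)] + \
           [f"C:/Users/bob/Pictures/img{i}.jpg" for i in range(3)]
    evs = []
    for i, p in enumerate(docs):   # pid 100: ransomware, encrypt to .locked then delete
        evs.append(FileEvent(0.5 * i, 100, "invoice.exe", "write", p + ".locked", CIPHERTEXT))
        evs.append(FileEvent(0.5 * i + 0.1, 100, "invoice.exe", "delete", p))
    # pid 200: the post's WinRAR case with "delete files after archiving" -- same shape
    evs.append(FileEvent(100.0, 200, "winrar.exe", "write", "C:/Users/bob/backup.rar", CIPHERTEXT))
    for i, p in enumerate(docs):
        evs.append(FileEvent(100.5 + i, 200, "winrar.exe", "delete", p))
    evs.append(FileEvent(200.0, 300, "winword.exe", "write", docs[0], PLAINTEXT))  # pid 300: one normal save
    return evs
```

    Running `decide(sample_events(), policy, ...)` for each policy shows the trade-off in the posts: the heuristic blocks invoice.exe and winrar.exe alike (a false positive on the archiver), the allowlist lets through anything listed even when it behaves like the ransomware, and the prompt blocks or allows the ransomware depending purely on what `user_allows` answers. A real product layers reputation, signatures and a much larger rule set on top of a scorer like this; the point here is only that the file-system view alone cannot tell the two cases apart.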
  13. 0xDEADBEEF

    rapid ransomware detection?

    The ransomware detection was triggered, the process was terminated and the original binary was quarantined (yes, there is a threat prompt). However, some images were encrypted already, and the malware had successfully achieved persistence. So on the next boot the ransomware shield was triggered again, and more files were unfortunately encrypted. The major threat was cleaned only after the second ransomware shield quarantine event. By saying the cloud detected it as malicious, I was referring to EDTD's detection. The file was marked as malicious by EDTD upon the first encounter already, so I expected it to be blacklisted as a suspicious object soon, but apparently, as Marcos explained, this didn't happen due to some FP concerns at that time.
  14. 0xDEADBEEF

    rapid ransomware detection?

    Thanks for the explanation. Looking forward to seeing Augur's improvements
  15. I encountered a rapid ransomware sample around 15 hours ago. At that time, ESET's scanner couldn't detect it (while other major vendors already detected it on VT). The ransomware shield could stop it before it encrypted more of my images. The cloud also detected it as malicious at that time. However, the scan engine/cloud blacklisting is still not updated to detect this sample as of now. Wondering if this is expected or not. The sample is uploaded with the name 713995310B25497E94432F22D262B84EF196AEA3.zip. BTW the scan engine takes a while to scan this 4MB file, which is a bit unusual. https://www.virustotal.com/#/file/487313b869a4d73c9f7288786e70a1660893a9c7243b81ccd49ccc051caf0fa9/detection